No attachments available.
Potential Application of Cybersecurity Maturity Model Certification (CMMC) Requirements For SCB MAC
Contact and place of performance
Jason Pratt
USA
NAVSEA provides this notice to Industry to inform current and prospective contractors for the SCB MAC IDIQ that future contract actions issued shall include the Cybersecurity Maturity Model Certification (CMMC) requirements in accordance with Department of War (DoW) implementation of the CMMC program. This notice is informational only and does not constitute a solicitation, request for proposals. As DoW continues imp...
View moreContractors are encouraged to review official CMMC guidance and resources published by the Department of War and to ensure that any required cybersecurity assessments and related information are accurately recorded in the Supplier Performance Risk System (SPRS), as applicable.
This notice does not change any existing contracts and does not by itself impose new requirements. Specific cybersecurity and CMMC requirements, including the applicable level and assessment type, will be identified in the solicitations, task/delivery order solicitations.
Interested vendors should continue to monitor SAM.gov and other official Department of War communication channels for future opportunities that will identify applicable cybersecurity and CMMC requirements.
The Department of the Navy, Naval Sea Systems Command (NAVSEA), issued this special notice regarding the potential application of Cybersecurity Maturity Model Certification (CMMC) requirements for the Small Boats and Craft (SCB) Multi-Award Contract (MAC) Indefinite Delivery/Indefinite Quantity (IDIQ) vehicle. This informational notice indicates that future contract actions issued under this program will incorporate CMMC requirements in alignment with the Department of War’s implementation of the program. The notice is categorized under NAICS 336612 for Boat Building and PSC 1940 for Small Craft. There is no set-aside designated for this announcement, and the primary place of performance is the United States.
Under the implementation plan, contracting officers will include applicable CMMC requirements in solicitations and contracts when contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Offerors must maintain a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including all applicable assessment results and affirmations, as a mandatory condition for receiving a contract, task order, or delivery order award. Specific CMMC levels and assessment types will be identified within individual solicitations or delivery orders as they are released.
Future solicitations and subsequent orders will include relevant Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions. These include FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, as well as DFARS clauses 252.204-7008, 252.204-7012, 252.204-7019, 252.204-7020, 252.204-7021, and 252.204-7025. This notice serves as a preliminary advisory and does not alter existing contracts or impose new requirements by itself. Solicitation number N00024-25-RFPREQ-PMS-300-0009 was published on March 17, 2026, with Jason Pratt listed as the point of contact.
Generated by Lumen AI
Scoped analysis and attachments—go beyond the summary when you need detail from the solicitation package.