POTENTIAL APPLICATION OF CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) REQUIREMENTS FOR SCB MAC

NAVSEA provides this notice to Industry to inform current and prospective contractors for the SCB MAC IDIQ that future contract actions issued shall include the Cybersecurity Maturity Model Certification (CMMC) requirements in accordance with Department of War (DoW) implementation of the CMMC program.

This notice is informational only and does not constitute a solicitation, request for proposals.

As DoW continues implementation of the CMMC program, Contracting Officers shall include applicable CMMC requirements in solicitations and contracts when contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The applicable CMMC level, will be identified in the solicitation, or delivery order.

Offerors shall be required to have a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including applicable assessment results and affirmations, as a condition of award for the contract, task order, or delivery order where CMMC requirements apply.

The solicitation and any subsequent task/delivery orders shall include applicable Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions and clauses, including but not limited to:

• FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
• DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
• DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
• DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements
• DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements

Contractors are encouraged to review official CMMC guidance and resources published by the Department of War and to ensure that any required cybersecurity assessments and related information are accurately recorded in the Supplier Performance Risk System (SPRS), as applicable.

This notice does not change any existing contracts and does not by itself impose new requirements. Specific cybersecurity and CMMC requirements, including the applicable level and assessment type, will be identified in the solicitations, task/delivery order solicitations.

Interested vendors should continue to monitor SAM.gov and other official Department of War communication channels for future opportunities that will identify applicable cybersecurity and CMMC requirements.