Is CMMC already in contracts?

Yes, CMMC is appearing in DoD solicitations today. If your company doesn’t already meet CMMC requirements, you are ineligible for these contracts.

DoD contracting officers are authorized to include CMMC as a condition of contract award as of November 10th, 2025. While some primes have made their CMMC posture clear, defense contractors are still asking: are there already contracts that mention or even require CMMC?

The answer is an emphatic yes. CMMC is here and major DoD solicitations contain clear language requiring C3PAO (3rd party) CMMC assessments.

-Matt Travis, CEO, Cyber AB

List of contracts with CMMC

Below is an up-to-date list of all DoD contracts, solicitations, and notices from sam.gov, the Official U.S. Government System for contracts, that mention CMMC.

  • 2/6/2026: Cylindrical Antenna – Phase B System
    • Issued by: Department of the Navy, NAVAIR
    • Key quotation: “A Cyber Maturity Model Certification (CMMC) Level 2 (CUI Self) is anticipated for this requirement. If you disagree with the anticipated CMMC Level, please provide a rationale, and the recommended CMMC Level.”
  • 2/5/2026: REPLACE TRANSFORMER STATIONS, PUMP STATION NO. 1 AND 3, DFSP HACHINOHE, JAPAN
    • Issued by: Department of the Navy, NAVFAC
    • Key quotation: “A CMMC Level 2 (Self-Assessment) is designated for this solicitation and contract. The government will check the Supplier Performance Risk System (SPRS) for each CMMC Unique Identifier (UID) to verify the offeror’s CMMC status and SHALL NOT award a contract to an Offeror that does not have a current CMMC status posted in SPRS at the specified CMMC level or higher required by the solicitation.”
  • 2/4/2026: Replace Site Lighting Electrical Conduits at 5 LFs
    • Issued by: Department of the Air Force, Air Force Global Strike Command
    • Key quotation: “Due to classified information for this requirement, vendors must be up to date (within 3 years) and have a score of 110 on NIST SP 800-171 Assessment (or CMMC Assessment Level 2) in the SPRS module of PIEE to be considered capable.”
  • 2/3/2026: White City Southern Oregon Rehabilitation Center and Clinics Seismic Upgrades
    • Issued by: Department of the Army, U.S. Army Corps of Engineers
    • Key quotation: “:Requirements Form for this procurement. Consequently, offerors must have the required CMMC Level Self-Assessment to be eligible for potential contract award. The CMMC Level is currently anticipated to be CMMC Level 2 (Self) Certified.”
  • 2/3/2026: Prototype Integration Facility (PIF) 2027
    • Issued by: Department of Defense, Department of the Army
    • Key quotation: “Cybersecurity Maturity Model Certification (CMMC) Level 2 is required before the award date.”
  • 1/30/2026: Custom Tilter
    • Issued by: Department of the Navy, NAVSEA
    • Key quotation: “The CMMC level required by this RFQ is: CMMC Level 2 (Self). This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.”
  • 1/23/2026: Naval Sea Logistics Center Readiness Based Sparing Services
    • Issued by: Department of the Navy, NAVSEA
    • Key quotation: “The Program Office has determined CMMC compliance is required effective 10 November 2025. The minimum CMMC assessment requirement for this tasking is CMMC Level 2 (Self).”
  • 1/22/2026: SOF Tactical Equipment Maintenance Facility
    • Issued by: Department of the Navy, US Army Corps of Engineers
    • Key quotation: “CMMC Certified, Level 1 certification is currently required. This will increase to Level 2 by October 1, 2026, and Level 3 by October 1, 2027.”
  • 1/21/2026: Custom Tilter
    • Issued by: Department of the Navy, NAVSEA
    • Key quotation: “The CMMC level required by this RFQ is: CMMC Level 2 (Self). This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract. See Provision 252.204-7025 and Clause 252.204-7021, included in this RFQ.”
  • 1/9/2026: 31- Multiple
    • Issued by: Defense Logistics Agency, DLA Aviation
    • Key quotation: “Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment applies.”
  • 1/7/2026: Azimuth Gearbox Assembly Requirement Documents
    • Issued by: Department of The Air Force, Air Force Materiel Command
    • Key quotation: “Starting 10 November 2025, Cybersecurity Maturity Model Certification (CMMC) contract requirements in DFARS Clause 252.204-7021 may be included in any DoD Contracts or Solicitations. Companies must have a current Cybersecurity Maturity Model Certification status that meets or exceeds the requirements in future solicitation or contract.”
  • 1/6/2026: Coil Forms
    • Issued by: Department of the Navy, NAVSEA
    • Key quotation: “The CMMC level required by this RFQ is: CMMC Level 2 (Self). This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract. See Provision 252.204-7025 and Clause 252.204-7021, included in this RFQ. The Offeror shall provide, in its offer, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of the contract resulting from this RFQ.”
  • 1/5/2026: Mobility Prototyping
    • Issued by: Department of The Navy, NAVSEA Warfare Center
    • Key quotation: “Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment is required for award.”
  • 1/5/2026: Commercial Solutions Opening (CSO) for Space Domain Awareness (SDA) Solutions
    • Issued by: Department of The Air Force, Air Force Space Command
    • Key quotation: “Cybersecurity Compliance: Offerors must comply with NIST SP 800-171 and CMMC 2.0 requirements.”
  • 1/5/2026: Telesco Drawbar NRP PR – 7014734035
    • Issued by: Defense Logistics Agency, Troop Support Subsistence
    • Key quotation: “To be eligible for award, offerors and any sources of supply proposed for use are required to have an approved JCP certification and have been approved by the DLA controlling authority to access export-controlled data managed by DLA. DLA will not delay award in order for an offeror or its supplier to apply for and receive approval by the DLA controlling authority to access the export-controlled data. RD004: Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment”
  • 12/29/2025: MK70 Booster Ballast Kits Synopsis
    • Issued by: Department of the Navy, NAVSEA Warfare Center
    • Key quotation: “Cybersecurity Maturity Model Certification (CMMC) Level 2.0 Self-Determination certification is required. There are no known security requirements associated with this requirement.”
  • 12/17/2025: Custom Tilter
    • Issued by: Department of the Navy, NAVSEA Warfare Center
    • Key quotation: “The CMMC level required by this RFQ is: CMMC Level 2 (Self). This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.”
  • 12/16/2025: White City Southern Oregon Rehabilitation Center and Clinics Seismic Upgrade
    • Issued by: Department of the Army, US Army Corps of Engineers
    • Key quotation: “Consequently, offerors must have the required CMMC Level Self-Assessment to be eligible for potential contract award. The CMMC Level will be noted on the first page, Block 10 of the SF1449.”
  • 12/16/2025: Long Range Planning Support
    • Issued by: Department of the Navy, NAVAIR NAWC WD
    • Key quotation: “A Cyber Maturity Model Certification (CMMC) Level 2 (CUI Self), is anticipated for this requirement.”
  • 12/10/2025: FTW501 UNACCOMPANIED ENLISTED PERSONNEL HOUSING FORT WAINWRIGHT
    • Issued by: Department of the Army, US Army Corps of Engineers
    • Key quotation: “In accordance with DFARS 252.204-7021 Cyber Security Maturity Model Certification (CMMC) offerors will be required to be LEVEL 1 self-certified.”
  • 12/10/2025: Fall Protection Certification Services
    • Issued by: Department of the Air Force, Air Force Materiel Command
    • Key quotation: “Provide the following contractor information within your quote:…Proof of CMMC Level 1 Foundational compliance in SPRS module of PIEE.”
  • 12/04/2025: PKA Relocatable Facility
    • Issued by: Department of the Air Force, Air Force Global Strike Command
    • Key quotation: “Vendors are required to have CMMC Level 2 certification in SPRS prior to receiving CUI drawings. CUI drawings will be provided after CMMC Level 2 certifications are confirmed and Attachment 2 – MFR CUI Control Receipt is received via email.”
  • 12/03/2025: MODULE ASSEMBLY,JET
    • Issued by: Department of Defense, Defense Logistics Agency, DLA Maritime Columbus
    • Key quotation: “RD004: Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment”
  • 12/02/2025: MK22 Motor Tubes Solicitation
    • Issued by: Department of the Navy, NAVSEA Warfare Center
    • Key quotation: “Cybersecurity Maturity Model Certification (CMMC) Level I is required.”
  • 11/17/2025: Ft. Buchanan Microgrid
    • Issued by: Department of the Army, U.S. Army Corps of Engineers, Great Lakes and Ohio
    • Key quotation: “Do you possess a CMMC and at what level (1, 2, or 3)? If not, when do you expect to obtain CMMC and at what level (1, 2, or 3)? And do you project any changes to your CMMC status in the year following issuance of the market survey?”
  • 11/14/2025: Sources Sought for Global Positioning System Based Range Instrumentation Equipment (GPS-BRIE)
    • Issued by: Department of the Navy, Navy Air
    • Key quotation: “A Cyber Maturity Model Certification (CMMC) Level 2 (C3PAO) is anticipated for this requirement. If you disagree with the anticipated CMMC Level, please provide a rationale, and the recommended CMMC Level…Capability Statements should include either documentation of Cyber Maturity Model Certification (CMMC) Level 2 (C3PAO) or explanation of ability to obtain a CMMC Level 2 (C3PAO) prior to estimated award date.”
  • 11/3/2025: CIVIL DESIGN INDEFINITE DELIVERY CONTRACTS (IDCs) WITHIN SAN FRANCISCO DISTRICT AND SOUTH PACIFIC DIVISION
    • Issued by: Department of the Army, U.S. Army Corps of Engineers, South Pacific
    • Key quotation: “Cybersecurity Maturity Model Certificate (CMMC) Level 2 applies to this contract. Requirement will be included in the solicitation document for the selected firms.”
  • 10/20/2025: DESC2103C – Bulk Fuel Storage Tanks Phase II Yokota Air Base, Japan
    • Issued by: Department of the Army, U.S. Army Corps of Engineers, Pacific Ocean
    • Key quotation: “USACE Japan District anticipates that all solicitations issued on or after November 10, 2025 will require Basic (Level 1) certification or higher.  If your company is not certified at Basic (Level 1) or higher you will not be eligible to receive a contract award.”
  • 10/20/2025: John Day Dam Turbine Runner Replacement and Generator Rewind Project
    • Issued by: Department of the Army, U.S. Army Corps of Engineers, Northwestern
    • Key quotation: “DFARS clause 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements are being developed and will be included in the solicitation as applicable.”
  • 9/24/2025: FY26 CFAY HY2602 SOQ Gridley, Halsey, & Edwina Revitalization, Yokosuka, Japan
    • Issued by: Department of the Army, U.S. Army Corps of Engineers, Pacific Ocean
    • Key quotation: “CMMC requirements become mandatory 1 Oct 2025.  USACE Japan District anticipates that all solicitations and contracts will require Basic (Level 1) certification or higher. If your company is not certified at Basic (Level 1) or higher you will not be eligible to receive a contract award.”
  • 9/18/2025: INFOSEC ALERT – NOTICE TO THE DIB: CMMC Program Implementation
    • Issued by: Department of the Army, U.S. Army Corps of Engineers
    • Key quotation: “DoD’s CMMC Program mandates that all organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) maintain specific cybersecurity maturity levels to protect sensitive data. CMMC provides a consistent methodology to assess compliance with cybersecurity requirements and standards set forth in the 48 CFR 52.204-21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Basic Safeguarding of Covered Contractor Information Systems.”
  • 9/12/2025: SOF Global Services Delivery Request for Proposal
    • Issued by: Department of Defense, US SPECIAL OPERATIONS COMMAND (USSOCOM)
    • Key quotation: “Based on the rule implementation date of 10 November 2025, and an anticipated RFP release date that falls after the implementation date, the Government will include a CMMC pass/fail requirement in the final RFP as qualifying criteria. It is currently anticipated that a “CMMC Level 1 (Self)” will be required at time of proposal submission. Potential offerors are encouraged to begin working to meet this requirement if you have not already done so.”
  • 9/2/2025: UPDATE – Cybersecurity Maturity Model Certification (CMMC) 2.0 Implementation
    • Issued by: U.S. Army Corps of Engineers, Headquarters, Directorate of Contracting
    • Key quotation: “New Solicitations and Contracts issued on or after [8/25/2025] will, to the maximum extent practicable, comply with Class Deviation 2005-O0006, requiring contracting officers not to use the contract clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement, in new solicitations and contracts.”
  • 8/17/2025: FY2025 – FY2026 Projections
    • Issued by: U.S. Army Corps Of Engineers, Engineer Division Pacific Ocean
    • Key quotation: “CMMC requirements become mandatory 1 Oct 2025. USACE Japan District anticipates that all solicitations and contracts will require Basic (Level 1) certification or higher.”
  • 7/29/2025: SOURCES SOUGHT – GROUND BASED STRATEGIC DETERRENT (GBSD) SENTINEL OPERATIONS GROUP FACILITY (OGF), FEW AFB, WY
    • Issued by: U.S. Army Corps Of Engineers, Engineer Division Northwestern
    • Key quotation: “This project is anticipated to be subject to Cybersecurity Maturity Model Certification (CMMC), Level 2 pursuant to DFARS Clause 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. Firms will need to ensure they are properly certified. Failure to meet the CMMC, Level 2 will make an offer ineligible for award.”

Behind on CMMC? Here’s how to catch up

PreVeil’s CMMC solution is trusted by thousands of defense contractors to streamline compliance and cut costs by 77%. Our Compliance Accelerator provides pre-filled, assessment-ready documentation, reducing certification preparation time from 12-24 months to just 4-6 months, and our Compliance Team + Preferred Partner Network of consultants, MSPs, and Assessors is here to help every step of the way.