
Government contractors and subcontractors face a pivotal year when it comes to cybersecurity. In late 2024, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program went into effect, creating a chain reaction across the many industries that rely on government contracts as part of the defense industrial base (DIB) supply chain. The CMMC program, which aims to safeguard federal contract information (FCI) and controlled unclassified information (CUI) within the DoD contracting community, will require contractors of all sizes to adopt more robust security practices and adhere to specific guidelines. Since the construction industry plays a vital role in building, updating and maintaining the DoD’s infrastructure, bases and facilities, construction companies must be prepared to comply with CMMC to continue participating in DoD contracts.
Why CMMC Should Be a Business Priority
The program’s purpose is to protect the DoD’s supply chain, a critical component of national security, from cyber threats. CMMC requirements safeguard key government data as it travels through that supply chain, including through construction organizations. Certification will be a requirement for any construction company that handles FCI or CUI as part of a DoD contract: handling FCI requires CMMC level 1, and handling CUI requires CMMC level 2. Level 1 is a self-assessment, but level 2 will most often require a certification issued by a third-party assessor.
While the program is intended to protect government data, it also offers a prime business opportunity to organizations that achieve CMMC certification early on. Fewer than 100 companies are eligible to conduct CMMC level 2 assessments, and with over 80,000 organizations likely seeking certification, delays are expected. Construction business owners will have an advantage in securing DoD contracts before competitors if they adopt CMMC standards early and position themselves as critical, well-protected suppliers.
The construction industry’s increased use of technology, access to sensitive data and relative lack of cyber maturity also make construction businesses attractive targets for attackers. A report from NordLocker listed construction as the industry most targeted by ransomware attacks between January 2022 and January 2023. In the broader market, CMMC certification offers an opportunity to improve your organization’s cybersecurity protocols and demonstrate cybersecurity readiness, which can provide a distinct competitive advantage over others who have not yet embarked on the process.
How Companies Can Determine CMMC Applicability
CMMC applicability is not always straightforward. Construction companies that are prime DoD contractors will be required to comply with CMMC if they work with CUI or FCI, but it can be harder to determine applicability further down the supply chain. Level 2 certification will be required if you handle CUI, but knowing whether that is the case can be complicated.
Construction companies can determine their applicability by asking clients and partners whether their DoD contracts today contain the DFARS 252.204-7012, 7019, 7020 or 7021 clauses, or whether any language in proposals or agreements mentions being CMMC compliant. Those specific clauses are included by the DoD and/or prime contractors when they believe CUI is being shared. CUI is unclassified information created by or for the DoD that carries a requirement to safeguard it or restrict how it is disseminated. For instance, the DoD could decide that the plans for a base are sensitive and should be protected; that unclassified information then requires safeguards and is considered CUI.
Prime contractors are also obligated to include those clauses in subcontracts that involve CUI or covered defense information. These contractual requirements flow down to each tier that handles CUI, so they can extend to any depth of the supply chain as long as CUI continues to be shared with the next organization.
What CMMC Compliance Entails
The CMMC certification assessment is designed to be straightforward with an expected timeframe of four to eight weeks, depending on the scope. However, preparing for it can be complex, and it may take some time before an organization is ready for a C3PAO, or CMMC Third-Party Assessment Organization (certifying party), to begin the level 2 assessment.
The most taxing part of the process will be implementing the required controls and assembling the necessary artifacts to demonstrate compliance. This will all require careful resource allocation and a well-rounded and dedicated team to prioritize implementation and gathering documentation. Failure to select the right team could result in delays and added costs in the process.
To be fully certified at level 2, a contractor is required to implement the full set of 110 controls without exception. However, for a portion of the controls, if a requirement is not fully met at the time of the assessment, the organization may receive a conditional certification and enter a six-month remediation phase. If those open items, tracked in a Plan of Action and Milestones (POA&M), are closed within that window, the result is still a full certification. Given the limited availability of assessors, it is best to minimize the number of POA&M items, and it is critical to ensure that the controls not eligible for a POA&M are already in place.
To begin determining if your organization is CMMC assessment-ready, consider the following questions:
- Have I completed my:
  - System security plan (SSP) — a document detailing how you comply with all 110 requirements
  - CUI data flows — a document that details how CUI flows through your organization
  - Associated policies and procedures
- Have I completed a self-assessment and concluded that our organization is compliant with all the CMMC practices and their associated assessment objectives?
- Have I collected evidence for each of the assessment objectives?
- Have I evaluated my external service providers and cloud service providers? These third parties might be part of the assessment and can have special requirements.
- Have I trained my control owners on what to expect and how to properly perform the CMMC practices?
- Have I identified my CMMC assessor, and do I believe they will be fair and reasonable and available in the timeframe required?
Getting Started With the CMMC Process
The CMMC process is administered by the not-for-profit Cyber AB (the CMMC Accreditation Body), comprised of a volunteer group of industry professionals. An organization seeking certification (OSC) issues requests for proposals (RFPs) or quotes to C3PAOs authorized by the Cyber AB to conduct CMMC assessments. Once a C3PAO is contracted to conduct an assessment, it manages the process, ensures the assessment is credible and executed properly, and submits the results to the DoD.
Before contacting a C3PAO, construction companies should properly identify and organize their scope in alignment with the five distinct categories of assets. These include:
- CUI assets, which process, store or transmit CUI.
- Contractor risk managed assets, which are not intended to, but can process, store or transmit CUI.
- Security protection assets, which provide security capabilities or functionality within CMMC’s Assessment Scope, regardless of whether they process, store or transmit CUI (e.g. firewalls and multifactor authentication tools).
- Out-of-scope assets, which do not process, store or transmit CUI, do not provide security protections for CUI assets, and are physically and/or logically separated from CUI-handling assets (e.g. cloud-based HR systems).
- Specialized assets, which can process, store or transmit CUI but exist to support a special function and typically cannot be secured like a general-purpose computer. Examples include testing equipment and manufacturing tools such as CNC machines that may handle detailed plans containing CUI but are not traditional computers. Because these assets may be exempt from some CMMC requirements, identifying and categorizing them correctly can be advantageous.
Construction business owners should leverage a strong understanding of the asset categories, especially the specialized assets class, to help minimize the scope burden and allow for effective allocation of resources. By limiting the size and complexity of the in-scope assets, the certification process becomes faster, easier and more cost-efficient.
Once all the assets are properly categorized, construction businesses must document and approve all CUI data flows to demonstrate the organization’s maturity and that they know where their CUI is stored, where it is allowed to go and how/why such approval is granted.
Organizations should also prepare their team for questions from the assessment team in advance. They can do this by conducting internal assessments and mock assessments, and by ensuring that documentation is readily available to demonstrate that the CMMC’s 110 controls are implemented for all systems in scope.
Construction businesses should expect the assessment to begin with a phase that works to understand the scope and ensure the OSC is ready. Leading up to the initial phase, the OSC will need to collect and provide artifacts to demonstrate that the practices are in place. The bulk of the assessment is in the fieldwork phase, which consists of a busy week when artifacts and live demonstrations will be presented to prove that the practices are in place. The process ends with wrap-up and reporting.
What Your Business Can Do Right Away
CMMC’s final rule went into effect on Dec. 16, 2024, meaning organizations can now be certified. While CMMC will not start appearing as a requirement in new DoD contracts until mid 2025, and will be phased in after that, every construction company should get started on CMMC right away. Key company figures involved in the process should begin reviewing the DoD materials and gain a clear understanding of what certification entails and its potential organizational scope.
Given the potential for long C3PAO waitlists, some proactive measures can be taken now to ensure a successful certification outcome and prevent prolonging the process. To avoid any delays, construction business owners should consider engaging an external advisor who has a deep understanding of the CMMC process and can provide an assessor’s point of view before the official process begins. By combining a third-party perspective with internal expertise, you can significantly cut down on costs and operational strains that will result from becoming compliant with the CMMC requirements.