Key insights
Implementing the updated Cybersecurity Maturity Model Certification (CMMC) guidelines can help reduce the risk of cyber threats and enhance eligibility for Department of Defense (DoD) contracts.
Outline the steps your company can take to achieve and maintain CMMC compliance, including timelines, priorities, responsible parties, and training.
Update cybersecurity protocols regularly and conduct audits to help maintain compliance and protect sensitive data.
Collaborate with cybersecurity professionals to understand implementation methods and the long-term advantages of strong cybersecurity measures.
Cybersecurity compliance rules have recently changed, which could complicate matters for construction companies trying to win defense contracts and grants. The Cybersecurity Maturity Model Certification (CMMC) can help make your cybersecurity practices stronger while giving your bids a competitive edge.
Achieving cybersecurity compliance
The Cybersecurity Maturity Model Certification is a framework designed to protect sensitive data in the defense sector. Recent updates to the CMMC requirements have specific impacts on the construction industry.
Cybersecurity compliance requirements for defense contractors
Defense contractors have to follow strict compliance requirements to protect sensitive information and meet government standards. This includes safeguarding Federal Contract Information (FCI) like project schedules, internal communications, and billing records, and Controlled Unclassified Information (CUI) like blueprints, security plans, and personnel records.
Construction companies that have contracts with the Department of Defense (DoD) need to prepare for certification assessments to maintain bidding eligibility. There are three levels in the certification assessment system.
- Level 1 is the most basic: it covers protecting FCI, and companies can handle it themselves with a yearly self-assessment
- Level 2 steps things up to protect more sensitive data (CUI); depending on the project, you might need a third-party audit every three years
- Level 3 is for the most critical work, and the government itself comes in to assess your cybersecurity setup
What you can do now
- Start by beefing up your security measures, like using encryption and secure access controls
- Train your employees regularly on how to handle sensitive information
- Stay updated with the latest regulations and create a response plan for any potential breaches
- Regularly review and update your security protocols to keep everything in check
Strengthening your overall security posture can lead to increased trust from clients and colleagues. Evaluate your current cybersecurity measures to identify gaps and areas for improvement. Watch our on-demand webinar for details.
Broader impact on operational technology in construction
Historically, cybersecurity in construction was focused on office networks and email. But CMMC pushes companies to treat job-site technology as part of the threat surface. Construction companies increasingly use operational technology (OT) systems like:
- Building automation systems
- Industrial control systems (ICS)
- Smart sensors and internet of things (IoT) devices on job sites
- Drones and robotics for surveying and inspection
These systems are often connected to networks and can interact with sensitive project data, making them potential targets for cyber threats. Under CMMC, these technologies must now be secured and monitored just like traditional IT systems through physical, logical, or other means.
What you can do now
- Evaluate your OT systems and devices and make sure they are properly segmented and protected
- Implement firewalls, secure configurations, patching, and other cybersecurity measures
- Continuously monitor for unauthorized access or anomalies
Flow-down provisions for subcontractors
In addition to their own compliance efforts, construction companies working on federal projects, especially those involving the DoD, must also verify that the suppliers and subcontractors who handle sensitive information meet the appropriate CMMC level.
What you can do now
- Identify all third parties who may access CUI or FCI and conduct a supply chain risk assessment
- Perform regular audits of suppliers’ cybersecurity practices to help identify potential vulnerabilities
- Consider incorporating penalties or corrective action clauses in contracts for noncompliance
David Nowacki
Controls Consultant Manager

David Scaffido
Principal