In this post, we're having a candid conversation about the upcoming Cybersecurity Maturity Model Certification (CMMC) and its potential impact on construction organizations that work on federal projects. We'll also touch on using FedRAMP-approved solutions to meet compliance needs. To shed some light on this topic, we'll talk through key details, answering common questions we hear from companies in the construction industry.
This interview is between our Product Manager, Josh Witmer (JW), and our Information System Security Officer (ISSO), Troy Clark (TC).
JW: Hi Troy, thanks for joining me today. Let's get right to it. There's been a lot of buzz around CMMC lately. Can you explain what it is and why it's so important?
TC: Absolutely. CMMC, or the Cybersecurity Maturity Model Certification, is a new framework designed by the Department of Defense (DoD) to ensure that contractors, including those in the construction industry, safeguard sensitive federal information. The security of sensitive information is especially important when working on federal projects, where mishandling data can have national security implications and result in substantial company fines. A good example is what happened with Penn State University last year. The key idea is to create a standardized approach to cybersecurity across the DIB (defense industrial base), including any contractor—whether an IT company or a construction firm—that handles federal contracts.
JW: You mention construction firms. How does CMMC affect construction companies specifically?
TC: CMMC compliance will be required for construction companies that engage in federal projects – even if you are a subcontractor on a federal project. Construction companies are often entrusted with sensitive data, including facility blueprints, maintenance details, and even access plans for military installations. This data, known as Controlled Unclassified Information (CUI), must be secured like other critical data the government handles. So, with CMMC coming into play, construction companies must demonstrate they meet specific cybersecurity standards if they want to continue bidding on federal contracts.
The nature of the project and the data involved will determine the level of CMMC certification a company must achieve. Any construction company seeking to work on federal projects must, at a minimum, obtain CMMC Level 1 certification, which ensures basic cyber hygiene practices. CMMC level 2 certification will be a minimum requirement for federal CUI projects. The key takeaway is that construction companies must achieve some level of CMMC certification to work on federal projects.
JW: Can you talk more about those levels? What are the different levels of CMMC, and how do they apply to construction organizations?
TC: CMMC 2.0 consists of three levels, each with increasing cybersecurity requirements:
- Level 1 (Basic Cyber Hygiene): This foundational level covers basic cybersecurity practices like using strong passwords, updating software, and training staff. Contractors, including construction companies working on basic federal contracts, must meet this level.
- Level 2 (Advanced Cyber Hygiene): This level involves more comprehensive controls aligned with the National Institute of Standards and Technology (NIST) 800-171 guidelines, which is a requirement for organizations handling CUI.
- Level 3 (Expert Cyber Hygiene): This level is meant for contractors dealing with highly sensitive data. While most construction companies won't need to reach this level, organizations involved in highly sensitive or defense-related projects might.
Most construction firms will likely fall between Levels 1 and 2, but even meeting Level 1 requires a shift in how companies approach cybersecurity.
JW: Take a step back. You mentioned CMMC 2.0. What is 2.0, and how is that different from CMMC level 2?
TC: The original version of CMMC, which consisted of five certification levels and was published in 2020, is now known as CMMC 1.0. At that time, DoD established a five-year phased rollout, understanding that adjustments would be needed based on public comments and internal reviews.
In 2021, DoD announced CMMC 2.0, which aimed to enhance and simplify some aspects of the CMMC framework. The proposed CMMC 2.0 framework was published in 2023 and compressed the five levels to the three levels of certification that we just reviewed. CMMC 2.0 is progressing through the final stages of government approval, aligning with the initial five-year phased rollout timeline.
JW: That makes sense. What's the latest on when these CMMC requirements will actually be enforced?
TC: The DoD is finalizing the rollout timeline, but CMMC requirements are expected to appear in contracts by 2025. Many contractors are already preparing now, though, because achieving compliance can take time. It's not something that happens overnight—especially for construction firms that may not have had to think about cybersecurity as deeply in the past. Getting ahead of the curve is essential.
JW: Do you have any tips for construction organizations preparing for CMMC?
TC: The biggest piece of advice is to start preparing as soon as possible. Don't wait until CMMC is officially in place to start thinking about your cybersecurity strategy.
Begin by evaluating what level of CMMC certification your business needs, and then look for solutions—like FedRAMP-authorized software—that will help streamline the process. If you're handling any federal project data, it's no longer just about delivering the physical structures; it's about protecting the information that makes those projects possible. Lastly, consider working with cybersecurity experts or partners who understand CMMC requirements and can guide you through the process. It might seem overwhelming initially, but the long-term payoff in protecting your business and maintaining federal contracts is absolutely worth it.
JW: Last question. We've been focused on getting our product, ProjectTeam.com, through the FedRAMP authorization processes during the past year. How do FedRAMP solutions play a role in achieving CMMC compliance? How do they help construction firms working with federal data?
TC: That's a great point. FedRAMP, or the Federal Risk and Authorization Management Program, is a government-wide program that ensures cloud solutions meet strict security standards. Using a FedRAMP-authorized solution simplifies the process of meeting CMMC requirements because these solutions have already undergone rigorous security assessments that can directly be mapped to CMMC Cyber Hygiene.
For construction companies working on federal projects, choosing FedRAMP-authorized software means you're using a platform that the government itself trusts with sensitive information. It also helps reduce the burden on your internal IT team since much of the cybersecurity foundation is already built into these solutions. A FedRAMP-approved platform enables you to achieve CMMC compliance faster and with less stress, and it ensures that you can focus on construction rather than cybersecurity.
JW: Thank you so much for joining me today and shedding light on the importance of CMMC and how FedRAMP solutions can help construction companies achieve compliance.
If anyone has additional questions or wants to learn more about preparing for CMMC, please get in touch with us at info@projectteam.com. We're happy to help guide you through these changes and ensure you're ready for what's ahead!