The following is an edited transcript from a ProjectTeam webinar on CMMC and FedRAMP compliance for construction contractors working with the Department of Defense. Panelists include Tony Bai (Chief Solutions Officer, RISCPoint), Troy Clark (Chief Security Officer, ProjectTeam), Jason Skeen (Solution Architect, ProjectTeam), and Josh Witmer (VP of Product, ProjectTeam), moderated by Liv Linton (Marketing Manager, ProjectTeam). This transcript has been edited for length and clarity. Responses have been paraphrased for readability.
Did you miss out on the full conversation? Watch the full webinar: Will Your Construction Management Platform Survive a CMMC Audit?
Liv: Good morning, everyone. Welcome to our webinar. Thank you for joining us today, whether you're a general contractor, a project manager, or the person responsible for keeping your organization compliant. We're glad to have you here.
Today we'll cover an overview of CMMC and FedRAMP: what they are, how the frameworks work, and what to expect going forward. We'll also walk through common compliance gaps and misconceptions, explain what makes ProjectTeam a compliant solution, and close with a Q&A.
Our panel today includes Tony Bai, Chief Solutions Officer at RISCPoint, our cybersecurity and compliance partner, who brings over 30 years of cybersecurity experience in government and federal contracting, including prior service as a cyber defense subject matter expert in the US Air Force. We also have Troy Clark, Chief Security Officer at ProjectTeam, leading our FedRAMP authorization initiative; Jason Skeen, Solution Architect with nearly 30 years of software development experience and a ProjectTeam founding team member; and Josh Witmer, VP of Product, whose background spans both construction management and product development.
Tony Bai: CMMC, the Cybersecurity Maturity Model Certification, is a framework designed and implemented by the Department of Defense (DoD) in partnership with the Cyber AB accreditation body. Its purpose is to protect two categories of sensitive information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Much of this is codified within the DFARS, the Defense Federal Acquisition Requirement Supplement. DFARS 7021 is the enforcement mechanism that allows CMMC requirements to be written into contracts, a process that began in November 2025.
Level 1 Foundational: Covers protection of FCI. Encompasses 15 controls focused on basic cyber hygiene.
Level 2 Advanced: Applies when handling CUI. This is a bifurcated process: depending on contract requirements, it requires either an annual self-assessment or an independent certification by a C3PAO (CMMC Third Party Assessment Organization) every three years, with an annual affirmation in between. Level 2 encompasses 110 controls.
Level 3 Expert: Applies to companies handling CUI deemed critical and subject to nation-state threat actors. It builds on the 110 Level 2 controls and adds a delta assessment by the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) covering an additional 24 controls from NIST 800-172.
Before CMMC, compliance with CUI protection requirements was largely based on self-attestation. The DoD found that many organizations were attesting to compliance without actually improving their cybersecurity posture. CMMC was introduced to enforce independent verification and accountability. The data tells the story: as of 2025, the average SPRS score across the Defense Industrial Base (DIB) remains well below the perfect score of 110, indicating significant room for improvement across the contractor community.
The enforcement mechanism is clear. The 32 CFR codifies the CMMC program structure, levels, and certification process. The 48 CFR, which went into effect November 2025, allows DoD contracting officers to formally mandate CMMC certification as an award requirement in new solicitations.
Phase 1 (through November 2026): Level 1 and Level 2 self-assessments are applicable to contracts the DoD designates as requiring them. The DoD may also require independent CMMC certification for new contracts at its discretion.
Phase 2 (starting November 2026): C3PAO certifications become applicable to new contract solicitations broadly. Existing contracts are generally not grandfathered in, though the DoD retains discretion on a case-by-case basis. Level 3 assessments by DIBCAC may also begin at DoD discretion.
Phase 3 (starting November 2027): Level 2 CUI protection requirements become applicable to virtually all contracts, including existing ones. Level 3 certification may also be required for existing contracts prior to 2027.
Phase 4 (starting 2028): Full CMMC implementation across all DoD contracts going forward.
Non-compliance carries significant financial and operational risk. The False Claims Act is being actively used to crack down on organizations that attest to cybersecurity compliance without actually meeting the requirements. Past enforcement actions have resulted in fines ranging from $875,000 to $12.75 million, based on the severity of false claims and contract value. Beyond fines, non-compliant organizations can lose their ability to bid on future DoD work entirely.
Importantly, this isn't just about bad actors. Ignorance of requirements is not a defense. Even unintentional non-compliance can expose organizations to these penalties.
"CMMC only applies to large prime contractors." False. CMMC applies throughout the entire Defense Industrial Base, to primes, subcontractors, and every tier of the supply chain that touches FCI or CUI. If you share CUI with suppliers downstream, you are accountable for ensuring they are also meeting CMMC requirements.
"CMMC is a one-time certification." False. CMMC requires continuous monitoring and improvement. Even after achieving C3PAO certification (valid for three years), organizations must submit an annual self-attestation affirming continued compliance. Filing a false attestation is legally equivalent to submitting a false claim, a serious risk under the False Claims Act.
"We have plenty of time." Partially true, but it depends on your current cybersecurity posture and whether prime contractors are already pushing CMMC requirements down to their subs. Companies like Raytheon, Lockheed Martin, and L3Harris are already sending letters to subcontractors with hard deadlines for compliance.
"We don't handle CUI, so we don't need CMMC." Partially true, but worth auditing carefully. CUI applies wherever it is stored, processed, or transmitted. Many organizations overlook CUI that arrives informally via email or from clients who haven't marked it as such. You may be handling CUI without realizing it.
"We're FedRAMP authorized, so we don't need CMMC." False. FedRAMP authorization applies only within a defined authorization boundary. If CUI exists or is handled outside that boundary, and in practice it usually does, CMMC certification is still required for those systems and processes.
Jason Skeen: FedRAMP, the Federal Risk and Authorization Management Program, is the federal government's standardized approach for authorizing cloud service providers (CSPs) to operate within government environments. ProjectTeam has been FedRAMP authorized and listed in the marketplace for approximately three years, a process we completed in partnership with RISCPoint.
The core concept behind FedRAMP is efficiency: do the rigorous security review once, then allow any federal agency to use the authorized solution without having to conduct their own independent audit. For contractors, this is equally valuable: choosing a FedRAMP authorized solution means the CSP bears responsibility for maintaining those security controls, not you.
Similar to CMMC, FedRAMP has three impact levels: Low, Moderate, and High. Most DoD contracts require FedRAMP Moderate (Level 2). High impact is reserved for intelligence or top-secret data. FedRAMP and CMMC both derive from NIST standards and share significant overlap in their controls, though FedRAMP goes considerably further with 323 controls compared to CMMC's 110 practices.
The DFARS clause requires that any cloud service offering used to store, process, or transmit CUI must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency. In the AEC/construction space, examples of CUI that commonly live in cloud platforms include architectural drawings, specifications, and other project documentation tied to federal contracts.
Critically: if you use a FedRAMP authorized solution, you are not responsible for that platform's compliance; the CSP is. However, if you share CUI with collaborators (subs, architects, engineers, building managers) and they upload it to a non-CMMC-compliant system, you become responsible for that breach. The obligation to flow CMMC requirements down the supply chain rests with the party that owns the data relationship.
Troy Clark: The FedRAMP marketplace (marketplace.fedramp.gov) lists all CSP products with official FedRAMP designations. When evaluating solutions for CMMC compliance, there are three criteria to verify:
1. FedRAMP Authorized status. Products listed as "ready" or "in process" have only started their FedRAMP journey; they cannot be used under CMMC until they achieve full authorization, which can take years.
2. Moderate or High impact level. Low and LI-SaaS products do not satisfy CMMC requirements.
3. Rev Five designation. FedRAMP is transitioning to a newer framework called "20x," but the DoD has not yet provided guidance on whether 20x authorization will satisfy CMMC requirements. Until it does, only Rev Five products are safe to rely on for CMMC compliance.
ProjectTeam achieved FedRAMP authorized status in October 2024 under Rev Five at the Moderate impact level. Unlike CMMC's three-year audit cycle, FedRAMP requires a third-party assessment organization audit annually, a standard we already maintain.
"I'll just use a FedRAMP equivalent product." You can, but with significant risk. You become responsible for reviewing that vendor's security documentation and for any penalties or breaches that result. With a FedRAMP authorized product, that liability shifts to the CSP.
"We use AWS/Box/another FedRAMP platform, so we're covered." Those are infrastructure platforms, not construction management solutions. Any workflow or application built on top of them is still subject to CMMC, and you remain responsible for demonstrating compliance for that software layer.
"FedRAMP 20x is newer, so it must be better." The 20x transition is about streamlining the authorization process, not raising the security bar. Until DoD provides explicit guidance accepting 20x products, Rev Five authorization is the only safe choice for CMMC.
"All FedRAMP systems are equivalent." Not at all. Many FedRAMP authorized versions of commercial software are stripped-down subsets of the full product. ProjectTeam's FedRAMP authorized environment is identical to our commercial platform, no features held back.
Josh Witmer: FedRAMP authorization is the baseline, the price of admission. What matters after that is how platforms actually differ, and those differences show up in three areas: scope, deployment, and functionality.
Scope: ProjectTeam is FedRAMP authorized at the Moderate impact level and also holds GovRAMP authorization, relevant for state and local agencies increasingly requiring cloud security standards.
Deployment: ProjectTeam is 100% cloud-based with no on-premise hardware and no hybrid workarounds where part of the system lives outside the authorized boundary. When auditors ask where your data actually lives, the answer is always clear.
Functionality: Every feature of ProjectTeam's commercial platform is available within the FedRAMP authorization boundary. There is no "government lite" version. What you see is what you get.
ProjectTeam is a construction management platform built from day one for the industry, not a document repository or generic cloud solution with a compliance wrapper. Core capabilities include:
Document Management: RFIs, submittals, drawings, and files, all forms of documentation that can contain CUI, are managed within the platform with full customization. Users can add fields, modify workflows, and adapt the system to their business processes without developer involvement, all within the authorized security boundary.
Integrated Cost and Financial Controls: Budgets, contracts, and change management workflows are fully connected. A change order flows through the system, gets approved, ties back to the original contract, updates the budget, and refreshes reports, all in real time.
Drawing and Specification Management: A robust file viewer allows users to pull up drawings and add markup (annotations, shapes, text, and document pins), with all collaborative activity hosted within the FedRAMP authorized boundary.
Full Mobile Functionality: Field reports, safety inspections, QA/QC checklists, punch lists: every feature is available on mobile devices. Not a read-only app, not a stripped-down version. Field teams can capture data in real time with camera integration and voice-to-text capabilities.
Real-Time Reporting and Dashboards: Reports and dashboards can be created on any data tracked in the system, saved as standards, and scheduled for automated delivery. No waiting for someone to manually assemble status reports.
Most construction projects, and most FedRAMP solutions, operate in a fragmented model: one system holds the authorized data, and every other stakeholder (contractors, subs, QA/QC teams, suppliers) operates on their own platform. Every time data is downloaded and re-uploaded, emailed, or dropped into a shared folder, it leaves the authorization boundary. Under CMMC, that's where you fall out of compliance, even if every individual system is technically secure on its own.
ProjectTeam solves this by creating a single connected collaboration environment. The owner invites the prime contractor, the prime invites subs and architects and engineers, and all project data, including CUI like RFIs, submittals, and drawings, stays within a single FedRAMP authorized boundary. Everyone has shared access to the same source of truth, eliminating the need to download and re-upload data, and keeping the entire project ecosystem within the authorization boundary.
Each stakeholder organization can also customize their view of shared data, adding their own fields, internal tracking, and workflows, without forcing their processes on collaborators. The core record stays unified while each party sees it through their own lens.
The core message: you shouldn't have to choose between a tool that keeps you legally compliant and a tool that actually helps you run your projects. With ProjectTeam, you get both: a modern, configurable, FedRAMP authorized construction management platform with the full feature set, supported by US-based customer support, role-based hands-on training, and implementation specialists who come from the construction industry.
Troy Clark: All CUI data stored in ProjectTeam lives within our FedRAMP Moderate authorized system, within clearly defined authorization boundaries. The data never leaves that system. Under CMMC rules, if your cloud service provider is FedRAMP Moderate authorized and your CUI stays within that boundary, the CSP meets the cloud-related CMMC requirements, and you don't need to separately mandate CMMC certification from the CSP.
Tony Bai: To add context: if all CUI is strictly within a FedRAMP authorized boundary, there is actually nothing for a C3PAO to assess for a CMMC Level 2 certification, because the CUI is already protected under FedRAMP. The two frameworks are mutually exclusive in that scenario. The CMMC requirements that remain apply to your organization as the contractor, not to the authorized platform you're using.
Tony Bai: Yes. If a sub has a CMMC Level 2 certification, their certified assessment boundary is authorized to handle CUI. You can share CUI with them, provided you're using approved methods for sharing and are only providing the CUI necessary for the scope of work. As the party flowing data downstream, you remain accountable for ensuring your subs are protecting the data appropriately, not through independent auditing, but through due diligence confirming their certification status and compliant data handling practices.
Tony Bai: CMMC is currently a DoD-only program. Whether state and municipal governments adopt similar requirements is at their discretion. I'm not aware of any state or local implementations of CMMC-equivalent frameworks at this time. However, the analog at the state and local level is GovRAMP (formerly StateRAMP), which mirrors FedRAMP for non-federal agencies. We're seeing a growing number of state and municipal RFPs that already require FedRAMP authorization from their vendors, so the trend is clearly moving in this direction.
Liv: Thank you to our panelists for sharing their expertise. If you have questions about your CMMC journey or need compliance guidance, you can reach Tony Bai at sales@riscpoint.com. For questions about ProjectTeam, to see features in action, or to schedule a demo, reach out to us at info@projectteam.com.
About ProjectTeam.com
ProjectTeam.com is an all-in-one, cloud-based construction management software platform built for complex projects and capital programs. Owners, general contractors, subcontractors, and public agencies use it to manage documents, costs, schedules, and teams in one environment, where every stakeholder owns their own records and shares on their own terms. The platform is configured to match each organization's processes with unlimited no-code customization. For federal programs and government agencies, ProjectTeam.com is both FedRAMP and GovRAMP Authorized. For more information, visit https://www.projectteam.com.