Nick Espinosa
Honestly, this freight train is heading toward the construction industry. While some contractors know and work on this, many construction companies have yet to learn about this potentially harmful (financially) compliance standard. So let’s break down some of the critical points about the CMMC.
What we are talking about here is the Cybersecurity Maturity Model Certification, or CMMC. Essentially, this is the Department of Defense’s (DoD) response to years of watching its supply chain of more than 300,000 corporations and entities, known as the Defense Industrial Base (DIB), continuously fall victim to cyberattacks, resulting in the loss or exfiltration of sensitive DoD data. In other words, sensitive military information is falling into the hands of potential adversaries around the globe, and the DoD is moving to stop this.
Historically, DoD contractors could self-attest to their cybersecurity practices and those of their subcontractors. However, the DoD was finding that many of the companies that had been compromised over the years were attesting to adequate security controls that weren’t really in place.
The CMMC, now in version 2.0, has three levels of certification, from Level One, or “Foundational,” which encompasses 17 critical cybersecurity practices, up to Level Three, or “Expert,” which utilizes more than 110 critical cybersecurity practices.
As the CMMC 2.0 becomes the new standard for the DoD, each company that wishes to do business with the DoD or its contractors may have to be audited by a qualified CMMC auditor in order to become certified to a CMMC level that will allow the company to work on DoD contracts and/or to handle sensitive DoD information, known as Controlled Unclassified Information (CUI). Over 90% of companies seeking this certification are going for the Level 2 certification, or “Advanced,” as that is the level required to handle CUI (think architectural designs for a military base that needs construction, and all of the aspects of subcontracting that go with it). Everyone from the General Contractor to the subcontractors doing the mechanical, electrical, plumbing and other work will need to adhere to Level 2 standards.
Implementing a complete cybersecurity solution for a business will take time, money, and energy. Still, it is needed if one of the core revenue streams for the business is DoD work, or if the company’s growth strategy is focused on increasing its bids for the DoD and other government agencies. Even though the CMMC is not fully online yet (more on that in a moment), multiple federal agencies have already announced that they will be adopting these standards, and there is an expectation that within five to ten years we will also see elements of CMMC flow down to state, municipal and local governments, as we have a serious problem with ransomware and extortion at the local level as well. In that vein, understanding that cybersecurity certifications may be required for most of the construction industry is important for companies with multi-year growth strategies that include these entities as well.
Already the DoD is increasing the number of contracts it releases annually that carry CMMC requirements. CMMC 2.0 rules have also been written, and the DoD announced in mid-2022 that it would be submitting these rules to the federal government in March of 2023. This activates a 60-day comment period for the public to weigh in, and then in May of 2023 the CMMC will go online. This means that those companies that have not started implementing CMMC controls in preparation for certification are behind their competitors. Fortunately, the first phase of CMMC 2.0 in May of 2023 will start with a self-attestation phase, as many companies are still not ready but are working towards it. However, the second phase will bring certification requirements for many companies depending on the type of CUI they will be handling, and many companies at that point will begin to lose business. If the company isn’t certified then, by law, the company cannot handle some types of CUI and therefore cannot be used for the contract. The threat of losing most favored status with the general contractor should be a serious consideration here.
The CMMC is not for all contractors. As I mentioned, it takes time, money and energy, and the multitude of contractors that stick to residential and commercial work may not see the need for this certification, though I would also mention that having a certification like this gives any company a competitive sales edge regardless of the type of work it does. So best of luck to all construction companies out there! Sooner rather than later, foreign intelligence will stop eating our lunch!
Nick Espinosa is a cybersecurity and network infrastructure expert. He consults with clients ranging from small business owners to Fortune 100 companies through his business Security Fanatics, a cybersecurity/cyberwarfare outfit dedicated to designing custom cyberdefense strategies. Learn more at www.securityfanatics.com.
Published: October 31, 2022