By Bridget Choi and Jamin Valdez of Woodruff Sawyer
Starting in 2025, the Cybersecurity Maturity Model Certification (CMMC) will be required for contractors on Department of Defense (DoD) projects. Contractors should proactively learn how this requirement will affect both their bid qualifications and their cybersecurity program. Understanding the criteria in advance avoids investing time and money in a pursuit only to discover later that the firm does not meet the qualifications needed to bid on the opportunity.
Is your business ready to meet these new requirements?
What is it?
The Cybersecurity Maturity Model Certification (CMMC) will be required for contractors on Department of Defense (DoD) projects, including U.S. Army Corps of Engineers (USACE) initiatives. The mandate extends beyond military installations to Civil Works projects (flood risk management, navigation, and water resources), Environmental Restoration and Conservation efforts (ecosystem restoration, pollution control, and shoreline protection), and disaster relief and emergency response work (infrastructure repair, temporary housing, and emergency flood management). These requirements will therefore reach many federal opportunities, including public works. CMMC is DoD's mechanism for verifying that companies doing business with the Department have actually implemented the cybersecurity safeguards their contracts already require, and it is also a tool for managing risk across the defense supply chain. The program goes into effect in early 2025, with the requirement phased into new solicitations over the following years.
What is its Purpose?
CMMC requires contractors to demonstrate that they meet a defined set of cybersecurity standards as a condition of working on DoD projects. The required level depends on the sensitivity of the information the contractor processes, stores, or transmits: Federal Contract Information (FCI) at the lowest level and Controlled Unclassified Information (CUI) at the higher levels.
Does this apply to all of the construction industry?
Not all of it, but any construction firm pursuing federal work should expect to encounter CMMC, and it is increasingly important for federal construction contracts. Public works (e.g., roads, bridges, water supply systems, and public buildings) are constructed and maintained by government entities, including the federal government; these projects serve the public interest and are frequently funded by federal programs. On DoD-funded work, contractors must demonstrate cybersecurity readiness to win new contracts. Think of it as a gate that only opens to contractors with a proven cybersecurity posture.
What about subcontractors?
Prime contractors are responsible for ensuring that their subcontractors hold a current CMMC certificate or self-assessment at the required level before FCI or CUI is flowed down to them. The level required for a subcontractor matches the sensitivity of the information it will actually handle, not the level held by the prime: a subcontractor that receives only FCI needs only the level required for FCI, even if the prime must hold the higher level required for CUI.
Will CMMC apply to all contractors and subcontractors?
No. CMMC applies only to contract and subcontract awardees that will process, store, or transmit FCI or CUI on contractor information systems. It does not apply to government information systems that contractors or subcontractors operate on behalf of the Government. Note, however, that if a contractor uses a BIM platform or a cloud project management system such as Procore or Autodesk to exchange project data, it must understand who is processing, storing, and transmitting that information and whether those parties meet the requirements. The contractor remains responsible for the information it receives, and under the CMMC rule a cloud service that handles CUI on the contractor's behalf must meet the FedRAMP Moderate baseline or an equivalent standard.
What are FCI and CUI?
FCI, or Federal Contract Information, is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service. In practice it includes project emails and other correspondence, schedules, and contract deliverables exchanged while performing the work. It excludes information the government provides to the public and simple transactional information, such as the data needed to process payments. CUI, or Controlled Unclassified Information, is information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls. CUI may be created or possessed by the government, or by other entities on the government's behalf, and it must be marked to convey its handling, safeguarding, and sensitivity requirements. CUI spans a wide range of categories, including personal information, financial details, proprietary business information, and intellectual property. In construction, a typical example is security-relevant information about systems, bridges, dams, buildings, and personnel that is needed to complete a project.
What are some examples of applicable construction contracts?
Examples range from airfields, barracks, and healthcare facilities to road repairs, ports, dams, and shoreline restoration, to name a few. Depending on the circumstances, federal statutes and regulations require the awarding agency to weigh various factors, such as promoting competition and small business participation. In general, DoD is not required to consider the business location of construction contractors or subcontractors when making contract awards.
Are there any exceptions for small construction contractors or subcontractors?
There is no exception for small businesses; DoD reasoned that “[t]he value of DoD’s sensitive information (and impact of its loss to the Department) does not diminish when it moves to contractors—prime or sub, large or small.”
How do we build our CMMC compliance program?
Becoming CMMC compliant is a material project regardless of the required level: it involves a substantial volume of documentation, a deep understanding of the requirements, and likely monetary investment in cyber infrastructure. The most important question a smaller outfit should ask before starting is: Do we process, store, or transmit FCI or CUI? The answer determines the level. A contractor handling only FCI must meet the 15 basic safeguarding requirements of FAR 52.204-21 and attest to them through an annual self-assessment (Level 1). A contractor handling CUI must implement the 110 security requirements of NIST SP 800-171 (Level 2), documented in a System Security Plan and, for most CUI contracts, verified by an accredited third-party assessment organization (C3PAO) every three years. Carefully scoping the systems and people that actually touch FCI or CUI, and keeping that environment as small as practical, is the most effective way to limit the cost.
Failure To Comply
Contractors that fail to comply with these requirements become ineligible for applicable contracts and could face False Claims Act liability for failing to implement the required controls while performing on covered contracts, or for misreporting compliance. The Department of Justice's Civil Cyber-Fraud Initiative uses the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, including contractors that knowingly misrepresent their cybersecurity practices or protocols. The exposure is heightened under CMMC because a senior company official must affirm continued compliance annually and after each assessment; an affirmation the company cannot substantiate is a false statement to the government. False Claims Act liability can result in millions of dollars in civil penalties as well as suspension and debarment proceedings.
Will we see more of these programs in the future?
While CMMC is specific to defense contracts, contractors working with other federal agencies will likely see similar programs in the coming years as the U.S. government hardens its supply chains against cyberattacks. Within DoD, the CMMC Program is part of a larger initiative to secure the supply chain against risks stemming from cybersecurity, from foreign-sourced products and services provided by persons or countries of concern, and, more recently, from foreign ownership, control, or influence (FOCI).
Cyber Insurance Considerations
Construction companies that have been through a CMMC exercise will generally find their cyber insurance renewal easier, because underwriters ask about many of the same controls (multifactor authentication, backups, endpoint monitoring, and incident response planning). CMMC is complicated, however, and we recommend working with your insurance broker to ensure that legal counsel with CMMC-specific knowledge is available or endorsed on the cyber insurance policy. Understanding which incidents must be reported, to whom, and how quickly is one of many things to consider with your broker. Contracts that include DFARS 252.204-7012, for example, require cyber incidents affecting covered defense information to be reported to DoD within 72 hours of discovery, a deadline that should be built into your incident response plan and reconciled with the policy's notice provisions.
Bridget Choi is Lead Product Counsel, Cyber with Woodruff Sawyer. She works with clients to find creative solutions for complex cyber and privacy challenges. With a deep understanding of incident response, privacy law, and insurance policies and claims, she provides coverage solutions and technical services for clients. She can be reached at bchoi@woodruffsawyer.com or 415.402.6612.
Jamin Valdez is Vice President, Construction with Woodruff Sawyer. He partners with clients to navigate complex global commercial property and casualty insurance challenges, with a focus on construction risks. He works with clients in all arenas and geographies with an emphasis on construction, professional services, energy, and real estate to develop risk management solutions. Valdez can be reached on LinkedIn, jvaldez@woodruffsawyer.com, or 858.876.4160.