
CMMC: Contractor Data Requirements on DOD Projects

Last Updated Dec 30, 2024


Construction companies that take on work for the Department of Defense (DOD) and other federal projects often have access to sensitive or controlled information and data. This information isn’t always classified — i.e., potentially damaging to the country’s national security interests — but still requires safeguarding from unauthorized disclosure. 

Cybersecurity Maturity Model Certification (CMMC), spearheaded by the US DOD, is an information security standard that establishes requirements and protocols for the handling and safeguarding of Controlled Unclassified Information, or CUI. Contractors that work on construction projects subject to CMMC must demonstrate their ability to safeguard project information. For example, the drawings, specifications and other contract information for the construction of barracks on a military base would likely be marked as CUI. 

Until recently, the requirements for contractors to protect CUI have been both confusing and difficult to enforce. Contractors could simply self-attest that they were taking the necessary measures, leaving sensitive government information vulnerable to exposure. As a result, the DOD is launching CMMC 2.0 to establish stricter oversight of controlled information. These requirements will phase in between 2024 and 2028. During this period, contractors on DOD construction projects will need to meet an increasingly high bar for contract compliance.

Note: This article is purely intended for informational purposes. Nothing in it should be construed as legal advice. For legal guidance pertaining to CMMC compliance, consult with a lawyer. 

CMMC Basics: Types of Controlled Information

Clearly defined rules and protocols for handling classified data have existed in Federal Acquisition Regulation (FAR) since the National Industrial Security Program (NISP) was established in 1993. The rules for management of Controlled Unclassified Information have been less well defined. That’s why the DOD established Cybersecurity Maturity Model Certification in an effort to safeguard CUI and protect it from public disclosure. 

Controlled Unclassified Information is defined as “unclassified information the United States Government creates or possesses that requires safeguarding or dissemination controls limiting its distribution to those with a lawful government purpose.” (Source: DOD) All federal projects have the potential to expose contractors to some categories of CUI, but CMMC compliance is currently only a requirement of the DOD. Other federal agencies set their own standards for data handling and security.

Contractors on most military construction projects will have access to a subset of CUI known as Federal Contract Information (FCI). This is sensitive “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” FCI doesn’t include simple transactional information (Source: FAR 52.204-21).

To be clear, information is defined by the Code of Federal Regulations (CFR) as “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual” (Source: 48 CFR 4.1901).

In short, any DOD project contract information that is not publicly available (e.g., published on a government agency website) is considered FCI and subject to CMMC rules.

Examples of FCI in construction include: 

  • Emails and other communication between the DOD and contractors
  • Voicemails, meeting recordings and other audio pertaining to project scope

Further reading: CMMC Resources & Documentation: Links to federal legislation, codes and reference documents

Non-federal systems that store, process or transmit FCI that do not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

For a full list of key terms and acronyms related to CMMC, see the reference section at the bottom of this page.

CMMC Takeaways for Construction Companies

Construction companies that work on any DOD project that deals with Controlled Unclassified Information must be CMMC compliant to the level required. The solicitation and contract documents will specify when CMMC is required, usually with a specific reference to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021. 

The regulations around CMMC also make it clear that any requirements flow down to subcontractors. As a result, general contractors who bid on a DOD project with a CMMC clause need to either self-perform the work or include that clause in any contract documents with specialty contractors.

There are three levels of CMMC with which the contractor and any subcontractors might need to comply:

  • Level 1
  • Level 2
  • Level 3

Because the solicitation will specify which level is required, contractors can determine their ability to bid the project. The vast majority of DOD construction projects will require CMMC Level 2.

Note, though, that CMMC compliance is required as a condition of the contract award, not as a condition to initially submit a bid. As a result, contractors who don’t yet have the required level of compliance could still bid and begin work to secure the required level of CMMC. Since bidding for larger DOD projects typically takes months, the contractor may have sufficient time to implement the required cybersecurity measures and get their certification. 

Ideally, what is and isn’t CUI will be marked. The project administrator from the DOD should be able to provide clarity around what constitutes CUI and is consequently subject to CMMC requirements. That said, this is an area in which many contractors currently report some confusion. 

Further reading: CUI Marking Handbook: A reference guide for understanding how CUI is indicated 

CMMC 2.0 Requirements

CMMC 2.0 sets data security standards for three different levels of compliance. 

CMMC Levels

Level 1 (Foundational)

  • Applicable to: Contractors who have access to FCI only
  • Requirements: 15 measures as specified in FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • Assessment: Annual self-assessment; annual affirmation (More information: Level 1 Assessment Guide)

Level 2 (Expert)

  • Applicable to: Contractors with access to CUI beyond FCI
  • Requirements: Level 1 requirements AND 110 requirements from NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • Assessment: Triennial assessment by a Certified Third-Party Assessor Organization (C3PAO) or, for select programs, triennial self-assessment; annual affirmation (More information: Level 2 Assessment Guide)

Level 3 (Advanced)

  • Applicable to: Contractors working on high-value, high-risk DOD projects where the CUI faces a persistent threat
  • Requirements: Level 2 requirements AND 24 additional requirements from NIST SP 800-172
  • Assessment: Triennial assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); annual affirmation (More information: Level 3 Assessment Guide)

CMMC 2.0 Timeline

To put CMMC 2.0 in context and understand what it means for construction professionals, it helps to look back at how the DOD and its contractors arrived at this point.

2001–2024: Controlled Unclassified Information and Early-Stage CMMC

In the wake of 9/11, officials recognized that greater information sharing among government agencies might have prevented the tragedy. As a result, a government-wide initiative was launched with the goal of facilitating information sharing while protecting sensitive details.

From that effort, the term “Controlled Unclassified Information” was born. In 2010, Executive Order 13556 was issued to establish a uniform program for managing CUI. 

Today, a law, regulation, or government-wide policy (LRGWP) is required to categorize information as CUI. The National Archives and Records Administration (NARA) maintains a database of the latest CUI categories as enacted by LRGWP.

The current CUI program leaves government agencies with room to tackle CUI protection in different ways. The DOD has been notable in its proactive approach. 

With the 2017 enactment of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, construction contractors working with the DOD needed to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

This SP was developed jointly by NARA and NIST to set CUI safeguarding standards. NIST SP 800-171 lays the foundation for the DOD’s Cybersecurity Maturity Model Certification.

CMMC 2.0

To establish the latest CMMC framework, also called CMMC 2.0, two pieces of legislation are being added to the Code of Federal Regulations (CFR). 

The first is 32 CFR Part 170, which took effect on December 16, 2024, and establishes the new framework and its requirements. However, it won't be implemented until the proposed acquisition rule (48 CFR Part 204 CMMC Acquisitions rule) is finalized, which is expected by mid-2025.

The second component, Defense Federal Acquisition Regulation Supplement (DFARS) 48 CFR, is what enables the DOD to include clauses in contracts requiring CMMC compliance for contractors when handling CUI. 

Note that Revision 3 of NIST SP 800-171 has been published. For now, though, CMMC Level 2 remains tied to Revision 2, along with a class deviation issued by the DOD.

At the beginning of CMMC 2.0, Level 1 and Level 2 contracts will allow for self-attestation, meaning the contractor can essentially sign something saying that they’re compliant with the 15 or 110 security measures. But as CMMC 2.0 gets phased in, the vast majority of construction contracts will require Level 2 CMMC compliance as confirmed by a Certified Third-Party Assessor Organization (C3PAO). 

To prove Level 3 CMMC compliance, which will only be required of contractors on projects with extremely sensitive security requirements, contractors will need to work with a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

No mandatory CMMC contractual requirements for defense contractors can take effect until the CMMC Title 48 Final Rule is approved and becomes effective. 48 CFR closed its comment period in October 2024 and moved into its finalization process. Approval is expected sometime between Spring and Fall of 2025. Once finalized, the three-year phased roll-out will begin.
 

Phase 1 (2025)

  • Requirement level: Level 1 (Self) or Level 2 (Self)
  • Requirement: In this first phase, new DOD contracts can require either Level 1 or Level 2 CMMC compliance as confirmed by self-attestation from the contractor.

Phase 2 (2026)

  • Requirement level: Level 2 (C3PAO)
  • Requirement: New DOD contracts can require Level 2 CMMC as confirmed by an audit from a C3PAO.

Phase 3 (2027)

  • Requirement level: Level 2 (C3PAO) or Level 3 (DIBCAC)
  • Requirement: New DOD contracts can require Level 3 CMMC as confirmed by an audit from a DIBCAC.

Phase 4 (2028)

  • Requirement level: Full implementation
  • Requirement: Solicitations and contract documents for all DOD projects will include applicable CMMC level requirements.

Becoming CMMC Compliant

CMMC compliance depends on the phase of the 2.0 rollout.

Self-Attestation

This is the current state of affairs and will continue to be so until CMMC 2.0 Phase 2 begins on February 14, 2026. 

Right now, Cybersecurity Maturity Model Certification relies on self-attestation. Compliance means meeting the requirements and entering that self-attestation into the DOD’s Supplier Performance Risk System (SPRS).

Self-attestation shouldn’t be taken lightly. By attesting that the company has CMMC compliance to the appropriate level, that contractor is committing to upholding those security measures. 

The government has recourse if the contractor is found to have committed fraud by falsifying a self-attestation. In fact, the False Claims Act was instituted during the Civil War because of defense contractor fraud. Under the Act, fraudulent contractors can be held liable for up to three times the government’s damages plus an additional penalty. Adjusted for inflation, that additional penalty currently ranges from a minimum of $13,946 to a maximum of $27,894.

To ensure Level 2 CMMC compliance, contractors should follow specific steps:

  • Identify CUI and document where it lives within the company (e.g., in file folders, specific software solutions).
  • Check compliance for how CUI is protected according to the 110 measures in NIST SP 800-171.
  • Create plans of action and milestones (POAMs) for any areas that aren’t compliant.
  • Look at ways that CUI can flow out of those places into others and set up boundaries to prevent unwanted flow.
  • Name people responsible for monitoring CUI protections and equip them with the necessary tools.
  • Review contracts with other parties (e.g., subcontractors) to ensure CMMC compliance flows down appropriately.
  • Identify service providers and ensure appropriate compliance.

For help understanding what falls under CMMC requirements, construction professionals can turn to the scoping guide from the DOD. Broadly speaking, anything that stores, transmits, or processes CUI needs CMMC compliance. 

To reiterate a key point here, CMMC requirements flow down to subcontractors. Even in the self-attestation phase, all parties involved in the project and interacting with CUI need to be able to prove their CMMC compliance. 

Working With a C3PAO

As CMMC 2.0 Phase 2 rolls out, most contractors working with the DOD will need Level 2 CMMC as validated by a C3PAO. C3PAOs are authorized and accredited by the Cyber AB, the only authorized non-governmental partner of the DOD in implementing and overseeing CMMC. 

While getting an auditor involved might feel like extra work, it can streamline CMMC compliance for the construction company. The auditor determines the scope of the audit, identifying systems and parts of the company’s network that need to be in compliance. The scoping statement the auditor develops shapes the path forward and provides clarity about what the company needs to do to get certified. 

Once the auditor has confirmed CMMC compliance, the information needs to be recorded in both the CMMC Enterprise Mission Assurance Support Service (eMASS) and SPRS. 

To stay continually CMMC-compliant, the contractor needs to attest to compliance annually and have an audit conducted by a C3PAO every three years. 

How FedRAMP Plays Into CMMC Compliance

As part of these cybersecurity measures, any cloud service providers (CSPs) within the boundary that the contractor uses to handle, store, and process CUI must be Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline equivalent. 

Note that FedRAMP authorization isn’t an additional step the contractor needs to take internally. Instead, the contractor needs to choose FedRAMP-authorized CSPs or use CSPs that can prove FedRAMP Moderate equivalency. This is explored in more depth in this FedRAMP guide.

Looking Ahead With CMMC

As CMMC 2.0 rolls out, contractors should brace for hiccups along the way. The implementation of this cybersecurity standard means a lot of change for a lot of organizations — with surrounding processes layered on top. 

That said, the DOD is a forward-thinking government agency. Other agencies are only in the infancy stages of instituting protections for sensitive data, while the DOD is already in its second wave of implementing a robust plan.

For contractors, the best course of action is to take steps now to implement CMMC 2.0 Level 2 compliance. For more information about the Cybersecurity Maturity Model Certification and the rollout of CMMC 2.0, construction professionals can refer to the DOD’s CMMC hub page.

Reference Section

Key Terms & Acronyms

  • C3PAO (Certified Third-Party Assessor Organization): A non-governmental organization authorized to conduct assessments on companies seeking CMMC certification.
  • CFR (Code of Federal Regulations): A codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the federal government.
  • CMMC (Cybersecurity Maturity Model Certification): A framework established by the Department of Defense to ensure that contractors implement adequate cybersecurity measures when handling Controlled Unclassified Information.
  • CUI (Controlled Unclassified Information): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies.
  • DFARS (Defense Federal Acquisition Regulation Supplement): Regulations that supplement the Federal Acquisition Regulation (FAR) and provide DOD-specific acquisition policies and procedures.
  • DIBCAC (Defense Industrial Base Cybersecurity Assessment Center): A DOD unit responsible for evaluating the cybersecurity measures of defense contractors.
  • DOD (Department of Defense): The U.S. federal agency responsible for coordinating and supervising all agencies and functions of the government related directly to national security and the military.
  • FedRAMP (Federal Risk and Authorization Management Program): A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.
  • NIST (National Institute of Standards and Technology): A federal agency that develops and promotes measurement standards, including those for cybersecurity.
  • POAM (Plan of Action and Milestones): A document that outlines the steps a contractor needs to take to address any gaps or deficiencies in their cybersecurity practices.
  • SP (Special Publication): A series of NIST publications that provide guidelines and standards for various aspects of information technology and cybersecurity.
  • SPRS (Supplier Performance Risk System): A DOD system where contractors enter self-attestation of their cybersecurity practices as part of the CMMC compliance process.

Source Legislation & Documents

1. FAR 52.204-21 

  • Title: Basic Safeguarding of Covered Contractor Information Systems
  • What it covers: Establishes basic safeguarding requirements and procedures to protect contractor information systems that process, store, or transmit Federal contract information against cybersecurity threats.

2. Executive Order 13556

  • Title: Controlled Unclassified Information
  • What it covers: Establishes a uniform, government-wide program for managing CUI.

3. DFARS 252.204-7012

  • Title: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • What it covers: Requires DOD contractors to implement NIST SP 800-171 on systems that handle covered defense information.

4. NIST SP 800-171 (Rev 2)

  • Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • Source: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
  • What it covers: Provides guidelines for protecting Controlled Unclassified Information in non-federal systems and organizations, detailing 110 security requirements to ensure appropriate protections.

5. NIST SP 800-172

  • Title: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
  • Source: https://csrc.nist.gov/pubs/sp/800/172/final
  • What it covers: Enhances the security requirements outlined in NIST SP 800-171 by adding additional safeguards for advanced persistent threats, applicable to organizations handling critical programs and high-value assets.

6. 32 CFR Part 170

  • Title: Cybersecurity Maturity Model Certification (CMMC) Program
  • What it covers: Establishes the CMMC 2.0 framework and its level requirements; effective December 16, 2024.

7. DFARS 48 CFR

  • Title: Federal Acquisition Regulations System
  • What it covers: Enables the Department of Defense to include specific contract clauses requiring CMMC compliance for contractors handling CUI, facilitating the incorporation of cybersecurity requirements into contracts.

8. 31 USC §3729

  • Title: False claims
  • What it covers: The liability section of the False Claims Act, which allows the government to recover treble damages plus penalties from contractors who knowingly submit false claims, including falsified self-attestations.

Written by

Kacie Goff


Kacie Goff is a construction writer who grew up in a construction family — her dad owned a concrete company. Over the last decade, she’s blended that experience with her writing expertise to create content for the Construction Progress Coalition, Newsweek, CNET, and others. She founded and runs her own agency, Jot Content, from her home in Ventura, California.


Reviewed by

Mandy Pote

Mandy Pote is the Managing Principal at Coalfire, where she leads the Enterprise Risk Analysis team and collaborates with sales to sustain a strong client pipeline. With nearly a decade at Coalfire and past experience at EY, she is skilled in refining assessment methods and developing team training programs. A mentor for Duke's Master's in Cybersecurity program, Mandy is committed to helping students transition smoothly from academia to the professional world. She holds a degree from the Isenberg School of Management, UMass Amherst, and a CISSP certification.
