Rules related to Cybersecurity for Federal contractors are being updated and may change. 麻豆视频 aims to provide timely guidance and resources. This page was last updated on April 21st, 2026.
In addition to the resources below, join 麻豆视频 for a free virtual Demo Day focused on CMMC on May 21st, 2026. Save your spot today at /demo-days.
U.S. Department of War (DoW) has that require Cybersecurity Maturity Model Certification (CMMC) compliance. For construction contractors working on DoW projects, compliance with the CMMC presents significant challenges.
The CMMC framework, designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), imposes rigorous cybersecurity requirements that impact not only prime contractors but also the entire supply chain, including subcontractors. 麻豆视频 has taken a whole-of-association approach to navigating CMMC compliance.
Read the latest 麻豆视频 updates on Cybersecurity / CMMC and how we are advocating for you
Member Resources
Resources and more information for members from 麻豆视频 and beyond
Get started
Refer to the steps below to quickly orient your team and identify what actions may be required.
Step 1 | Determine what information your company handles
Start by understanding whether your systems handle:
- Federal Contract Information (FCI): information provided by or generated for the federal government that is not intended for public release; or
- Controlled Unclassified Information (CUI): sensitive government information that requires safeguarding.
The type of information you handle drives which CMMC level is likely to apply.
Step 2 | Understand which CMMC level may apply to you
Contractors will fall under one of the following:
- CMMC Level 1: generally applies to contractors handling only FCI
- CMMC Level 2: applies to contractors handling CUI
- CMMC Level 3: limited to select, higher-risk contracts and expected to apply to a smaller subset of firms
As of the current phase-in, Level 1 and Level 2 self-assessment requirements are now appearing in DoD solicitations and contracts, with additional requirements rolling out over time.
Step 3 | Take action to be prepared
Depending on your role and contract exposure, next steps may include:
- Learn more about CMMC (Member Resources)
- Conducting a required self-assessment, and submitting scores in the Supplier Performance Risk System (SPRS)
- Engaging trade partners and suppliers to understand their cybersecurity readiness
- Preparing for future third-party assessments, where required
Latest update
Phased Implementation of CMMC requirements. On Sept. 10, 2025, the Department of War (DoW) released the that requires Cybersecurity Maturity Model Certification (CMMC) compliance for every DoD prime and subcontractor. As of November 10, 2025, all DoW solicitations must include CMMC Level 1 and Level 2 Self-Assessment requirements. Most 麻豆视频 members will fall under Level 1 or 2, and contractors should expect to see the CMMC clause in their contracts in the coming months.
Outlook
CMMC Level 3 requirements are expected to come into effect in under a year. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to continue through 2028.
Timeline
- Phase 1 begins November 10, 2025
- Contracting officers will include CMMC Level 1 and 2 in new contracts
- Companies must self-assess and submit scores in the Supplier Performance Risk System (SPRS)
- CMMC will eventually be mandatory after the 3-year phase-in
Prime Contractors
If you hold or pursue DoW construction contracts, CMMC requirements will affect eligibility, and may flow down to your subcontractors. Engage with the 麻豆视频 of America Federal & Heavy Construction Division or to join the conversation.
Subcontractors & Specialty Contractors
Even without a direct federal contract, CMMC requirements may determine whether you can work with DoW prime contractors. 麻豆视频 of America's Specialty Contractors Committee represents you within the association.
Estimating, Business Development, and Operations
CMMC is increasingly part of go/no-go decisions, teaming strategies, and federal construction risk management. Engage with the 麻豆视频 of America Project Innovation and Technology Committee and Business Development Committee to help prepare your organization.
Information Technology, Compliance, and Risk Management
CMMC introduces structured cybersecurity, documentation, and assessment expectations that require early planning. Join us at the and to ready your organization.
Background
What is Controlled Unclassified Information (CUI)?
CUI is sensitive information that does not meet the criteria for classification but must still be protected. It is Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.
Source:
What is Federal Contract Information (FCI)?
FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.
Source:
What is the difference between CUI and FCI?
All CUI in possession of a Government contractor is FCI, but not all FCI is CUI. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is "not intended for public release," CUI is information that requires safeguarding and may also be subject to dissemination controls.
Source:
History
Malicious cyber activity costs the U.S. economy billions of dollars every year. The federal government has recognized this threat to economic and national security. In recent years the federal government in general, and the Department of Defense in particular, has begun requiring prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement certain cybersecurity standards. The most prominent of these requirements are NIST SP 800-171, Cybersecurity Maturity Model Certification, and "Section 889 Part B."
In 2016, the federal government required all federal contractors to comply with the standards set forth in NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Among other requirements, the NIST SP 800-171 rule imposed a set of several "basic" security controls for contractor information systems upon which "federal contract information" transits or resides, in particular any Controlled Unclassified Information/Covered Defense Information (CUI/CDI) data. As of November 2020, federal contractors must perform a self-assessment with Supplier Performance Risk System (SPRS) which requires entry of a contractor's Commercial and Government Entity Program (CAGE) code. If a contractor does not have a CAGE code, it can be obtained either: 1) and a CAGE code will be assigned during processing; or 2) if the contractor does not intend to do business with the federal government a request from the directly by completing the request online.
In 2019, the Department of Defense initiated the Cybersecurity Maturity Model Certification (CMMC). CMMC will be a "go/no go" requirement in all Department of Defense solicitations. The purpose of CMMC is to become the "unified cybersecurity standard" for all defense contractors, subcontractors, and any entity in its supply chain. Under this model, defense contractors will be required to be certified by a third-party certifier (C3PAO) among the five different levels of cybersecurity in order to be eligible for contract award. CMMC Accreditation Body is the sole authorized accreditation and certification partner CMMC program and C3PAOs. Initially, the timeline was roughly a year for all of the more than 300,000 contractors that do business with the Department of Defense to be CMMC certified. Later, DoD announced a phased rollout ending in 2025. However, in November 2021, after months of internal review, the Department of Defense announced significant changes to the CMMC program, now called CMMC 2.0. Among these changes are: reducing the number of companies that would require a 3rd party assessment, reducing the CMMC rating from 5 levels to 3 levels, suspending CMMC pilot programs until a final regulation, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POAM). These changes were met with opposition from some stakeholders who argue that these changes are counter to DoD policies and President Biden's recent Executive Orders increasing cybersecurity reporting requirements for businesses. 麻豆视频 has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests a firm's "policies, plans, processes, and procedures" may offset the need for full compliance. On Dec. 16, 2024, the DoD issued the implementing the CMMC program.
In 2020, the rule often referred to as "Section 889 Part B" went into effect that prohibits federal agencies from entering into, extending, or renewing, a contract with a contractor that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. In brief, Section 889 Part B prohibits contractors from using certain telecommunications equipment mainly from Chinese companies, for example Huawei or ZTE. The rule states that the prohibited "use" of the covered technology applies "regardless of whether the usage is in performance of work under a federal contract." The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of the prime contractors.
Disclaimer: The content provided on this page is intended to be information in nature and does not constitute legal, technical, or compliance advice. Cybersecurity requirements may vary based on specific circumstances and are subject to change. Users are encouraged to consult qualified legal counsel or cybersecurity professionals before taking action. 麻豆视频 does not warrant the accuracy, completeness, timeliness, or applicability of the information provided and assumes no liability for reliance on this content.