5 Reasons Every AEC Firm Should Care about CMMC
Since the Cybersecurity Maturity Model Certification (CMMC) was released in January 2020, there has been a lot of hand-wringing over what it means and who should actually care. This is especially true for AEC firms, many of which assume the regulation only applies to big system integrators and defense contractors like Northrop Grumman and Boeing.
But CMMC isn’t just about large enterprises. Any organization that currently contracts with, or plans to contract with the U.S. Department of Defense (DoD) should be well on its way to getting CMMC certified.
Let’s quickly review what CMMC entails, then we’ll discuss why certification is important to your organization, even if you don’t work directly with the DoD.
What is CMMC?
CMMC is part of the effort to secure the DoD’s supply chain and protect the Defense Industrial Base (DIB) contractors from cybersecurity threats. The DIB refers to the “worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” according to the federal government.
CMMC is an amalgamation of multiple frameworks and standards, such as NIST SP 800-171, the NIST Cybersecurity Framework, and ISO/IEC 27001, all of which represent best-of-breed guidelines for cybersecurity processes and practices. It comprises five levels that align with contractors’ cybersecurity practices and the sensitivity of the information they manage, as well as the types and consequences of the threats they face.
In short, the work you do and the information you handle dictate which level you must achieve to be compliant. Any organization in the defense contract supply chain must comply with CMMC requirements and have those requirements audited by a certified independent third-party assessment organization.
The information these requirements protect, controlled unclassified information (CUI), spans the categories defined in the National Archives’ CUI Registry, including (but not limited to):
- Critical infrastructure
- Procurement and acquisition
- Natural and cultural resources
- Nuclear
Effectively Manage CUI
The five maturity levels are tiered by the sensitivity of the information a contractor handles, with controlled unclassified information (CUI) as the dividing line:
- Level 1: Safeguard Federal Contract Information (FCI)
- Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3: Protect CUI
- Level 4-5: Protect CUI and reduce risk of advanced persistent threats (APT)
This means that any AEC firm handling CUI (and if you are working on a federal project, you probably are handling CUI) needs to be certified at a minimum of Level 3.
For more detail on CMMC compliance, check out Egnyte’s full breakdown of the federal standards.
Why CMMC Matters to Your AEC Firm
Now that you know what CMMC is, let’s look at the five reasons why you, as an AEC firm, should care.
1. The Defense Industrial Base Spends Considerable Money
In 2020, the aerospace and defense industry reported $697 billion in revenue. A lot of that money is invested in weapons systems and computer networks, but it also goes into building roads on bases, fixing plumbing and lighting in office space, and updating facilities that are part of the Morale, Welfare and Recreation program.
Even if you don’t work directly for the DoD, there are plenty of opportunities for your AEC firm to work for defense contractors, like Boeing, or for other general contractors that perform work for the DoD. Those firms will want to ensure their specialty contractors effectively protect any DoD information they touch. They certainly don’t want to end up in the news, having to explain how the specialty contractor fixing an HVAC system accidentally compromised government information.
2. CMMC Could Expand to the Remainder of the Federal Government
While the U.S. government has no immediate plans to expand CMMC beyond the DoD, we can reasonably expect other federal agencies will need to come up with similar programs. In the past year, government organizations were the most targeted industry for ransomware in North America, with 15.4% reporting an attack.
Those agencies will want to be extremely vigilant about who they share data with externally, in light of those threats. Even if the requirements aren’t as stringent as CMMC, expect to be held to higher standard than the general industry if you want to work on federal projects in the future.
3. The American Jobs Plan Will Drive Infrastructure Spending
The American Jobs Plan, if signed into law, will lead to $550 billion in investments in roads, bridges, water infrastructure, resilience, internet, and more. You don’t want to be left out, but again, the federal government is only going to work with AEC firms that can effectively protect their data.
With a program as politicized as the American Job Plan, opponents will look at any misstep—like a project manager on a jobsite losing a laptop with government information on it—as an opportunity to score political points. Expect the bidding process to be very selective when it comes to the data protection criteria.
4. Major General Contractors Want to Work with Certified Specialty Contractors
Let’s say you don’t currently work on any federal projects and don’t intend to ever work on any. That’s your choice, but consider this: there will always be some AEC firms that work exclusively on federal projects, but most have a mix of federal and commercial projects. When those businesses want to establish long-term partnerships with subcontractors, are they going to select companies that can work on all of their projects, or those that can only work on a subset?
We all know this industry is relationship-driven; companies want a small, select group of partners they can always work with and whom they can trust—trust to get the jobs done right, and to protect their brand reputations.
5. CMMC is Good Business
CMMC is not perfect, but the U.S. government got it right with this one. With rising cybersecurity threats—including ransomware, insider threats, and human error—proper data governance and security are critical to every AEC company. You don’t necessarily need to aim for CMMC Level 5 compliance, but the processes and procedures outlined at the lower levels are great data protection guideposts for any firm to follow.
These processes include:
- Limiting information system access to authorized users
- Sanitizing or destroying information system media containing sensitive information before disposal
- Ensuring the actions of individual system users can be uniquely traced
- Creating and retaining system audit logs and records
Proper data protection is essential for any organization, regardless of industry or size. But it’s even more critical in AEC, where there are multiple jobsites, lots of mobile devices, and a myriad of subcontractors and partners sharing information.
What Comes Next?
This subject matter can be highly detailed and confusing. Since CMMC was launched in 2020, most organizations have spent the ensuing months just trying to figure it all out, and you’ll likely need to seek out help to get a better handle on how to meet compliance standards.
There are people and companies out there who live and breathe these regulations. Get with them, talk it through, and create a plan. Remember, any company that isn’t CMMC compliant by October 2025 risks not having its DoD contract renewed. The CMMC deadline will be coming up fast, so you don’t have time to lose.
To learn more about CMMC and how your organization can prepare for it, contact Egnyte to schedule a call with one of our experts. You can also watch our recent webinar on understanding CMMC, or rewatch a session from the Egnyte Exchange Global Summit, “Your Guide to Working with Government Projects,” with Egnyte CSO Kris Lahiri.
To learn more about how Egnyte is helping AEC firms streamline every phase of construction visit our website at www.egnyte.com/solutions/construction-engineering.