5 Reasons Every AEC Firm Should Care about CMMC

‍

Since the Cybersecurity Maturity Model Certification (CMMC) was released in January 2020, there’s been a lot of hand-wringing over what it means and who should actually care. This is especially true for AEC firms, many of which figure this regulation only applies to the big system integrators and defense contractors of the world like Northrup Grumman and Boeing.

But CMMC isn’t just about large enterprises. Any organization that currently contracts with, or plans to contract with the U.S. Department of Defense (DoD) should be well on its way to getting CMMC certified.

Let’s quickly review what CMMC entails, then discuss why certification is important to your organization, even if you don’t work directly with the DoD.

What is CMMC?

CMMC is part of an effort to secure the DoD’s supply chain and protect Defense Industrial Base (DIB) contractors from cybersecurity threats. The DIB refers to the “worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” according to the federal government.

CMMC represents an amalgamation of multiple frameworks and standards, such as NIST SP 800-171, the NIST Cybersecurity Framework, and ISO/IEC 27001, all of which represent best of breed guidelines for cybersecurity processes and practices. It’s comprised of three levels that align with contractors’ cybersecurity practices and the sensitivity of information they manage, as well as the types and consequences of potential threats.

In short, the work you do and the information you handle dictate which level you must achieve to be compliant. Any organization in the Defense contract supply chain must comply with CMMC requirements and organizations that manage the most sensitive data must have those requirements audited by a certified independent third-party assessment organization.

These requirements include (but are not limited to):

• Critical infrastructure
• Defense
• Procurement and acquisition
• Natural and cultural resources
• Nuclear energy

Effectively Manage CUI

The three different maturity levels focus on the form and caliber of controlled unclassified information (CUI):

• Level 1: Safeguard Federal Contract Information (FCI)
• Level 2: Protect CUI
• Level 3: Protect CUI and reduce risk of advanced persistent threats (APT)

This means that any AEC firm handling CUI—and if you are working on a federal project you probably are handing CUI—needs to be certified at a minimum of Level 2.

For more detail on CMMC compliance, check out Egnyte’s full breakdown of the federal standards.

Why CMMC Matters to Your AEC Firm

Now that you know what CMMC is, let’s look at the five reasons why you, as an AEC firm, should care.‍

1. The Defense Industrial Base Spends Considerable Money

In 2020, the aerospace and defense industry reported $697 billion in revenue. A lot of that money is invested in weapons systems and computer networks, but it also goes into building roads on bases, fixing plumbing and lighting in office space, and updating facilities that are part of the Morale, Welfare, and Recreation program.

Even if you don’t work directly for the DoD, there are plenty of opportunities for your AEC firm to work for defense contractors like Boeing, or other general contractors that perform work for the DoD. Those firms will want to ensure their specialty contractors effectively protect potential DoD information. They certainly don’t want to end up in the news, having to explain how a specialty contractor fixing an HVAC system accidentally compromised sensitive government information.

2. CMMC Could Expand to the Remainder of the Federal Government

While the U.S. government has no immediate plans to expand CMMC beyond the DoD, we can reasonably expect other federal agencies will eventually need to adopt similar programs. In the past year, government organizations were the most targeted industry for ransomware in North America, with 15.4% reporting an attack.

Those agencies will want to be extremely vigilant about who they share data with externally, in light of those threats. Even if the requirements aren’t as stringent as CMMC, expect to be held to higher standard than the general industry if you want to work on federal projects in the future.

3. Broader Governmental Cybersecurity Initiatives Will Drive Infrastructure Spending

Across the political spectrum, legislation is being introduced in Washington that’s geared at increasing cybersecurity requirements for organizations that do business with the federal government. You don’t want to be left out, but remember, the federal government is likely to short-list AEC firms that can effectively protect their data.

With any politicized government program, opponents will look at any misstep—like a project manager on a jobsite losing a laptop with privileged government information on it—as an opportunity to score political points. Expect the bidding process to be very selective when it comes to the data protection criteria.

4. Major General Contractors Want to Work with Certified Specialty Contractors

Let’s say you don’t currently work on any federal projects and don’t intend to ever work on any federal projects. That’s your choice, but consider this: there will always be some AEC firms that work exclusively on federal projects, but most have a mix of federal and commercial projects. When those businesses want to establish long-term partnerships with subcontractors, are they going to select companies that can work on all of their projects, or those that can only work on a subset of their projects?

We all know that this industry is relationship-driven; companies want a small, select group of partners they can always work with and trust—trust to get the jobs done right, and to protect their brand reputations.

5) CMMC is Good Business

CMMC is not perfect, but the U.S. government got it right with this one. With rising cybersecurity threats—including ransomware, insider threats, and human error—proper data governance and security are critical to every AEC company. You don’t need to aim for CMMC Level 3 compliance, but the processes and procedures outlined at the lower levels are great data protection guideposts for any firm to follow.

These processes include:

• Limiting information system access to authorized users
• Sanitizing or destroying information system media containing sensitive information before disposal
• Ensuring the actions of individual system users can be uniquely traced
• Creating and retaining system audit logs and records

Proper data protection is essential for any organization, regardless of industry or size. But it’s even more critical in AEC, where there’s multiple jobsites, lots of mobile devices, and a myriad of subcontractor and partners who share information.

What’s Next?

This subject matter can be highly detailed and confusing. Since CMMC was launched in 2020, most organizations have spent the ensuing time just trying to figure it all out, and you’ll likely need to seek help from a trusted advisor like Egnyte to get a better handle on how to meet compliance standards.

There are people and companies like Egnyte who live and breathe these regulations. Get with them, talk it through, and create a plan. Remember, any company that isn’t CMMC compliant by October 2025 risks not having their DoD contract renewed. The CMMC deadline will be coming up faster than you think, so you don’t have time to lose.

Editor's note: This page has been updated to reflect changes made to CMMC in November 2021.

Learn More

To learn more about how Egnyte is helping AEC firms streamline every phase of construction visit our website at www.egnyte.com/aec.

‍