Rules related to Cybersecurity for Federal contractors are being updated and may change. AGC aims to provide timely guidance and resources. This page was last updated on March 17th, 2026
In addition to the resources below, join AGC for a virtual Demo Day focused on CMMC on May 21, sign up here: https://www.agc.org/demo-days.
The U.S. Department of War (DoW) has proposed and released regulations that require Cybersecurity Maturity Model Certification (CMMC) compliance. For construction contractors working on DoW projects, compliance with the CMMC presents significant challenges.
The CMMC framework, designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), imposes rigorous cybersecurity requirements that affect not only prime contractors but the entire supply chain, including subcontractors. AGC has taken a whole-of-association approach to navigating CMMC compliance.
Latest update
Phased Implementation of CMMC requirements has begun. On Sept. 10, 2025, the Department of War (DoW) released the final regulation that requires Cybersecurity Maturity Model Certification (CMMC) compliance for every DoD prime and subcontractor. As of November 10, 2025, all DoW solicitations must include CMMC Level 1 and Level 2 Self-Assessment requirements. Most AGC members will fall under Level 1 or 2, and contractors should expect to see the CMMC clause in their contracts in the coming months.
Outlook
CMMC Level 3 requirements are expected to come into effect in under a year. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to continue through 2028.
Background
What is Controlled Unclassified Information (CUI)?
CUI is sensitive information that does not meet the criteria for classification but must still be protected. It is Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.
Source: DoD CUI Program
What is Federal Contract Information (FCI)?
FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.
Source: Defense Counterintelligence and Security Agency
What is the difference between CUI and FCI?
All CUI in possession of a Government contractor is FCI, but not all FCI is CUI. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls.
Source: Defense Counterintelligence and Security Agency
History
Malicious cyber activity costs the U.S. economy billions of dollars every year. The federal government has recognized this threat to economic and national security. In recent years the federal government in general, and the Department of Defense in particular, has begun requiring prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement certain cybersecurity standards. The most prominent of these requirements are NIST SP 800-171, Cybersecurity Maturity Model Certification, and "Section 889 Part B."
In 2016, the federal government required all federal contractors to comply with the standards set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Among other requirements, the NIST SP 800-171 rule imposed a set of “basic” security controls on contractor information systems through which “federal contract information” transits or on which it resides, in particular any Controlled Unclassified Information/Covered Defense Information (CUI/CDI) data. As of November 2020, federal contractors must perform a self-assessment in the Supplier Performance Risk System (SPRS), which requires entry of the contractor's Commercial and Government Entity Program (CAGE) code. A contractor that does not have a CAGE code can obtain one in either of two ways: 1) by registering in SAM.gov, where a CAGE code is assigned during processing; or 2) if the contractor does not intend to do business with the federal government, by requesting one directly from the DLA CAGE Branch by completing the request online.
In 2019, the Department of Defense initiated the Cybersecurity Maturity Model Certification (CMMC). CMMC will be a “go/no go” requirement in all Department of Defense solicitations. The purpose of CMMC is to become the “unified cybersecurity standard” for all defense contractors, subcontractors, and any entity in the supply chain. Under this model, defense contractors will be required to be certified by a third-party certifier (C3PAO) at one of the five levels of cybersecurity in order to be eligible for contract award. The CMMC Accreditation Body is the sole authorized accreditation and certification partner for the CMMC program and C3PAOs. Initially, the timeline was roughly a year for all of the more than 300,000 contractors that do business with the Department of Defense to be CMMC certified. Later, DoD announced a phased rollout ending in 2025. However, in November 2021, after months of internal review, the Department of Defense announced significant changes to the CMMC program, now called CMMC 2.0. Among these changes are: reducing the number of companies that would require a third-party assessment, reducing the CMMC rating from 5 levels to 3 levels, suspending CMMC pilot programs until a final regulation, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POAM). These changes were met with opposition from some stakeholders, who argue that they run counter to DoD policies and to President Biden’s recent Executive Orders increasing cybersecurity reporting requirements for businesses. AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance. On Dec. 16, 2024, the DoD issued the final rule implementing the CMMC program.
In 2020, the rule often referred to as “Section 889 Part B” went into effect. It prohibits federal agencies from entering into, extending, or renewing a contract with a contractor that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. In brief, Section 889 Part B prohibits contractors from using certain telecommunications equipment, mainly from Chinese companies such as Huawei or ZTE. The rule states that the prohibited “use” of the covered technology applies “regardless of whether the usage is in performance of work under a federal contract.” The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of prime contractors.