Cybersecurity & Federal Contractors (CMMC)

Rules related to Cybersecurity for Federal contractors are being updated and may change. AGC aims to provide timely guidance and resources. This page was last updated on April 21st, 2026.

In addition to the resources below, join AGC for a free virtual Demo Day focused on CMMC on May 21st, 2026. Save your spot today at https://www.agc.org/demo-days.


The U.S. Department of War (DoW) has released regulations that require Cybersecurity Maturity Model Certification (CMMC) compliance as a condition of contract award. For construction contractors working on DoW projects, compliance with CMMC presents significant challenges.

The CMMC framework, designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), imposes rigorous cybersecurity requirements that impact not only prime contractors but also the entire supply chain, including subcontractors. AGC has taken a whole-of-association approach to navigating CMMC compliance.


Latest News

Read the latest AGC updates on Cybersecurity / CMMC and how we are advocating for you

Member Resources

Resources and more information for members from AGC and beyond


Get started

Refer to the steps below to quickly orient your team and identify what actions may be required.

Step 1 | Determine what information your company handles

Start by understanding whether your systems handle:

  • Federal Contract Information (FCI): information provided by or generated for the federal government that is not intended for public release; or
  • Controlled Unclassified Information (CUI): sensitive government information that requires safeguarding.

The type of information you handle drives which CMMC level is likely to apply.

Step 2 | Understand which CMMC level may apply to you

Contractors will fall under one of the following:

  • CMMC Level 1: generally applies to contractors handling only FCI; verified by an annual self-assessment
  • CMMC Level 2: applies to contractors handling CUI; verified by a self-assessment or, where the contract requires it, a certification assessment by an authorized third-party assessment organization (C3PAO)
  • CMMC Level 3: limited to select, higher‑risk contracts and expected to apply to a smaller subset of firms; assessed by the government rather than by a C3PAO

As of the current phase‑in, Level 1 and Level 2 self‑assessment requirements are now appearing in DoD solicitations and contracts, with additional requirements rolling out over time.

Step 3 | Take action to be prepared

Depending on your role and contract exposure, next steps may include:

Prime Contractors

If you hold or pursue DoW construction contracts, CMMC requirements will affect award eligibility and will flow down to subcontractors that process, store, or transmit FCI or CUI in performance of the contract. Engage with the AGC of America Federal & Heavy Construction Division or attend the AGC Federal Contractors Conference to join the conversation.

Subcontractors & Specialty Contractors

Even without a direct federal contract, CMMC requirements may determine whether you can work with DoW prime contractors. AGC of America's Specialty Contractors Committee represents you within the association.

Estimating, Business Development, and Operations

CMMC is increasingly part of go/no‑go decisions, teaming strategies, and federal construction risk management. Engage with the AGC of America Project Innovation and Technology Committee and Business Development Committee to help prepare your organization.

Information Technology, Compliance, and Risk Management

CMMC introduces structured cybersecurity, documentation, and assessment expectations that require early planning. Join us at the AGC Technology Conference and AGC Surety Bonding & Construction Risk Management Conference to ready your organization.

Latest update

Phased implementation of CMMC requirements has begun. On Sept. 10, 2025, the Department of War (DoW) released the final acquisition regulation that makes CMMC compliance a condition of award for DoW prime contractors and subcontractors that handle FCI or CUI. As of November 10, 2025, applicable DoW solicitations must include CMMC Level 1 or Level 2 self-assessment requirements. Most AGC members will fall under Level 1 or Level 2, and contractors should expect to see the CMMC clause in their contracts in the coming months.

Outlook

The phase-in adds requirements each year. The second phase, beginning November 10, 2026, adds Level 2 certification assessments by authorized third-party assessment organizations (C3PAOs) for contracts that require them; the third phase, beginning November 10, 2027, adds Level 3 requirements. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to continue through 2028.

Timeline

  • Phase 1 begins November 10, 2025: contracting officers include CMMC Level 1 or Level 2 self-assessment requirements in applicable new solicitations
  • Companies self-assess against the applicable requirements, submit their scores in the Supplier Performance Risk System (SPRS), and have a senior official affirm continued compliance annually
  • Later phases add Level 2 certification assessments and Level 3 requirements
  • CMMC applies to all applicable contracts once the three-year phase-in is complete in 2028


Background

What is Controlled Unclassified Information (CUI)?

CUI is sensitive information that does not meet the criteria for classification but must still be protected.  It is Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.  

Source: DoD CUI Program

What is Federal Contract Information (FCI)?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.

Source: Defense Counterintelligence and Security Agency

What is the difference between CUI and FCI?

All CUI in possession of a Government contractor is FCI, but not all FCI is CUI. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls.

Source: Defense Counterintelligence and Security Agency

History

Malicious cyber activity costs the U.S. economy billions of dollars every year, and the federal government has recognized this threat to economic and national security. In recent years the federal government in general, and the Department of Defense in particular, has required prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement certain cybersecurity standards. The most prominent of these requirements are NIST SP 800-171, the Cybersecurity Maturity Model Certification, and "Section 889 Part B."

In 2016, the federal government began requiring contractors to safeguard the government information on their systems. The FAR basic safeguarding clause (FAR 52.204-21) imposes a set of 15 "basic" security controls on any contractor information system on which Federal Contract Information transits or resides, and the Department of Defense's DFARS 252.204-7012 clause requires contractors that handle Controlled Unclassified Information/Covered Defense Information (CUI/CDI) to implement the 110 security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Since November 2020, DoD contractors subject to that clause must also score their NIST SP 800-171 implementation using the DoD Assessment Methodology and post the result in the Supplier Performance Risk System (SPRS), which requires entry of the contractor's Commercial and Government Entity (CAGE) code. A contractor that does not have a CAGE code can obtain one either: 1) by registering in SAM.gov, during which a CAGE code is assigned; or 2) if the contractor does not intend to do business with the federal government, by submitting a request directly to the DLA CAGE Branch online.

In 2019, the Department of Defense initiated the Cybersecurity Maturity Model Certification (CMMC). CMMC is a "go/no-go" requirement in Department of Defense solicitations: its purpose is to become the "unified cybersecurity standard" for all defense contractors, subcontractors, and any entity in the defense supply chain. Under the original model, defense contractors would have been certified by a third-party assessor (C3PAO) at one of five levels of cybersecurity maturity in order to be eligible for contract award. The CMMC Accreditation Body (now The Cyber AB) is the sole organization authorized to accredit C3PAOs for the CMMC program. Initially, the timeline called for roughly a year for the more than 300,000 contractors that do business with the Department of Defense to become CMMC certified. Later, DoD announced a phased rollout ending in 2025. However, in November 2021, after months of internal review, the Department of Defense announced significant changes to the program, now called CMMC 2.0. Among these changes: reducing the number of companies that require a third-party assessment, reducing the model from five levels to three, suspending CMMC pilot programs until a final regulation was issued, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POA&Ms). These changes were met with opposition from some stakeholders, who argued that they ran counter to DoD policy and to President Biden's then-recent Executive Orders increasing cybersecurity reporting requirements for businesses. AGC has communicated the difficulty many contractors have had implementing these cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests that a firm's "policies, plans, processes, and procedures" may offset the need for full compliance. The final rule establishing the CMMC program (32 CFR Part 170) took effect on Dec. 16, 2024.

In 2020, the rule often referred to as "Section 889 Part B" went into effect. It prohibits federal agencies from entering into, extending, or renewing a contract with a contractor that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. In brief, Section 889 Part B prohibits contractors from using certain telecommunications equipment, mainly from Chinese companies such as Huawei or ZTE. The rule states that the prohibited "use" of the covered technology applies "regardless of whether the usage is in performance of work under a federal contract." The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of prime contractors.


Disclaimer: The content provided on this page is intended to be informational in nature and does not constitute legal, technical, or compliance advice. Cybersecurity requirements may vary based on specific circumstances and are subject to change. Users are encouraged to consult qualified legal counsel or cybersecurity professionals before taking action. AGC does not warrant the accuracy, completeness, timeliness, or applicability of the information provided and assumes no liability for reliance on this content.
