Why Construction Firms Need CMMC
Most defense contractors think of CMMC as a manufacturing problem. Machine shops, electronics assemblers, aerospace subcontractors. But construction firms doing MILCON (Military Construction) work or maintaining DoD facilities are just as much in the supply chain — and they carry CUI that's arguably more sensitive in certain ways.
Think about what's in a full set of construction documents for a military facility: building layouts, structural details, utility routing, communication conduit paths, access control points, camera positions, security fencing specifications. If you know where every conduit runs, where the power comes in, and how the access control system is wired, you have a roadmap for disrupting that installation.
The DoD has known this for years, which is why DFARS 252.204-7012 — the clause requiring CUI protection — has been in military construction contracts for a long time. CMMC adds the third-party verification piece that DFARS alone couldn't enforce.
MILCON (Military Construction) contracts and base operations support (BOS) contracts routinely include DFARS clauses requiring CUI protection. If your contract scope includes access to facility drawings, security system specs, or infrastructure vulnerability data, you're handling CUI and need CMMC Level 2.
Who This Applies To
Not every construction firm doing work near a military installation needs CMMC. The trigger is CUI — specifically, whether you receive and work with controlled design data. These construction roles almost always involve CUI:
- Prime MILCON contractors — You receive the full design package from the Army Corps of Engineers or NAVFAC. That's CUI.
- General contractors on base renovation projects — Renovating an existing facility means working from as-built drawings that describe the current state of the installation.
- Security system integrators — If you're designing or installing access control, intrusion detection, or CCTV systems, your design documents are among the most sensitive on base.
- Base operations & maintenance (BOM) contractors — Long-term maintenance contracts give you ongoing access to facility documentation, work order systems, and infrastructure data.
- MEP (Mechanical, Electrical, Plumbing) subcontractors — If you receive the full building systems design, including emergency power, communications infrastructure, or HVAC for sensitive areas, you likely have CUI.
A landscaping subcontractor who never sees building drawings? Probably not in scope. A concrete sub working from architecturals? It depends on what those drawings show. If there's any doubt, check your contract for DFARS 252.204-7012. If that clause is there, assume you're in CUI territory.
What CUI Looks Like in Construction
Construction CUI is different from manufacturing CUI in one important way: it's about facilities rather than parts. The classification logic is similar — the information describes something that an adversary could exploit — but the specific types of controlled data are different.
Physical Infrastructure Data
The most common CUI in defense construction is what you might call facility vulnerability information. This includes:
- Architectural drawings showing security zones — Which areas are restricted, how access is controlled, where barriers are located
- Structural drawings for hardened facilities — Bunkers, command centers, and hardened aircraft shelters have blast-resistance specs that reveal design assumptions
- Utility infrastructure plans — Power distribution, emergency generator locations, telecommunications infrastructure, water supply for critical systems
- Site surveys and topographic data — Detailed surveys of installations that don't appear in public maps
Security System Data
This is usually the most sensitive category. If you're a security integrator or an electrical contractor who installs security systems, your design documents include:
- Camera coverage maps and blind spots
- Access control panel locations and programming logic
- Intrusion detection zone layouts
- Guard booth specifications and response procedures
- Security lighting design and coverage
A camera coverage map with noted blind spots is one of the most valuable documents an adversary could obtain about a military facility. If you have that document on your server, it's CUI — and it needs to be protected like CUI.
Construction Phase Documents That Become CUI
Even documents that start out innocuous can become CUI as they incorporate more information:
- RFIs (Requests for Information) that describe sensitive conditions or systems
- Submittals for security-related equipment (cameras, locks, barriers)
- As-built drawings after construction — these describe the finished installation
- Commissioning reports for security and life-safety systems
The Job Site Challenge: CUI on the Move
Manufacturing firms deal with CUI in one place: their facility. Construction firms deal with CUI across multiple locations simultaneously — the home office, a project trailer on site, the superintendent's truck, a field tablet, a subcontractor's laptop at a coordination meeting.
This mobility is the central compliance challenge for construction. And it's where most construction firms fail their first CMMC gap assessment.
The Problem with Personal Devices on Job Sites
When a superintendent needs to reference a drawing on a job site, they often pull it up on their personal phone or iPad. That's fast and convenient. It's also a CMMC violation if that drawing is CUI and the device isn't managed and compliant.
CMMC Level 2 requires that all devices that process, store, or transmit CUI meet the 110 NIST 800-171 controls. A personal iPhone that's never been configured for corporate use doesn't meet those controls — not even close. So either that device goes out of scope (meaning it never touches CUI), or it gets managed and configured properly.
Building a CUI-Compliant Field Environment
The practical answer for construction firms involves a combination of approaches:
- Company-issued, MDM-enrolled devices for field use — Mobile Device Management (MDM) software lets you enforce encryption, remote wipe, and access controls on tablets and phones. This is the baseline.
- Cloud-based document access through compliant platforms — Use a FedRAMP-authorized construction document management platform (Procore has GovCloud options; some firms use SharePoint GCC) so drawings are never downloaded to local storage on site.
- VPN requirements for any remote access — Any field access to your CUI environment should go through an encrypted VPN connection.
- Physical access controls in trailers — A site trailer that stores CUI (printed drawings, laptops) needs locks, access logs, and visitor controls. It's a physical location in your CUI environment.
- Clear rules about printing — Printed drawings are physical CUI. If field staff print drawings at a local UPS Store, that's a problem. Set up compliant printing within your CUI environment only.
Our assessment identifies exactly which of your operations touch CUI and which tools you need. Takes 2 minutes.
What's In Scope for Construction Firms
Scoping correctly is critical. Over-scoping — putting your entire company network in the CUI environment — dramatically increases your compliance cost. Under-scoping — leaving out systems that actually touch CUI — means a failed assessment.
What CMMC Level 2 Requires for Construction
The 110 controls in NIST 800-171 apply regardless of industry. But some controls are especially relevant — and especially challenging — for construction firms.
Access Control (AC)
Every person who can access your CUI environment needs a unique account with the minimum access they need to do their job. The project superintendent doesn't need access to the security system submittals. The security integrator doesn't need access to structural drawings. Least privilege applies.
Media Protection (MP)
This is the printing/USB problem. Printed drawings are physical CUI. USB drives used to transfer drawings between systems are controlled media. You need policies and procedures covering both. On job sites, this means clear rules about how drawings get to field staff and what happens to printed copies when the project ends.
Physical Protection (PE)
Your site trailer is a physical location in your CUI environment. That means it needs controlled access (locks, access logs), visitor controls (guests must be escorted, and there must be a log), and some form of physical audit. This isn't as hard as it sounds — a locked trailer with a visitor sign-in sheet covers much of it — but it needs to be documented.
Configuration Management (CM)
All company devices that touch CUI need a baseline configuration. For field tablets, this means MDM enrollment, encryption enabled, screen lock enforced, and approved app list enforced. The baseline needs to be documented and maintained.
What It Actually Costs
Construction firms in the 15–50 person range typically see CMMC costs broken down like this:
| Cost Component | Typical Range | Notes |
|---|---|---|
| Gap assessment | $8,000–$20,000 | Higher than manufacturing due to multi-site complexity |
| MDM deployment for field devices | $5,000–$15,000 | Intune or JAMF setup + per-device licensing |
| Cloud platform migration (FedRAMP) | $10,000–$30,000 | Moving from standard to GovCloud platforms |
| Policy and documentation | $8,000–$18,000 | 14 required policies + SSP + construction-specific procedures |
| Security tools (EDR, SIEM, MFA) | $6,000–$16,000/year | Annual ongoing cost |
| C3PAO assessment | $25,000–$60,000 | Varies with number of sites assessed |
| Total first-year estimate | $62,000–$159,000 | Multi-site complexity drives higher end |
The multi-site nature of construction work is the main cost driver above what a manufacturing firm pays. Every active job site with CUI access is an additional location that needs to be secured and documented. Firms that limit their CUI footprint — centralizing document access rather than distributing it — pay significantly less.
Common Mistakes Construction Firms Make
Across construction-specific CMMC gap assessments, the same issues appear consistently:
- Personal devices in the CUI environment — Superintendents using personal iPads to access project drawings is almost universal. It needs to stop, or those devices need to be brought into compliance.
- CUI distributed to subcontractors without a plan — Sending security system drawings to an electrical sub without a clear CUI handling agreement is a problem. Your subs may need their own CMMC compliance, or you need to control exactly what you share with them.
- Site trailers not documented as physical locations — Assessors will ask about every location where CUI is processed, stored, or accessed. "We have a trailer on site" is an incomplete answer without documentation of what's in it and how it's secured.
- Email as the primary CUI transfer mechanism — Emailing controlled drawings is risky if your email isn't running on a FedRAMP-authorized platform with encryption enforced. Many construction firms still use basic office email.
- As-builts not treated as CUI — The as-built drawings are often more sensitive than the original construction documents because they describe the actual installed condition. Many firms get sloppy with archive management.
How to Get Started
Construction firms typically have a longer remediation timeline than manufacturers because the multi-site environment takes more time to lock down. Here's a realistic sequence:
- Map your CUI flow across all active projects — Document where controlled data enters your organization, how it moves, who accesses it, and where it's stored. This becomes the basis of your System Security Plan.
- Audit your field device situation — Identify every device touching CUI in the field. Company-issued or personal? Managed or unmanaged? Encrypted or not? This drives your MDM deployment plan.
- Choose a compliant document management platform — If you're using standard Procore or a file server, evaluate your options for a FedRAMP-authorized alternative. This is often the biggest infrastructure investment.
- Document your site trailer requirements — Write your physical security procedures for active project sites, including how visitor access is controlled, how printed CUI is handled, and how equipment is tracked.
- Engage a C3PAO early — With 6–12 month booking lead times, find your assessor while you're still in remediation. A pre-assessment consultation can also identify gaps before the formal assessment.
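The Configuration Management baseline described above (MDM enrollment, encryption, screen lock, approved app list) and step 2 of this sequence (identify every field device touching CUI and decide whether it is managed or must leave scope) amount to the same check. The script below is an added example, not code from the article or from any MDM vendor: it evaluates a constructed device inventory against a constructed baseline and groups each device into compliant, remediate, or out-of-scope. The device names, app names, and the 300-second lock timeout are assumptions; a real run would read the same fields from an Intune or JAMF export.

```python
"""Audit a field-device inventory against a CUI device baseline.

Added example, not from the original article. The inventory records, the
baseline values and the app names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Baseline every in-scope device must meet (constructed values).
BASELINE = {
    "mdm_enrolled": True,
    "disk_encrypted": True,
    "screen_lock": True,
    "max_lock_timeout_s": 300,
}
# Apps allowed on field tablets (constructed allow list).
APPROVED_APPS = {"Procore", "Outlook", "Authenticator", "CompanyVPN"}


@dataclass
class Device:
    name: str
    owner: str            # "company" or "personal"
    touches_cui: bool     # does anyone open controlled drawings on it?
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    lock_timeout_s: int
    apps: set = field(default_factory=set)


def find_gaps(dev: Device) -> list[str]:
    """Return the baseline controls this device fails, in a stable order."""
    gaps = []
    if dev.owner != "company":
        gaps.append("personal device: replace with a company-issued device")
    if not dev.mdm_enrolled:
        gaps.append("not MDM-enrolled")
    if not dev.disk_encrypted:
        gaps.append("storage not encrypted")
    if not dev.screen_lock:
        gaps.append("screen lock disabled")
    elif dev.lock_timeout_s > BASELINE["max_lock_timeout_s"]:
        gaps.append(f"lock timeout {dev.lock_timeout_s}s exceeds "
                    f"{BASELINE['max_lock_timeout_s']}s")
    unapproved = sorted(dev.apps - APPROVED_APPS)
    if unapproved:
        gaps.append("unapproved apps: " + ", ".join(unapproved))
    return gaps


def classify(dev: Device) -> str:
    """Scope decision: a device that never touches CUI needs no controls;
    an in-scope device is either compliant or must be remediated (or
    pulled out of scope by taking CUI off it)."""
    if not dev.touches_cui:
        return "out-of-scope"
    return "compliant" if not find_gaps(dev) else "remediate"


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by scope decision for the SSP and remediation plan."""
    report = {"compliant": [], "remediate": [], "out-of-scope": []}
    for dev in devices:
        report[classify(dev)].append(dev.name)
    return report


# Constructed sample inventory: one clean tablet, one personal iPad with
# drawings on it, one unencrypted company laptop, one phone outside scope.
SAMPLE_INVENTORY = [
    Device("tablet-super-01", "company", True, True, True, True, 120,
           {"Procore", "Outlook", "CompanyVPN"}),
    Device("ipad-personal-jsmith", "personal", True, False, True, True, 900,
           {"Procore", "Photos"}),
    Device("laptop-estimator-03", "company", True, True, False, True, 300,
           {"Outlook"}),
    Device("phone-landscaping-foreman", "personal", False, False, False, False, 0,
           {"Maps"}),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(f"{dev.name}: {classify(dev)}")
        if dev.touches_cui:
            for gap in find_gaps(dev):
                print(f"  - {gap}")
    print(audit(SAMPLE_INVENTORY))
```

The out-of-scope decision only holds while the device really never touches CUI; the moment a superintendent opens a drawing on the foreman's phone it joins the remediate list. That is why the inventory needs the `touches_cui` answer from the person using the device, not just the MDM's view of it.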
Our free readiness assessment is built for defense contractors of all types. Answer 8 questions about your business and get a prioritized action list.
Frequently Asked Questions
Yes — more than most people realize. If you're building or renovating a military facility, you're almost certainly working from blueprints that describe structural layouts, utility runs, access control points, and security system locations. That information is CUI because it reveals exploitable details about military infrastructure. Even maintenance schedules for sensitive systems can be controlled.
If they receive CUI — which usually means getting the actual facility drawings or security specs — then yes. A concrete subcontractor who just pours slabs to a basic dimensioned drawing might not touch CUI. An electrical sub who sees the full security system schematic almost certainly does. Your prime will flow CMMC requirements down to subs who handle controlled data.
This is the central challenge for construction firms. The answer is a combination of controls: use company-managed devices (not personal phones) on site, require VPN connections back to your compliant network when accessing CUI, use a cloud environment that's FedRAMP-authorized so access is controlled regardless of physical location, and train your field staff on what they can and can't do with controlled documents. Temporary site trailers aren't off the hook — if CUI lives there, they're in scope.
Facility clearances (FCLs) address classified work and are managed by DCSA. CMMC addresses unclassified CUI and is a separate program. They don't overlap in terms of certification — you need both if you do both types of work. That said, if you already have an FCL, you likely have some security infrastructure in place (physical security, personnel security, basic IS controls) that gives you a head start on parts of CMMC.
Plan for 12–18 months from start to certified. The biggest time sinks are usually: (1) identifying and limiting your CUI environment — most construction firms have CUI spread across email, shared drives, and field tablets before they start; (2) getting mobile device management deployed to field devices; and (3) waiting for a C3PAO assessment slot. Start early. Assessors are booking 6–12 months out.
Find out where your construction firm stands.
Our free readiness check is designed for defense contractors of all types — including construction. 8 questions. Plain English. Real answers.