By Mandy Irvine McClure, Construction Technology Chair

AGC of America hosted a timely webinar earlier this month, "DoD’s Latest CMMC Ruling: Federal Contractors Need to Take Action Now," addressing the Department of Defense’s (DoD) recent final rule on the Cybersecurity Maturity Model Certification (CMMC) program and what it means for contractors. The session featured experts from AGC and Egnyte, including Jordan Howard (AGC), Neil Jones, and Satyam Verma (Egnyte), and focused on actionable guidance for federal contractors navigating compliance.

Key topics covered in the webinar included:

CMMC 2.0 Final Rule Status

The final rule for CMMC was published by the DoD in late 2024 and is currently in the implementation phase.
The rule outlines a phased rollout over three years (2025–2027), with CMMC requirements appearing in select contracts as early as October 2025.
Contractors should not wait: if you handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), preparation should be underway now.

Who Needs to Comply?

CMMC Level 1 (Foundational): Required for contractors handling FCI; involves 17 basic cybersecurity practices and an annual self-assessment.
CMMC Level 2 (Advanced): Required for contractors handling CUI; includes 110 security practices aligned with NIST SP 800-171 and will likely require a third-party assessment by a C3PAO.

Timing & Phasing

Initial contracts requiring CMMC are expected in late 2025.
By October 2026, all applicable DoD contracts will begin including CMMC requirements as a condition of award.
Contractors must be compliant at the time of contract award, not afterward.

SPRS Score and NIST 800-171

Self-assessments for NIST 800-171 (with a System Security Plan) must be submitted to the Supplier Performance Risk System (SPRS).
A valid SPRS score is already required under DFARS 252.204-7019/-7020 for many contracts.

Common Pitfalls to Avoid

Relying on IT providers to "handle it all" without oversight.
Assuming a self-assessment is enough for Level 2 (it's not).
Delaying documentation like System Security Plans (SSPs) and POA&Ms.

Key Takeaways & Action Items

Start Now
CMMC is no longer theoretical. Contractors should be actively preparing for assessments, especially if you plan to pursue contracts in 2025 or beyond.

Get Your Documentation in Order
Create or update your System Security Plan, incident response procedures, access control policies, and other required documents. Be ready to prove implementation, not just say you’re compliant.

Understand Your Information
Know whether you are handling CUI, FCI, or both; this determines your required CMMC level.

Submit Your SPRS Score
If you haven’t submitted your NIST 800-171 self-assessment to SPRS, you are already out of compliance with existing DFARS clauses.

Build a Compliance Roadmap
Whether in-house or with help from cybersecurity consultants, create a realistic plan that includes gap assessments, remediation, and readiness reviews.

Engage the Right Partners
Use qualified resources such as Registered Practitioners (RPs), C3PAOs, and reputable tools for tracking and documenting compliance (like Egnyte, who co-hosted this webinar). The CyberAB marketplace lists vetted providers who are certified to offer CMMC services in your region.

Budget for Compliance
Prepare for the costs of assessments, security tools, and internal resources needed to meet requirements.

The message from AGC and the DoD is clear: contractors who wait may be left behind. CMMC is moving forward, and compliance will be required to win and keep DoD contracts. Now is the time to assess your readiness and take steps toward certification, before it becomes a barrier to doing business.

Visit AGC of America for additional information and resources for contractors here.