What Is CMMC? A Plain-English Guide for Construction Contractors
CMMC is a DoD cybersecurity certification that can disqualify you from federal construction bids before you even submit a number. Here is what it is, which contracts require it, and what happens if you ignore it.

Most construction contractors have never heard of CMMC. That is not surprising. The requirement came out of the defense world and it sounds like an IT problem, not a construction problem. But if you bid on Department of Defense construction work and the contract involves certain types of information, CMMC is your problem too. Get caught without it and your bid gets thrown out automatically. No call. No second chance.
This post explains what CMMC is, which construction contracts require it, and what you actually need to do about it.
What CMMC Stands For
CMMC stands for Cybersecurity Maturity Model Certification. The Department of Defense created it because contractors kept getting hacked. Sensitive defense information was sitting on contractor laptops, shared drives, and email inboxes with no real protection. The DoD built CMMC to set minimum cybersecurity standards for any company that handles that information.
It is not a suggestion. It is a contract requirement. If a solicitation says CMMC Level 2 is required, you need proof of certification before your bid is even considered.
The Three Levels
The CMMC framework has three levels. Each one requires more from you.
Level 1: Foundational
This is the baseline. It covers the 15 basic safeguarding requirements of FAR 52.204-21: things like keeping malware protection current, limiting who can log in to your systems and see the files on them, identifying and authenticating users before they get access, and controlling who can walk into the office where the equipment sits. Most small businesses already do most of this without thinking about it. Level 1 applies to contractors who handle Federal Contract Information (FCI), which is information not intended for public release that is provided by or generated for the government under a contract.
Level 2: Advanced
This is where most DoD construction contractors run into trouble. Level 2 requires the 110 security requirements of NIST Special Publication 800-171. It covers how you store, transmit, and protect Controlled Unclassified Information (CUI). CUI includes things like building plans for military installations, technical specifications for secure facilities, and personnel or access data related to government property.
Level 2 comes in two forms, and the solicitation tells you which one applies. Level 2 (Self) lets you assess yourself against all 110 requirements and affirm the result in SPRS. Level 2 (C3PAO), which most contracts involving CUI are expected to specify, requires a CMMC Third-Party Assessment Organization (C3PAO) to come in, review your systems, and issue the certification. You cannot self-certify for a contract that calls for the C3PAO form.
Level 3: Expert
This level is for contractors working on the most sensitive DoD programs. It requires everything in Level 2 (C3PAO) plus 24 additional requirements drawn from NIST SP 800-172 that are designed to counter advanced persistent threats, and the assessment is performed by the government (DCMA's DIBCAC), not by a C3PAO. Most construction contractors will never encounter a contract requiring Level 3. If you do, you will know it because the solicitation will be explicit about it.
Which Construction Contracts Require CMMC
Here is the honest answer: most federal construction contracts do not require CMMC. Routine maintenance, renovation work on non-sensitive facilities, and general construction at non-DoD sites typically do not involve CUI and do not trigger CMMC requirements.
The ones that do include:
- Construction at military bases or secure DoD facilities
- Projects involving design documents for sensitive installations (secure communications rooms, SCIFs, bunkers, weapons storage)
- Contracts where you receive technical data or drawings that are marked as controlled
- Any contract where the solicitation specifically lists a CMMC level in the requirements
The key is reading the solicitation. If a SAM.gov opportunity involves DoD and the Statement of Work mentions sensitive facility improvements, infrastructure that touches classified systems, or any requirement to handle protected technical data, read the full solicitation for CMMC language. Look for DFARS 252.204-7012 (safeguarding covered defense information, which carries NIST SP 800-171 obligations), DFARS 252.204-7021 (the CMMC clause itself), and any CMMC level specified in Section L or M. Note that 7012 by itself has been in DoD contracts for years and does not name a CMMC level; 7021 and the stated level are what actually gate your bid.
How to Tell If a Solicitation Requires CMMC
Pull up the solicitation and search the document for these terms:
- “CMMC”
- “252.204-7012”
- “252.204-7021”
- “Controlled Unclassified Information”
- “CUI”
If none of those appear and it is a simple construction project on a non-sensitive site, you are probably fine. If they appear, you need to know your current CMMC level before you spend time building a bid.
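As an added example that is not part of the original post, here is a small Python scanner that runs that search over the text of a solicitation (export the PDF to text first) and reports which clauses it found and the highest CMMC level it names. The clause numbers are real FAR/DFARS clause numbers; the two solicitation excerpts are constructed for this example and are not real solicitations, and the verdict wording is this example's own.

```python
import re

# Constructed sample solicitation excerpt (not a real solicitation), used only to
# exercise the scanner offline. The clause numbers are real FAR/DFARS clause numbers.
SAMPLE_SOLICITATION = """
SECTION I - CONTRACT CLAUSES
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7021 Cybersecurity Maturity Model Certification Requirements
SECTION L - INSTRUCTIONS TO OFFERORS
Offerors must hold CMMC Level 2 (C3PAO) status in SPRS at time of award.
Drawings furnished under this contract are marked Controlled Unclassified Information (CUI).
"""

# Constructed excerpt of a routine job that carries only the FAR basic safeguarding clause.
NO_CMMC_SOLICITATION = "Roof replacement at Building 12. Offerors shall comply with 52.204-21."

# Terms worth flagging and what each one implies for the bidder.
INDICATORS = {
    "52.204-21": "FAR basic safeguarding (FCI): CMMC Level 1 territory",
    "252.204-7012": "DFARS safeguarding of covered defense information (CUI)",
    "252.204-7019": "DFARS NIST SP 800-171 assessment requirements",
    "252.204-7020": "DFARS NIST SP 800-171 assessment requirements",
    "252.204-7021": "DFARS CMMC clause: a CMMC level will be specified",
    "Controlled Unclassified Information": "CUI handling: expect Level 2",
    "CUI": "CUI handling: expect Level 2",
    "CMMC": "CMMC named explicitly",
}

# Matches phrases such as "CMMC Level 2 (C3PAO)" or "CMMC Level 1"; the assessment type is optional.
LEVEL_RE = re.compile(r"\bCMMC\s+Level\s+(\d)(?:\s*\((Self|C3PAO)\))?", re.IGNORECASE)


def find_indicators(text):
    """Return {term: meaning} for every indicator present as a whole word or phrase."""
    found = {}
    for term, meaning in INDICATORS.items():
        # Keep the bare acronym case-sensitive so it does not match ordinary words.
        flags = 0 if term == "CUI" else re.IGNORECASE
        if re.search(r"\b" + re.escape(term) + r"\b", text, flags):
            found[term] = meaning
    return found


def required_level(text):
    """Return (level, assessment) for the highest CMMC level the text names, or (None, None)."""
    best = (None, None)
    for m in LEVEL_RE.finditer(text):
        level = int(m.group(1))
        assessment = m.group(2).upper() if m.group(2) else None
        if best[0] is None or level > best[0]:
            best = (level, assessment)
    return best


def scan_solicitation(text):
    """Scan solicitation text and return the indicators found, the level named, and a verdict."""
    found = find_indicators(text)
    level, assessment = required_level(text)
    if level is not None:
        verdict = (f"CMMC Level {level}" + (f" ({assessment})" if assessment else "")
                   + " required: check your SPRS status before bidding")
    elif any(t in found for t in ("252.204-7012", "252.204-7021", "CUI",
                                  "Controlled Unclassified Information")):
        verdict = "CUI/CMMC clauses present but no level stated: ask the contracting officer before bidding"
    elif "52.204-21" in found:
        verdict = "FCI only: CMMC Level 1 self-assessment is the likely requirement"
    else:
        verdict = "No CMMC indicators found"
    return {"indicators": found, "level": level, "assessment": assessment, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SOLICITATION), ("roof job", NO_CMMC_SOLICITATION)):
        result = scan_solicitation(text)
        print(f"{name}: {result['verdict']}")
        for term, meaning in result["indicators"].items():
            print(f"  {term}: {meaning}")
```

Run it against the text of your own solicitation by passing that text to scan_solicitation. A hit on 7012 or CUI with no stated level is the case to escalate to the contracting officer, since 7012 alone does not tell you which CMMC status you will need at award.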
Do not expect a public registry of which contracts require which level; the level lives in the solicitation itself. The Cyber AB Marketplace (https://cyberab.org) is a directory of authorized C3PAOs and registered practitioners, which is where you go when you need an assessor, not a place to look up a contract.
What Happens If You Bid Without It
Automatic disqualification. The required CMMC status has to be recorded in SPRS by the time of award, and the contracting officer cannot waive it for an individual bidder. Waivers exist, but they are program-level decisions DoD makes before a solicitation goes out, not something you can ask for after you bid. You do not get to explain. Your bid goes in the trash.
This is different from most other requirements where you might get a phone call asking for a missing document. CMMC status either exists in SPRS or it does not. The government checks before awards are made and often before best-and-final offers are requested.
Worse, if you represent in your bid that you meet CMMC requirements and you do not, that is a False Claims Act issue. Contractors have faced serious legal exposure for misrepresenting their compliance status on federal bids.
Level 1 vs Level 2: What You Actually Need to Do
If your contracts only require Level 1, you self-assess annually against the 15 FAR 52.204-21 requirements and record the result in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil, together with an affirmation from a senior company official that you meet them. All 15 have to be met; there is no plan-of-action option at Level 1. No third party required.
If your contracts require Level 2, the process is more involved:
- Get a NIST SP 800-171 gap assessment done, internally or with a consultant, to see which of the 110 requirements you do not yet meet
- Build a System Security Plan (SSP) documenting how you protect CUI; assessors work from the SSP, and an assessment cannot start without one
- Create a Plan of Action and Milestones (POA&M) for anything you have not yet fixed. Under the CMMC rule only some requirements may remain open at assessment time, the result is a conditional status, and open items must be closed within 180 days or the status lapses
- For Level 2 (Self), record your self-assessment and affirmation in SPRS; for Level 2 (C3PAO), hire a C3PAO to conduct the formal assessment
- The C3PAO records the result in DoD's CMMC eMASS system, where it feeds SPRS; you then submit your affirmation in SPRS so contracting officers can see your status
Level 2 certification takes most small businesses anywhere from 3 to 12 months depending on how far they are from the baseline. It costs money. Budget for it before you pursue DoD work that requires it.
How to Know If a Contract Requires It Before You Bid
If you track federal construction opportunities through RenovationRoute, contracts that contain CMMC language get flagged on the opportunity card. That is your signal to stop and check your certification status before spending time building a number. It is not a product feature so much as a shortcut — instead of searching a 60-page PDF for DFARS 252.204-7012, you see the flag and know immediately.
From there, getting certified is a separate process entirely and it takes time. Do not wait until you find a contract you want. Start that process before you need it.
Getting Certified: Where to Start
If you are new to CMMC and need help figuring out where you stand, get a gap assessment done first. It will tell you exactly where you are relative to the level required and what it will take to close the gap. This is worth doing before you pursue any DoD work that requires certification.
MSTechAlpine specializes in helping construction and defense contractors through the CMMC process. They can assess your current posture, help you build your System Security Plan, and guide you through the C3PAO assessment. If DoD construction work is part of your plan, they are the right starting point.
The Short Version
Most construction contractors do not need CMMC right now. But if you want to bid on DoD facility work, secure construction projects, or any contract involving sensitive technical data, you need to know this framework exists and understand which level applies before you start building numbers. Bidding without the required certification is not just a wasted effort. On the wrong contract, it is a legal problem.
Read the solicitation. Search for CMMC and CUI. Know your level. If you need Level 2, start the process early because it takes longer than you think.