Free SAM.gov just hands you the PDF. We read it for you and flag the bid traps, the incumbent, and what they got paid. Take a look. »

· Updated Jun 14, 2026 · Federal Contracting  · 7 min read

What Is CMMC? A Plain-English Guide for Construction Contractors

CMMC is a DoD cybersecurity certification that can disqualify you from federal construction bids before you even submit a number. Here is what it is, which contracts require it, and what happens if you ignore it.

CMMC is a DoD cybersecurity certification that can disqualify you from federal construction bids before you even submit a number. Here is what it is, which contracts require it, and what happens if you ignore it.

Most construction contractors have never heard of CMMC. That isn’t surprising. The requirement came out of the defense world and it sounds like an IT problem, not a construction problem. But if you bid on Department of Defense construction work and the contract involves certain types of information, CMMC is your problem too. Get caught without it and your bid gets thrown out automatically. No call. No second chance.

This post explains what CMMC is, which construction contracts require it, and what you actually need to do about it.

2026 Update: The Rollout Is No Longer Theoretical

For years CMMC was a proposed rule that contractors could safely ignore. That window is closed. The Department of Defense’s CMMC final rule took effect on November 10, 2025, and the requirement is now being phased into real contracts over three years:

  • Phase 1 (began November 10, 2025): Solicitations can require Level 1 or Level 2 self-assessments, documented in SPRS.
  • Phase 2 (2026): Level 2 third-party certification from a C3PAO starts becoming mandatory on applicable contracts, not just a self-attestation.
  • Phase 3 (2027): Level 3 requirements appear for the most sensitive programs.
  • Phase 4 (full implementation, November 10, 2028): CMMC clauses on all applicable DoD solicitations.

What this means for you right now, in 2026: if you bid DoD construction work that touches Controlled Unclassified Information, a self-attestation may no longer be enough. The contract can require a completed third-party assessment before award. Level 2 certification takes most small businesses 3 to 12 months, so the contractors who start the process now are the ones who will still be eligible when Phase 2 clauses land on the solicitations they want.

What CMMC Stands For

CMMC stands for Cybersecurity Maturity Model Certification. The Department of Defense created it because contractors kept getting hacked. Sensitive defense information was sitting on contractor laptops, shared drives, and email inboxes with no real protection. The DoD built CMMC to set minimum cybersecurity standards for any company that handles that information.

It isn’t a suggestion. It’s a contract requirement. If a solicitation says CMMC Level 2 is required, you need proof of certification before your bid is even considered.

The Three Levels

The CMMC framework has three levels. Each one requires more from you.

Level 1: Foundational

This is the baseline. It covers 17 basic cybersecurity practices pulled from the Federal Acquisition Regulation. Things like using antivirus software, limiting who has access to sensitive files, and changing default passwords. Most small businesses already do most of this without thinking about it. Level 1 applies to contractors who handle Federal Contract Information (FCI), which is basic information created for or by the government under a contract.

Level 2: Advanced

This is where most DoD construction contractors run into trouble. Level 2 requires 110 practices based on NIST Special Publication 800-171. It covers how you store, transmit, and protect Controlled Unclassified Information (CUI). CUI includes things like building plans for military installations, technical specifications for secure facilities, and personnel or access data related to government property.

Level 2 also requires a third-party assessment. You can’t self-certify at this level. A CMMC Third-Party Assessment Organization (C3PAO) has to come in, review your systems, and issue the certification.

Level 3: Expert

This level is for contractors working on the most sensitive DoD programs. It requires everything in Level 2 plus additional practices designed to counter advanced persistent threats. Most construction contractors will never encounter a contract requiring Level 3. If you do, you’ll know it because the solicitation will be explicit about it.

Which Construction Contracts Require CMMC

Here is the honest answer: most federal construction contracts don’t require CMMC. Routine maintenance, renovation work on non-sensitive facilities, and general construction at non-DoD sites typically don’t involve CUI and don’t trigger CMMC requirements.

The ones that do include:

  • Construction at military bases or secure DoD facilities
  • Projects involving design documents for sensitive installations (secure communications rooms, SCIFs, bunkers, weapons storage)
  • Contracts where you receive technical data or drawings that are marked as controlled
  • Any contract where the solicitation specifically lists a CMMC level in the requirements

The key is reading the solicitation. If a SAM.gov opportunity involves DoD and the Statement of Work mentions sensitive facility improvements, infrastructure that touches classified systems, or any requirement to handle protected technical data, read the full solicitation for CMMC language. Look for the clause DFARS 252.204-7012 and any CMMC level specified in Section L or M. (See also our breakdown of DFARS 252.204-7021 and SPRS scores, the related self-assessment requirement that runs in parallel with CMMC, and our walkthrough of how to read a federal solicitation if Section L/M is unfamiliar territory.)

How to Tell If a Solicitation Requires CMMC

Pull up the solicitation and search the document for these terms:

  • “CMMC”
  • “252.204-7012”
  • “Controlled Unclassified Information”
  • “CUI”

If none of those appear and it’s a simple construction project on a non-sensitive site, you’re probably fine. If they appear, you need to know your current CMMC level before you spend time building a bid.

Also check the CMMC Marketplace at https://cyberabb.cms.gov to see if the contracting officer has registered the contract with a required level. This is a public database.

What Happens If You Bid Without It

Automatic disqualification. There’s no appeal process for missing a required certification. The contracting officer can’t waive it. You don’t get to explain. Your bid goes in the trash.

This is different from most other requirements where you might get a phone call asking for a missing document. CMMC compliance either exists or it doesn’t. The government checks before awards are made and often before best-and-final offers are requested.

Worse, if you represent in your bid that you meet CMMC requirements and you don’t, that’s a False Claims Act issue. Contractors have faced serious legal exposure for misrepresenting their compliance status on federal bids.

Level 1 vs Level 2: What You Actually Need to Do

If your contracts only require Level 1, you can self-attest annually through the Supplier Performance Risk System (SPRS). Go to https://www.sprs.csd.disa.mil, document your 17 practices, and submit your score. No third party required.

If your contracts require Level 2, the process is more involved:

  1. Get a NIST 800-171 assessment done — either internally or with a consultant — to see where your gaps are
  2. Build a System Security Plan (SSP) documenting how you protect CUI
  3. Create a Plan of Action and Milestones (POAM) for anything you haven’t yet fixed
  4. Hire a C3PAO to conduct your formal assessment
  5. Receive your certification and upload it to SPRS

Level 2 certification takes most small businesses anywhere from 3 to 12 months depending on how far they’re from the baseline. It costs money. Budget for it before you pursue DoD work that requires it.

How to Know If a Contract Requires It Before You Bid

If you track federal construction opportunities through RenovationRoute, contracts that contain CMMC language get flagged on the opportunity card. That’s your signal to stop and check your certification status before spending time building a number. It isn’t a product feature so much as a shortcut — instead of searching a 60-page PDF for DFARS 252.204-7012, you see the flag and know immediately.

From there, getting certified is a separate process entirely and it takes time. Don’t wait until you find a contract you want. Start that process before you need it.

Getting Certified: Where to Start

If you’re new to CMMC and need help figuring out where you stand, get a gap assessment done first. It will tell you exactly where you’re relative to the level required and what it will take to close the gap. This is worth doing before you pursue any DoD work that requires certification.

MSTechAlpine specializes in helping construction and defense contractors through the CMMC process. They can assess your current posture, help you build your System Security Plan, and guide you through the C3PAO assessment. If DoD construction work is part of your plan, they’re the right starting point.

The Short Version

Most construction contractors don’t need CMMC right now. But if you want to bid on DoD facility work, secure construction projects, or any contract involving sensitive technical data, you need to know this framework exists and understand which level applies before you start building numbers. Bidding without the required certification isn’t just a wasted effort. On the wrong contract, it’s a legal problem.

Read the solicitation. Search for CMMC and CUI. Know your level. If you need Level 2, start the process early because it takes longer than you think.

Back to Blog

Related Posts

View All Posts »