The clock is ticking

May 04, 2025


Government contractors must act now to secure CMMC compliance – or risk losing valuable federal contracts.

For government contractors in the architecture, engineering, and construction industry, cybersecurity compliance is no longer an option; it’s a requirement. The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is set to take effect on October 1, 2025, and failing to meet its standards could mean losing valuable federal contracts.

If your firm handles Controlled Unclassified Information (CUI) as part of government projects, compliance with CMMC 2.0 Level 2 and NIST 800-171 is mandatory. With the deadline fast approaching, now is the time to assess your cybersecurity posture and take the necessary steps to ensure compliance. Waiting until the last minute will put you at risk.

What is CMMC 2.0 and why does it matter? CMMC 2.0 is the DoD’s response to growing cybersecurity threats, designed to protect sensitive government data across the defense industrial base. This updated framework simplifies compliance by consolidating security requirements into three levels, with Level 2 aligning directly with NIST 800-171, a set of security controls that all contractors handling CUI must follow.

For AEC firms working on federal contracts, achieving compliance means more than just meeting regulations; it’s about safeguarding your business, protecting sensitive project data, and maintaining your eligibility to bid on government work.

The role of the SPRS score in compliance. A crucial component of meeting CMMC 2.0 and NIST 800-171 standards is your Supplier Performance Risk System (SPRS) score. The SPRS score is a numerical representation of your organization’s adherence to NIST 800-171 controls. Before pursuing DoD contracts, contractors must submit their SPRS score, which the government uses to evaluate cybersecurity readiness.

  • Higher scores provide a competitive advantage. A strong SPRS score demonstrates your commitment to cybersecurity and makes your firm a more attractive partner for government projects.
  • Low scores can jeopardize contract eligibility. A poor SPRS score can disqualify your business from contract awards, even before CMMC 2.0 is fully implemented.
  • Regular updates are required. Firms must reassess and update their SPRS score as they implement security improvements, ensuring continuous compliance.

The risks of non-compliance. The consequences of failing to meet CMMC 2.0 standards are severe:

  • Lost contracts. If you’re not compliant, you may be disqualified from bidding on federal projects.
  • Financial impact. Remediation costs can skyrocket if you wait until the last minute to address gaps.
  • Reputation damage. A data breach or non-compliance finding can erode trust with government agencies and partners.

Why you need to act now. Many firms mistakenly believe they can wait to start their compliance journey. However, achieving CMMC 2.0 compliance is a multi-step process that takes time. Here’s why early action is crucial:

  • Assessments and remediation take time. Conducting a gap analysis, addressing deficiencies, and implementing new security controls can take six to 12 months or more.
  • Third-party certification will be required. Unlike previous self-attestation models, CMMC Level 2 requires an independent third-party assessment. Certification bodies will be in high demand as the deadline nears.
  • Federal contracts may require compliance before the deadline. Some contracts may start including CMMC requirements before October 2025, so waiting could mean missing out on lucrative opportunities.

What steps should you take today? You can start today by:

  • Conducting a readiness assessment. Identify gaps between your current cybersecurity posture and CMMC 2.0/NIST 800-171 requirements. Then, develop a plan of action and milestones (POAM) to address deficiencies.
  • Strengthening your security controls. Implement multi-factor authentication, endpoint detection and response, and zero trust architecture. Secure your network with continuous monitoring and managed detection and response.
  • Developing and maintaining compliance documentation. Create or update your system security plan; establish incident response and data protection policies; and ensure your SPRS score reflects your latest compliance efforts.
  • Training your team. Conduct cybersecurity awareness training to ensure employees understand their role in protecting sensitive information, and implement phishing simulations and security workshops to reinforce best practices.
  • Engaging with compliance experts. If you’re unsure where to start, working with specialists who understand government contracting cybersecurity requirements can help streamline your path to compliance.

Next steps. The October 1, 2025 deadline is closer than you think. Firms that take action now will not only secure their compliance but will also gain a competitive edge in government contracting.

If you’re uncertain about your firm’s cybersecurity standing or need guidance on the next steps, schedule a CMMC/NIST readiness assessment today. Our team specializes in helping AEC firms navigate cybersecurity mandates and can provide the support you need to meet compliance with confidence.

Secure your contracts. Protect your business. Act now. Contact SN to learn more and take our brief quiz to assess your CMMC readiness.

Phil Keeney is managing director of Technology at Stambaugh Ness.

About Zweig Group

Zweig Group, a four-time Inc. 500/5000 honoree, is the premier authority in AEC management consulting, the go-to source for industry research, and the leading provider of customized learning and training. Zweig Group specializes in four core consulting areas: Talent, Performance, Growth, and Transition, including innovative solutions in mergers and acquisitions, strategic planning, financial management, ownership transition, executive search, business development, valuation, and more. Zweig Group exists to help AEC firms succeed in a competitive marketplace. The firm has offices in Dallas and Fayetteville, Arkansas.