Construction companies are highly vulnerable to cyberthreats because of the mobile nature of their operations. And the risk of a breach goes far beyond disclosure of confidential financial information or competitive intelligence.
Hacking a construction business could also raise serious concerns about potential personal injuries and property damage. Imagine the harm a hacker could cause by altering plans or specifications, interfering with a building’s security or safety systems, or tampering with vehicles or equipment such as a drone. One entity that’s well aware of these dangers: the federal government.
The CMMC program
Recently, the U.S. Department of Defense (DoD) updated its Cybersecurity Maturity Model Certification (CMMC) program. Construction companies and other entities that contract with the DoD will soon be required to comply with it.
The CMMC program requires defense contractors to comply with strict standards, practices and processes for the protection of sensitive government information. It also requires contractors to obtain a certification from a CMMC third-party assessor organization.
A comprehensive description and discussion of the CMMC program is beyond the scope of this article. Generally, it incorporates a tiered model under which cybersecurity standards become progressively more advanced, depending on the type and sensitivity of the information entrusted to a defense contractor.
The exact timeline for implementation of the CMMC program is uncertain, but the DoD expects its requirements to begin appearing in solicitations for government contracts by the middle of 2023.
A cybersecurity assessment
Construction companies that plan to bid on DoD contracts should conduct a cybersecurity assessment as soon as possible to identify the steps they’ll need to take to comply with CMMC requirements. For more information on the program, you can visit dodcio.defense.gov/CMMC/.
However, even if your construction business doesn’t plan to get involved with DoD projects, it’s a good idea to conduct a cybersecurity assessment to evaluate the vulnerability of your systems. Take inventory of your hardware and software, as well as the mobile devices used by employees and other parties. Identify potential vulnerabilities such as:
- Outdated software,
- Lack of encryption, and
- Poor or nonexistent password protection.
Such an assessment should help you implement controls and other safeguards to reduce the risk of a data breach. It can also help you develop an incident response plan to mitigate the damage in the event a breach occurs.
DoD contracts can be a substantial revenue source for construction companies with the resources and skilled labor to win a bid. Just be prepared for the intensive rules that accompany public projects, which now include tighter cybersecurity.