According to AGC News, the Associated General Contractors of America has launched a dedicated resource page and is hosting a Demo Day on May 21, 2026 to help construction contractors navigate the Department of Defense’s Cybersecurity Maturity Model Certification, known as CMMC, requirement. The announcement signals that federal cyber compliance is no longer a distant concern for contractors working on government projects. It’s an active obligation with real consequences for companies that aren’t prepared.
Background
The Department of Defense has been building toward mandatory CMMC compliance for several years. The framework requires contractors and subcontractors handling federal contract information or controlled unclassified information to meet specific cybersecurity standards, verified through a formal certification process. The requirements are tiered, with Level 1 covering basic cyber hygiene and Level 3 demanding more rigorous third-party assessments.
For the construction industry, this is relatively new territory. Defense-related construction contracts, including work on military bases, federal infrastructure, and other DoD-funded projects, fall squarely within scope. That pulls in general contractors and, critically, a wide range of specialty subcontractors who may have little to no experience with federal cybersecurity regulations.
According to AGC News, the association’s new resource page and upcoming Demo Day are designed specifically to help contractors understand what CMMC compliance involves and what steps they need to take. The full details of the resource content are behind a member login, but the association is clearly treating this as a priority advocacy and education issue for its members.
Analysis
The construction industry has historically lagged behind other defense contracting sectors, such as aerospace and defense manufacturing, when it comes to cybersecurity infrastructure. Most general contractors and subcontractors don’t have dedicated IT security staff, and many still rely on basic commercial tools like shared email accounts and unmanaged devices on jobsites. CMMC is going to force a hard look at those practices.
The tiered structure of CMMC matters here. Level 1 compliance, which applies to contractors handling only federal contract information, is achievable with basic practices and a self-assessment. But Level 2, which covers controlled unclassified information and requires a third-party assessment for most contractors, is a much heavier lift. Companies that aren’t already investing in documented security practices, access controls, and incident response plans are going to face real costs to get there.
The subcontractor dimension is where this gets complicated for the construction sector. A prime contractor on a DoD project is responsible for ensuring its subcontractors also meet the relevant CMMC requirements. That creates a flow-down obligation. If a mechanical subcontractor or a site services firm doesn’t have its CMMC certification in order, it could become ineligible to work on certain federal projects. Primes may start adding CMMC compliance as a prequalification requirement, the same way they require safety records or bonding capacity today.
The timing of AGC’s outreach also suggests the industry is behind schedule. With CMMC requirements now embedded in the Defense Federal Acquisition Regulation Supplement and expected to appear in new contracts, the window to prepare is closing. Companies that wait for a contract award to start thinking about compliance are going to face expensive, rushed remediation, and potentially lose bids to competitors who got ahead of it.
AGC hosting a Demo Day on May 21 indicates there’s likely a vendor or technology component to the event, which is worth monitoring. The CMMC compliance market has attracted a growing number of managed service providers and consultants who specialize in helping small and mid-sized contractors achieve certification. Quality and cost vary widely, and subcontractors should approach vendor selection carefully.
What It Means for Subcontractors
-
Know your contract scope. If you perform work on DoD projects, including military base construction, federal facilities, or any project funded through defense appropriations, you likely have CMMC obligations. Review your existing contracts for cybersecurity language.
-
Don’t assume Level 1 is all you need. If you handle any controlled unclassified information, such as design documents, specifications, or operational data tied to defense assets, you may be subject to Level 2 requirements, which include third-party certification.
-
Expect flow-down requirements from primes. General contractors are going to start requiring CMMC compliance as a prequalification condition. Getting certified before it’s demanded puts you in a stronger bid position.
-
Attend AGC’s Demo Day on May 21. Even if you’re not an AGC member, this event is worth tracking. The resources being assembled will reflect what the industry’s largest association thinks is a practical compliance path for construction firms.
-
Start with a gap assessment. Before spending money on new tools or consultants, document your current cybersecurity practices against the CMMC Level 1 and Level 2 requirements. Knowing where you stand is the first step to building a realistic compliance timeline.
-
Budget for it now. CMMC compliance has real costs, including potential third-party assessments, software upgrades, and staff training. Companies that treat this as a line item in their 2026 or 2027 budget will be better positioned than those who absorb it as an emergency expense.
