Both FedRAMP (Federal Risk and Authorization Management Program) and CMMC (Cybersecurity Maturity Model Certification) will be a big consideration for federal contractors in the year ahead. Let’s break down what this means for your construction business.
FedRAMP provides a standardized approach to security authorizations for cloud service offerings. It was established back in 2011 and then in December 2022, the FedRamp Authorization Act was signed as part of the FY23 National Defense Authorization Act, which codifies the program as the authorities standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. The objectives are clear: reduce duplicative efforts, promote innovation, create transparency, and ensure it is all secure.
The CMMC program launched by the U.S. DoD (Dept. of Defense) back in 2017 to verify contractors implemented the required security measures necessary to safeguard federal contract information and control unclassified information. In October 2024, the final program rule for the CMMC Program was released for public inspection on federalregister.gov and was published, which we have covered here on the blog as one of the top trends to watch for 2025.
I recently had a candid private conversation with Ty Witmer, president and founder, ProjectTeam. He says there have been rules in place for contractors working with the federal government to protect sensitive government data—and often it hasn’t been enforced, but that enforcement starts now.
Companies that do not comply could find themselves out of a job and facing penalties if working for the U.S. DoD. “The enforcement of this is a very big deal. There is reputational damage. There are even criminal consequences of violation of that,” says Witmer.
Another piece to all of this is the requirements for prime contractors, which are responsible not only for their own compliance, but also for the compliance of subcontractors.
“There are currently 245,000 organizations that are going to have to become CMMC compliant and a large percentage of them are working in the construction sector for the Army Corp of Engineers and some of these other initiatives and they need to be making plans pretty rapidly.”
How to Comply
In my conversation with Witmer, we talked about his history in the construction-technology space. For a long time, he served at a large reseller for Meridian Systems and worked with some of the world’s largest construction companies. He explained to me how he learned many of the intricacies from that phase of his career. Then, in 2014, he took information from a large audience. He personally met with 3,000 organizations and heard common themes.
“Everybody is looking for a system that they can use for their own purposes to meet their own business requirement, but that needs to be able to connect to everybody else on a project,” he explains. “Eliminating the duplication of effort is the major challenge.”
He spent much of 2014 exploring a solution to the problem. In 2015, his company, ProjectTeam, went into full-scale production, maintaining a low profile. In 2020, the company eagerly came to the market with the official launch of its product.
Speaking very candid with me, Witmer remarks, other technology companies initially did not really seem to care about CMMC, but now they realize the preponderance of their customers have an enormous dependency on DoD contracts.
We also took our private conversation public and recently had a discussion on The Peggy Smedley Show about what percentage are working toward compliance today, advice for organizations working on government projects, and what needs to happen in order to be compliant: people, processes, or technology.
Check out ProjectTeam’s webinar on CMMC/FedRAMP.
Want to tweet about this article? Use hashtags #construction #IoT #sustainability #AI #5G #cloud #edge #futureofwork #infrastructure #FedRAMP #CMMC