If you’re a general contractor working in the Defense Industrial Base, CMMC isn’t just another compliance requirement.
It’s a direct challenge to how your business operates.
Most guidance around CMMC assumes a company controls its own environment. Its own systems. Its own people.
That’s not how construction works.
The Real Problem: You Don’t Do Most of the Work
In most projects, the GC wins the contract.
But the actual work? That’s performed by subcontractors.
- Electrical
- Plumbing
- Mechanical
- Engineering
- Fabrication
You’re coordinating. Managing. Overseeing.
Not executing.
And more importantly, not controlling the environments where work actually happens.
Your “Preferred Subs” Model Becomes a Constraint
Most GCs don’t build teams from scratch.
They rely on a tight bench of trusted subcontractors. Often the same 1–2 firms per discipline across multiple projects.
That model works for quality, speed, and predictability.
It does not translate cleanly to CMMC.
Because now the question isn’t just:
- Can they do the work?
It’s:
- Can they handle CUI in a compliant way?
- Do they have NIST SP 800-171 implemented?
- Can they pass a CMMC Level 2 assessment if required?
And this is where friction starts.
This Doesn’t Show Up at Assessment Time
Most organizations think about CMMC when they’re preparing for an assessment.
That’s already too late for this problem.
By that point:
- Your subcontractor relationships are set
- Your bid strategy is locked
- Your delivery model is defined
You’re not making structural changes at that stage. You’re trying to validate what already exists.
For general contractors, the real risk isn’t failing an assessment.
It’s entering a contract with a supply chain that was never capable of meeting the requirement.
The Planning Phase Is Where This Is Won or Lost
Before you bid. Before you commit. Before you scope your own environment.
You need to understand:
- Where will CUI exist in this project?
- Which subcontractors will touch it?
- How will it move between parties?
And most importantly:
- Can your existing subcontractors operate within that model?
Because if they can’t, your options narrow quickly:
- Push them to mature (time, cost, uncertainty)
- Limit their exposure to CUI (architectural constraints)
- Replace them (relationship and performance risk)
None of those are decisions you want to make mid-project.
A Quiet Reality Most GCs Haven’t Faced Yet
Many subcontractors will not pursue CMMC.
Not because they don’t care, but because:
- The cost doesn’t align with their business
- The requirement isn’t consistent across their work
- Or they simply don’t see themselves as part of the DIB
That creates a bottleneck.
If your business depends on a small, trusted group of subs, and those subs are not positioned for CMMC, your ability to pursue certain contracts becomes constrained.
Not by your own readiness, but by theirs.
This Is Not Just a Compliance Exercise
For general contractors, CMMC is not just about securing your environment.
It’s about understanding whether your delivery model supports compliant execution of the work.
That’s a planning conversation, not an assessment activity.
Where to Start
You don’t need to solve everything upfront.
But you do need to start asking better questions early:
- Which of our projects will involve CUI?
- Which subcontractors would be in scope?
- What is their current cybersecurity posture?
- Where are the gaps that could impact delivery?
From there, you can make informed decisions before they become constraints.
CMMC is a journey. For general contractors, it’s one that reaches beyond your own systems and into every layer of your project execution.
It’s not something you want to navigate late, and it’s not something you want to navigate alone.