No SPRS Score, No Contract: What Construction Contractors in the DMV Need to Know About CMMC

If you're a construction contractor working on federal projects in the DMV area, there's a compliance requirement that may already apply to your business, and most contractors in your situation haven't heard of it yet.
It's called CMMC. Cybersecurity Maturity Model Certification.
You might be thinking: that's for defense tech companies, not construction. And you'd be partially right. But here's where it gets relevant to you.
If you are a subcontractor on a federal project and you handle any information related to that contract (project schedules, contract correspondence, drawings, site plans, specs), that information is likely classified as Federal Contract Information (FCI). And FCI triggers CMMC Level 1 requirements.
That means you need to complete a self-assessment against 15 basic cybersecurity controls, submit your score to the DoD's Supplier Performance Risk System (SPRS), and have a senior company official affirm compliance annually.
And here's the part most subs don't know.
Your prime contractor is now legally required to verify your CMMC status before they can share FCI or CUI with you. They cannot pass you contract information if you don't have a current status in SPRS. Some primes in the DMV area are already requiring this, not because a contract clause says so, but because they're on the hook if their subcontractors aren't compliant.
That means your CMMC status could determine whether you stay on a project.
The three questions worth asking right now:
Does your prime contractor's contract include DFARS clause 252.204-7021? If yes, CMMC requirements flow down to you based on what information you handle.
Do you have an SPRS score? If you've never heard of SPRS, you don't have one. That's a problem for any new federal contract award.
Are you handling anything beyond basic project information? Site plans and specifications for sensitive federal facilities can push you into CUI territory, which means Level 2 and a much more involved process.
What CMMC Level 1 actually requires
Level 1 is 15 basic cybersecurity practices. Things like using antivirus software, controlling who has access to systems that store contract information, and having a process for reporting cyber incidents. It is a self-assessment; no third-party auditor is required at this stage. But it does need to be documented, submitted to SPRS, and signed off by a company executive.
Most small construction firms can get to Level 1 compliance with the right IT partner and a few weeks of focused work. The bigger risk is not knowing you need it until a prime contractor asks for your SPRS score before a project kickoff.
The timeline matters
Phase 1 of the CMMC rollout began November 10, 2025. CMMC requirements are now appearing in new DoD solicitations and contracts. Phase 2 begins November 10, 2026, when third-party assessments become required for contractors handling CUI.
If you are working on federal projects as a subcontractor in the DMV area and have not looked at CMMC yet, now is the right time to start. Not because a deadline is looming, but because your prime contractor may ask for your SPRS score before you expect it.
Phase 1 is live. If you don't have an SPRS score and you're working on federal projects, now is the time to find out what that means for your business.



