Why the construction industry needs to prioritize cybersecurity compliance

May 7, 2024
Picture of Scott Unruh

Scott Unruh

JE Dunn Security Systems Director

How CMMC, ISO 27001, and NIST CSF help protect against emerging cyber threats


CMMC: A requirement for defense contractors

CMMC stands for Cybersecurity Maturity Model Certification. It is a requirement for defense contractors and subcontractors that work with the Department of Defense (DoD). CMMC aims to ensure that the defense industrial base (DIB) has adequate cybersecurity controls and processes to protect sensitive information and systems from cyber threats.

CMMC is expected to be implemented by 2025. Therefore, commercial construction companies that work with the DoD or plan to do so in the future should be preparing for CMMC compliance as soon as possible. CMMC compliance will not only help protect your government clients from cyber threats; it will also give you a security program foundation for your business.

Example Timeline for CMMC Program Ruling and Enforcement:

For more information about CMMC, please visit the following reference links:

ISO 27001-2022: An international standard for information security management

ISO 27001 is an international standard for information security management. An information security management system (ISMS) is an approach to managing the confidentiality, integrity, and availability of information and systems that store, process, and transmit client data. ISO 27001 certification can benefit commercial construction companies through protection of information and systems from cyber threats, comply with legal and contractual obligations, enhance reputation and trustworthiness, and reduce risk to clients.

For more information on ISO 27001, please visit the following reference links:

NIST CSF: A voluntary framework for improving cybersecurity

NIST CSF 2.0 stands for National Institute of Standards and Technology CyberSecurity Framework. It is a voluntary framework for improving cybersecurity for critical infrastructure and other organizations. NIST CSF provides a set of guidelines and best practices for identifying, protecting, detecting, responding, and recovering from cyber threats.

NIST CSF can help commercial construction companies improve their cybersecurity posture and resilience. It can also help assess your current cybersecurity status, identify gaps and opportunities, prioritize actions and investments, communicate and collaborate with stakeholders, and measure and monitor progress and results. NIST CSF 2.0 guidelines also map to ISO and other Industry guidelines for streamlined review compared to other frameworks.

For more information about NIST CSF, please visit the following reference links:

Security Threat Trends for Commercial Construction

As the commercial construction industry becomes more digitalized and interconnected, it also becomes more vulnerable to cyberattacks. Cybercriminals are constantly evolving their tactics and techniques to exploit weaknesses in the commercial construction sector. Some of the security threat trends that affect the commercial construction industry are:

  • BMS/IACS hacking: Building management systems (BMS) and Industrial Automation & Control Systems (IACS) are systems that control and monitor various aspects of a building, such as heating, ventilation, air conditioning, lighting, security, fire, and safety. BMS/IACS are often connected to the internet or other networks, which makes them susceptible to hacking. Hackers can gain access to BMS and manipulate or sabotage the functions and operations of a building, causing physical damage, safety hazards, or operational disruptions. For example, in 2016, hackers breached the BMS of a hotel in Austria and locked the guests out of their rooms(Belton, 2017).
  • Payment fraud: Payment fraud is a type of fraud that involves stealing or diverting funds from legitimate transactions. Payment fraud can affect commercial construction companies in various ways, such as invoice fraud, payroll fraud, wire transfer fraud, or credit card fraud. There are numerous examples of successful fraud within our industry over the past several years(Sawyer & Rubenstone, 2019).
  • Ransomware: Ransomware is a type of malware that encrypts the data or systems of a victim and demands a ransom for the decryption key. Ransomware can cripple the operations and productivity of a commercial construction company, as well as compromise the confidentiality and integrity of the information and systems. For example, in 2020, a commercial construction company was hit by a ransomware attack that encrypted its systems(Korman, 2020).
  • InfraGard – Fraud Intelligence Partnership – InfraGard is a program operated by the FBI as a partnership with commercial organizations to exchange information and distribute alerts regarding fraud campaigns and cybersecurity threats (InfraGard Overview).

These are just some of the examples of the security threat trends that affect the commercial construction industry. To protect your organization and your clients, you should implement a comprehensive and layered cybersecurity strategy that aligns with regulations, client requirements, and industry best practices and standards, as discussed in this article.


Cybersecurity is a critical necessity for the commercial construction industry. As the industry faces increasing cyber threats, it also needs to comply with various cybersecurity standards and frameworks, such as CMMC, ISO 27001, and NIST CSF. These compliance initiatives can help commercial construction companies improve their cybersecurity posture and resilience. Additionally, commercial construction companies need to be aware of the security threat trends that affect their sector and take appropriate measures to prevent and mitigate them. By doing so, the construction industry can protect their information, systems, facilities, and reputation, from cyberattacks.


  • Belton, P. (2017, December 14). Lock out: The Austrian hotel that was hacked four times. BBC – Business News. Retrieved from https://www.bbc.com/news/business-42352326
  • Korman, R. (2020, February 6). Bouygues Construction Unit Gradually Recovering After Ransomware Attack. ENR. Retrieved from https://www.enr.com/articles/48637-bouygues-construction-unit-gradually-recovering-after-ransomware-attack
  • Sawyer, T., & Rubenstone, J. (2019, May 8). Construction Cybercrime Is On the Rise. ENR. Retrieved from https://www.enr.com/articles/46832-construction-cybercrime-is-on-the-rise