PKF O'Connor Davies Accountants and Advisors

CMMC Compliance in 2025: What A&E Firms Must Do to Win — and Keep — Federal Work

August 6, 2025

Key Takeaways

  • Cybersecurity Maturity Model Certification (CMMC) compliance is a requirement for Architecture and Engineering (A&E) firms bidding on Department of Defense (DoD) contracts.
  • CMMC readiness requires strong internal controls and supply chain oversight.
  • False CMMC claims can trigger penalties, disqualification and federal investigations.

Cybersecurity requirements are evolving fast across the federal landscape and Architecture and Engineering (A&E) firms need to take notice. While the Cybersecurity Maturity Model Certification (CMMC) framework became final in December 2024, it is expected to become mandatory in contracts as early as Q3 2025. In addition, agencies like NASA, GSA and others are laying the groundwork to make CMMC compliance a standard requirement across federal procurement.

Any A&E firm that supports projects where the Department of Defense is the ultimate customer is part of the Defense Industrial Base (DIB). CMMC compliance is no longer a technical checkbox; it’s a prerequisite to protect your ability to compete for and retain federal contracts in 2025 and beyond.

CMMC Levels Overview

CMMC consists of three distinct cybersecurity maturity levels that organizations must meet:

  • Level 1 – Foundational: Designed for contractors handling Federal Contract Information (FCI), this level calls for 15 foundational security practices. Companies must complete a self-assessment annually and formally affirm their compliance.
  • Level 2 – Advanced: Intended for organizations working with Controlled Unclassified Information (CUI), this level requires 110 security controls based on the NIST SP 800-171 framework. Contracts will indicate whether a firm needs third-party certification every three years or may conduct internal assessments on an annual basis.
  • Level 3 – Expert: This level applies to organizations managing high-value CUI. It draws on elements of the NIST SP 800-172 framework and requires a government-led assessment rather than a third-party evaluation.

Why CMMC Matters to A&E Firms

CMMC applies to every organization that processes FCI or CUI, no matter its size or contract volume. For smaller firms, the requirements can feel complicated, but taking a proactive approach helps ease that challenge. This is especially important if your firm:

  • Designs/assesses infrastructure related to military or defense efforts
  • Handles blueprints, schematics or project data that are sensitive
  • Works with subcontractors or consultants on defense projects

Being CMMC-ready not only safeguards your contracts but also strengthens your firm’s credibility and reduces operational risk – from legal exposure to being disqualified from competitive bids.

Consequences of Non-Compliance

Falling short of CMMC standards can lead to serious, real-world consequences. One small DoD contractor in the A&E space recently settled a $4.6 million case and was barred from new federal work for 12 months after falsely claiming compliance with NIST SP 800-171. The company reported having security controls that weren’t actually in place, including basics like multi-factor authentication and a system security plan. A whistleblower raised the concern, which set off a federal investigation under the False Claims Act (FCA).

This example illustrates that overstating cybersecurity readiness can bring serious repercussions, such as:

  • Ineligibility to bid on CUI-related contracts
  • Disqualification from DoD and other federal projects
  • Loss of certification if your firm cannot confirm or pass required reassessments

Making Cybersecurity Work for A&E Firms

  • Start with a Gap Check
    Take a close look at your systems through a CMMC gap analysis. You’ll quickly see which areas may not yet meet the standards.
  • Set Clear Policies
    Write cybersecurity policies that match your business needs and CMMC rules. Then train your staff on what’s expected.
  • Put Technical Controls in Place
    Use tools that manage access, secure files, enable encryption and monitor your systems.
  • Work with an Authorized Third-Party Assessment Organization (C3PAO)
    Level 2 certification requires an independent C3PAO authorized by the government. Note that advisors can’t certify your compliance.
  • Train Your Team
    Provide cybersecurity training tailored to each role so employees follow the right security steps when handling sensitive data.
  • Watch Your Supply Chain
    Review the CMMC status of subcontractors and vendors carefully. Weak links in your supply chain could cause compliance problems for your firm.

Beyond DoD: The Expanding Scope of CMMC

CMMC now reaches beyond the defense sector. The FAR CUI Rule introduces similar cybersecurity principles that will compel other agencies, together with A&E firms, to comply. Federal scrutiny of projects receiving government funding is expected to increase.

Final Takeaway

View CMMC not just as a compliance checklist — it’s a minimum requirement for doing business with federal clients. For A&E firms, that means cybersecurity must be treated with the same rigor as building codes and life-safety standards. Early adoption strengthens RFP responses, reduces project risk and positions your firm for long-term success as enforcement ramps up in 2025.

How We Can Help

PKF O’Connor Davies is both a Registered Provider Organization (RPO) and an accredited CMMC Third‑Party Assessment Organization (C3PAO). We offer A&E‑specific support designed around the tools, data flows and subcontractor structures common in the design and construction space:

  • Perform a focused gap assessment that maps CMMC controls to your CAD/BIM environments, field‑laptop fleet and project‑management platforms, delivering a clear remediation roadmap.
  • Draft and refine required documentation — System Security Plan (SSP), Policies & Procedures, and Plan of Action & Milestones (POA&M) — so they reflect the realities of multi‑disciplinary design teams and joint‑venture projects.
  • Provide technical hardening services, including Microsoft 365 tenant configuration, secure file‑sharing for large drawings and vendor risk scoring for key subcontractors.
  • Run a “mock audit” to prepare staff and collect evidence before your formal C3PAO assessment, reducing surprises on audit day.
  • Offer continuous‑compliance support — annual self‑affirmations, evidence maintenance, and control monitoring — so you remain compliant as projects and staff change.

For a deeper dive into our approach, see The Cybersecurity Maturity Model Certification Rule Has Been Published or contact our CMMC practice lead for a no‑cost readiness briefing.

Contact Us

If you have any questions, please contact your PKF O’Connor Davies client service team or:

Nick DeLena, CISSP, CISA, CRISC, CDPSE, CMMC-CCP
Partner
Cybersecurity and Privacy Advisory
ndelena@pkfod.com | 781.937.5191

Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
Cybersecurity and Privacy Advisory
tdemayo@pkfod.com | 646.449.6353