As state and federal agencies tighten cybersecurity regulations on projects, here’s how contractors and subs can comply.


The construction industry is increasingly embracing collaborative digital tools like BIM. While leveraging BIM brings many benefits, it also comes with unique challenges for contractors trying to land civil projects.

Federal and state cybersecurity regulations are evolving rapidly, forcing contractors to stay on top of compliance issues, according to panelists at the National Institute of Building Sciences’ Building Innovation conference in Washington, D.C., on Tuesday. The Department of Energy and Department of Transportation both updated their data policies this year, and California, Colorado, Connecticut, Utah and Virginia all have data privacy laws that will go into effect in 2023.

To stay compliant, contractors must understand relevant regulations and equip workers and subcontractors to comply — or risk losing civil jobs.

Contractors concerned about compliance

To help builders work through some of these challenges, NIBS recently launched the U.S. National Building Information Management Program, which aims to create a BIM standard throughout the entire life cycle of designing, constructing and operating in the built environment.

Many contractors that work on federal builds have expressed a lack of clarity about who is responsible for what aspects of compliance, panelists said. Getting subcontractors and other stakeholders to comply as well presents another challenge, according to panelist Rachel Riopel, digital practice leader at Omaha, Nebraska-based design firm HDR.

“One of the biggest concerns that I saw among companies that do a lot of federal work is that we’re spending an inordinate amount of money to achieve those requirements, but we’re also flowing that down to our subcontractors and our carpenters and expecting that they jump on board with us, or that they themselves elevate their practices and become compliant,” Riopel said. “Otherwise, we do not get the work.”

For example, prime contractors may be denied an award if a subcontractor does not meet the federal Cybersecurity Maturity Model Certification requirements, panelists said. CMMC is a system of compliance levels that helps the government determine whether an organization has the security infrastructure necessary to work with certain sensitive data, which the feds call Controlled Unclassified Information.

How to mitigate risk 

Respondents to a recent NIBS survey said their top security-related concerns in a BIM environment are fear of ransomware, hacks and loss of personal info and privacy. With the rise of new regulations and anxieties about privacy and security, it’s important to get everyone on the same page so some parties don’t use these fears as an excuse not to share information with others on a project, Riopel said.

Strategies contractors can use include:

  • Assess the capability of organizations to implement new security requirements, i.e. a gap analysis.
  • Compare the cost of implementation to the benefits of using new security requirements.
  • Identify how current security practices fail and determine what will make them most likely to succeed.
  • Remove ambiguity and clarify requirements for everyone involved in a project.
  • Leverage new federal funding opportunities to bolster security elements of a project.

While many of the new standards are helpful, panelist Nathan Wood, executive director of the Construction Progress Coalition, said there needs to be more research to refine and update them, as well as more training for industry members. Crafting secure cybersecurity standards for contractors is complex, according to Wood.

“Depending on the type of project, a Department of State project versus a Department of Transportation project, they have very different security requirements,” said Wood. “So how do you set up for builders so that they’ll be able to meet those (security) goals, but also are able to easily adapt to different scenarios?”


Author: Julie Strupp, Editor, Construction Dive, Dive Wire