Industry Solutions

CMMC Compliance for Architecture, Engineering, & Construction (AEC)

Architecture, Engineering & Construction (AEC)

AEC companies working with Department of War (DoW) contracts face a critical challenge: CMMC compliance without disrupting operations.

You’re dealing with sensitive data: drawings, specs, and International Traffic in Arms Regulations (ITAR)/Export Administration Regulations (EAR)-controlled info, across teams, subcontractors, and shared IT environments.

Top CMMC Pain Points for AEC Firms

Tool Compatibility

Run Autodesk, Revit, Bluebeam, Procure in a compliant environment.

Multiple CUI Types

Meet rules for Cyber Threat Intelligence (CTI), Operations Security (OPSEC), ITAR, EAR, and no non-U.S. access.

Subcontractor Isolation

Learn to keep trades like drywall and tile installers outside CMMC scope.

Enterprise Segmentation

Split off defense work from commercial operations and, if needed, global/shared IT.

Speed to Cert

Get compliant fast, without sacrificing accuracy.

Speak with an Expert

Our team of certified experts are ready to speak with you about your needs.

All-In

Move the entire org to a compliant environment.

Full migration to Microsoft Gov Cloud
Covers desktops, servers, logging
One system; no swivel seating
Includes licensing, setup, support

Ideal for: Firms scaling defense contracts or Fed-first

CUI Enclave

Segmented, secure workspace for small Controlled Unclassified Information (CUI) teams.

Microsoft Gov Cloud + virtual desktops
Runs full engineering suite
Connects to local plotters, printers
Fast to deploy, low overhead

Ideal for: Organizations with a small defense/federal practice

Frequently Asked Questions

How do we protect technical drawings and schematics classified as CUI?

Any file that contains export-controlled specs, design schematics, or technical data related to DoW contracts can be considered CUI. These files must be stored and shared only within CMMC-compliant environments like Government Community Cloud (GCC) High or Azure Government. Access should be limited to authorized personnel, often U.S. persons if ITAR applies. Encryption, access logging, and physical security measures (such as file vaulting for hard copies) are also required to demonstrate full compliance.

Are construction project files shared with primes considered in-scope for CMMC?

Yes. If you’re handling blueprints, material specs, or subcontracted engineering documents under a prime contract that involves CUI, those files fall within your CMMC scope. Even if the prime owns the original data, your role in storing, transmitting, or modifying the data means you must protect it to the same standard. Flow-down rules under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 apply whether you’re a general contractor or a subcontractor.

What are our cloud hosting options if we use large Building Information Modeling (BIM) models?

For companies managing BIM workflows that involve CUI, Microsoft GCC High or Azure Government are the most secure and compliant hosting environments. Commercial cloud platforms do not meet FedRAMP Moderate or ITAR compliance requirements. Summit 7 helps AEC firms migrate data and workflows, including BIM models and Computer-Aided Dispatch (CAD) files, into these compliant environments while ensuring performance and usability are preserved.

How does cross-cloud collaboration work for remote engineering teams?

Cross-cloud collaboration between GCC, GCC High, and commercial tenants is limited. Unified global address list sync is not supported across sovereign clouds, and certain Teams features like file co-authoring or external invites may not work as expected. Summit 7 supports secure collaboration using Business-to-Business (B2B) guest access and dynamic group membership, but strict governance is required to prevent compliance violations during cross-tenant sharing.

Can we use commercial cloud services like Dropbox or SharePoint Online?

Not if you’re storing or transmitting CUI. Commercial cloud platforms like Dropbox or standard Microsoft 365 do not meet FedRAMP Moderate or ITAR requirements. Contractors must use environments such as GCC High or AWS GovCloud, which are specifically authorized to handle CUI. Using non-compliant services, even briefly, can result in audit failure or a breach of contract with the DoW or prime contractors.

What’s the best way to isolate project teams handling DoW data?

The best approach is to create a separate enclave for CUI-handling teams. This enclave includes dedicated systems, user accounts, file repositories, and access policies. Rather than trying to retrofit compliance across your entire firm, isolating CUI users into a dedicated environment allows you to maintain operational efficiency while meeting all CMMC Level 2 requirements. Summit 7 specializes in this scoped enclave strategy.

Are contractors and subcontractors required to meet CMMC Level 2?

Yes, if they access CUI. All subcontractors must be CMMC Level 2 certified (or in the process) if they handle controlled data. This includes architecture firms, civil engineers, structural analysts, and others supporting federal construction projects. Many primes are already requiring CMMC certification as a prerequisite for teaming, even ahead of formal DoW enforcement.

How do we ensure FedRAMP compliance when subcontractors upload project files?

Subcontractors must only upload files through secure portals hosted in FedRAMP-authorized environments (like GCC High or Azure Government). You should avoid shared commercial platforms. Summit 7 recommends enforcing access control policies, maintaining a control responsibility matrix, and ensuring all file uploads are logged and monitored. Flow-down language in contracts must also hold subs accountable for their data handling practices.

Do physical security controls matter for temporary or mobile work trailers?

Yes. Physical environments used to process or store CUI, whether permanent or mobile, must meet National Institute of Standards and Technology (NIST) SP 800-171 physical protection controls. This includes badge access, locked storage for printed documents, surveillance, and visitor logs. A common failure point is treating construction trailers or field offices as out-of-scope, when in fact they must be assessed and secured like any other part of the enclave.

What role does Summit 7 play in designing enclaves for AEC firms?

Summit 7 designs right-sized compliance enclaves for AEC clients using tools like Microsoft GCC High, Azure Government, and partner-supported security stacks. We manage the entire compliance journey – from CUI scoping to migration, secure collaboration, device management, and pre-assessment readiness. Our goal is to keep your team productive while building a secure, audit-ready environment aligned with CMMC, ITAR, and FedRAMP requirements.

Featured Case Study

RIB U.S. Cost Gains CMMC Confidence with Summit 7’s Managed GRC, Commander

“The Commander team worked closely with my cybersecurity analysts to make sure we had the policies and procedures in place to meet CMMC requirements.”

– Suzanne Moltzen, CEO of RIB U.S. Cost

Read the Story

Testimonials

When I tell big-name defense contractors we’re working with Summit 7, there’s a sigh of relief. That’s a huge advantage.

Matt GustafsonPresident, Clinkenbeard

I have been working with these guys for years now! With lots of hard work and timely communication they made sure they delivered the best to me. Highly recommended!

John DoeCompany Name

When I tell big-name defense contractors we’re working with Summit 7, there’s a sigh of relief. That’s a huge advantage.

Matt GustafsonPresident, Clinkenbeard

When I tell big-name defense contractors we’re working with Summit 7, there’s a sigh of relief. That’s a huge advantage.

Matt GustafsonPresident, Clinkenbeard

Talk to an Expert

Our team of compliance and cybersecurity experts are on standby and ready to help.

Don't Know Where to Start?

Join the Team

Don't Know Where to Start?

Join the Team

CMMC Compliance for Architecture, Engineering, & Construction (AEC)

Choose Your Industry

Architecture, Engineering & Construction (AEC)

Top CMMC Pain Points for AEC Firms

Tool Compatibility

Multiple CUI Types

Subcontractor Isolation

Enterprise Segmentation

Speed to Cert

Speak with an Expert

CMMC Solutions for AEC

All-In

CUI Enclave

Frequently Asked Questions

RIB U.S. Cost Gains CMMC Confidence with Summit 7’s Managed GRC, Commander

Testimonials

Talk to an Expert