Risk Flows Downhill: How Cybersecurity Impacts Construction Contracts

By on Jun 8, 2026 in Commercial Construction, Commercial Real Estate, Cybersecurity, Regulatory Compliance Consulting

Cybersecurity rules have tightened across most industries over the last few years, and construction is feeling that pressure, too. The adjustment, however, has been harder here than in most sectors.

Construction has historically invested less in technology than any other major industry. Most industries spend roughly 3% to 5% of revenue on IT, while construction sits closer to 1% to 2%. Most of that gap sits at the bottom of the supply chain, with the small and medium firms that handle the day-to-day work on a project.

That gap is starting to matter. Across the commercial construction industry, there is a general tightening around cybersecurity, and it touches everyone.

Owners pay closer attention to it when evaluating general contractors. General contractors look at it when evaluating subcontractors. And the pressure flows downhill from there, landing hardest on specialty subcontractors, many of whom have handled IT informally.

The GC–Sub Relationship Is Built on Security Now

The handoff between a general contractor and a subcontractor used to be physical.

Drawings, schedules, and a punch list on the trailer desk. That has changed completely. Today, project management platforms, building information models, and other operational systems live in shared digital environments.

So, if a subcontractor is commissioning a building automation system or wiring access controls, they are doing more than installing equipment. They are touching systems that will sit on the owner's network the day the building opens, along with whatever accounts, remote-access tooling, and configuration choices were left behind during commissioning.

This changes the trust model. The general contractor now needs to know whether a subcontractor can be trusted with data and access on top of being good at their trade.

The Verizon 2025 Data Breach Investigations Report found that internal documents and login credentials are the most commonly stolen data in construction incidents, and that more than a third of breaches in the sector originate with a third party. When something goes wrong, it usually goes wrong somewhere in the supply chain.

General Contractors Bear Huge Responsibility

If you are a general contractor, a breach at one of your subcontractors can become your problem very quickly. Prime contracts increasingly hold the general contractor accountable for the security posture of everyone working under them. The logic is simple: you signed the prime, so you carry the liability. That is true on Department of Defense work, on federal civilian projects, and increasingly on large private builds.

To address this, you need to start asking specific questions when you are evaluating subcontractors during prequalification, and you need to understand the answers.

  • Do they enforce multifactor authentication on email and on the project systems they access?
  • Are they keeping project files separated from the rest of their network?
  • How do their field crews move files from job sites into the office, and through which accounts and devices?

When you can hold that conversation fluently, and tell a credible answer from a vague one, you can understand and manage your risk properly.

And while you are establishing those systems of due diligence, the other half of the job is equally important: making your own systems easy for subcontractors to use safely. If the project portal is painful to log into, drawings will end up moving through personal cloud accounts and email, and that exposure lands back on you.

Strong vendor security programs pair due diligence with infrastructure.

Subcontractors Must Carry Their Share

If you are a subcontractor working with a general contractor, you need to understand that the cybersecurity obligations fall on you as well. Many contracts now assign the cost of a breach, including any downstream impact on the owner, to whichever party's environment was the entry point.

If an attacker gets in through your side, the financial consequences can extend well beyond your own recovery costs.

The pressure also comes from the sheer volume and sensitivity of the data flowing from subcontractors to general contractors. Payment applications carry banking details. Certified payrolls carry employees’ personal information. Submittals often carry proprietary product information from manufacturers. All of it moves through systems the general contractor is being audited on.

The good news is that the fix for most subcontractors is about getting the fundamentals documented: how access is controlled inside the business, how devices are protected, and how the team would respond if something went wrong. Written policies in those three areas, matched by the practice they describe, will answer most of what comes up.

The U.S. Government Is Tightening the Belt

While the overall tightening of cybersecurity in construction is broad, the hardest push comes from the federal side.

CMMC, the Department of Defense's program, gets the most attention because it is tied to the largest pool of federal construction work, but it is far from the only requirement showing up. If you are any firm in the chain on a federal building or GSA project, you are inside some version of this regime, even if your scope is just HVAC or fire suppression.

The enforcement picture has also changed sharply. The DOJ's Civil Cyber-Fraud Initiative has produced a wave of False Claims Act settlements against contractors who misrepresented their security posture. If a contractor certified to the government that controls were in place when they were still in progress, that misstatement can now be pursued as fraud. The first action of its kind against a subcontractor came in late 2025.

How to Start Managing Your Responsibility

Every firm in this industry is still figuring out cybersecurity. The goal is to have a structure that moves in the right direction, with documentation that proves it to anyone who asks.

For general contractors, that means a real vendor risk process, contractual flow-downs that match what the prime is asking for, and shared systems that make secure collaboration the default. For subcontractors, it means starting with the basics: multifactor authentication on email and project systems, a clear policy on who has admin rights, regular backups that are tested by actually restoring from them, and a written plan for what happens if a laptop or phone is compromised.

The direction of travel is clear: industry expectations around cybersecurity and compliance are continuing to tighten. Contractors that put the right foundations in place early will be better positioned to meet customer requirements, compete for new work, and adapt as those expectations become more formalized.

The Midwest’s Construction Technology Partner

For over 20 years, the Astute Technology Management team has been working in close partnership with the AEC community throughout the region, providing them with the network support, cybersecurity protections, and technology leadership they need to stay ahead of the competition.

If you have any questions, feel free to contact us at 614 389 4102 or at [email protected]; our staff in both Columbus and Cincinnati is ready to help!