👤 AUDITWOLF
🗓️ 31 Jan 2026   🌍 North America

Granite’s Cybersecurity Sprint: Inside the Race to Beat Federal Compliance Deadlines

Subtitle: Ahead of a looming federal mandate, Granite’s marathon to CMMC Level 2 reveals why people - not just tech - are the real cybersecurity firewall.

On a brisk December morning in Watsonville, California, the halls of Granite Construction buzzed not with the rumble of machinery, but with the quiet intensity of a company that had just pulled off a rare cybersecurity feat. In an era when federal contracts come with ever-tightening digital locks, Granite announced it had clinched the coveted Cybersecurity Maturity Model Certification (CMMC) Level 2 - years before the Department of War’s (formerly DoD) critical deadline. But behind the headlines lies a story of shifting goalposts, internal pivots, and a revelation that the greatest vulnerability isn’t a line of code, but the people behind the screens.

The Road to Compliance: More Than a Checklist

For Malcolm Jack, Granite’s chief technology officer, the path to federal cybersecurity compliance wasn’t just a matter of ticking boxes. “It’s not a technology engagement - it’s about people,” Jack insists. Granite’s odyssey began as early as 2019, when the federal government first signaled a new era of cyber scrutiny for its contractors. What followed was a marathon of adapting to evolving requirements, enduring regulatory curveballs, and - most crucially - building a culture where security is everyone’s job.

The CMMC Level 2 standard is no small hurdle: it demands 110 discrete security practices, ballooning into over 300 individual controls. But Granite didn’t wait for perfection before testing their defenses. Instead, they adopted an iterative approach - implementing, testing, and retesting controls, often with external auditors or their own internal team. This relentless feedback loop was key to catching weaknesses before they could become liabilities.

Yet, as Jack points out, technology alone can’t save a company from a breach if employees aren’t trained to spot threats or handle sensitive data properly. Granite’s breakthrough came not from a flashy new firewall, but from forging a partnership between IT and their federal division - rolling out robust training and ensuring every staff member understood the stakes. “If they don’t know the rules, they won’t know where to put the information - or how to keep it safe,” Jack says.

The Real Deadline: Yesterday

With the Department of War holding firm on a 2026 compliance cutoff, the clock is ticking for thousands of contractors. Jack’s advice to laggards is blunt: “The best advice I could give you is to start two years ago.” While consultants promise quick fixes, he cautions that rushed compliance risks leaving staff unprepared - a recipe for disaster when federal data is on the line.

Conclusion: The Human Firewall

Granite’s success story is a warning shot for the industry: compliance isn’t just an IT sprint, but a company-wide relay. As the federal government locks down its digital frontiers, the winners won’t be those with the shiniest tech, but those who build the strongest human firewall. For Granite, the race to compliance was won not in the server room, but in the minds of its people.

WIKICROOK

  • CMMC: CMMC is a DoD framework that sets cybersecurity standards for defense contractors, ensuring protection of sensitive government information in the supply chain.
  • Controlled Unclassified Information (CUI): CUI is sensitive federal information that isn’t classified but must be protected and controlled according to government laws and policies.
  • DFARS: DFARS is a set of regulations for defense contractors, focusing on cybersecurity and data protection requirements for working with the U.S. Department of Defense.
  • Security Controls: Security controls are tools, processes, or policies - like firewalls or backups - used to protect computer systems and data from threats and attacks.
  • Iterative Testing: Iterative testing is a repeated process of evaluating and improving security, helping to catch vulnerabilities early and strengthen cybersecurity defenses.
