Malcolm Jack wants you to understand that when it comes to cybersecurity, people are just as important as technology.
Jack is the director of technology for Watsonville, Calif., contractor Granite, which announced an important technological milestone for government procurement in December: achieving Cybersecurity Maturity Model Certification (CMMC) Level 2.
The CMMC framework requires government contractors to certify that their cybersecurity practices meet federal government standards, and managing controlled unclassified information is essential, according to the announcement.
On October 31, 2026, all contracts with the Department of War, formerly the Department of Defense, will require the appropriate CMMC certification.
In a recent assessment, Granite achieved what it characterized as “an almost impossible perfect score,” successfully passing 110 security requirements and meeting all 320 assessment objectives.
Here, Jack discusses the adoption timeline, what contractors should know about the process, and how to get up to speed.
Editor’s Note: This interview has been edited for brevity and clarity.
Immersion in CONSTRUCTION: When did Granite start getting CMMC Level 2 certification?
MALCOLM JACK: We actually call it a two-year journey, but when I look back at some of my records, this is more of a five- or six-year journey.
We looked at CMMC in 2019, when the government first announced new regulations in the Defense Federal Acquisition Regulation Supplement that would require CMMC certification for federal contractors, of which we are one. We have a federal division [that has] been doing federal work for years.
It’s been an interesting evolution over the past five or six years to get us to where we are today, which included some pivots and curve balls thrown at us by the government.
They moved the target sites several times, even when CMMC certification was required to bid on federal work. But now, it looks like they’re actually sticking to their 2026 requirements.
How was the process to get certified?
It was a trip.
In CMMC Level 2, there are 110 things you need to have in place, so it actually boils down to about 300 more controls that you need to replace. It’s a great implementation. Don’t wait until you think you have everything ready to actually try it.
Instead, we’d put a few things in place and then go test them. We would bring in someone from the outside or work with our internal audit team to see if we could find any errors.
Passing these iterative tests of the controls soon after we implemented them, and then moving forward, is how we were able to continue to move forward and feel confident about what we had put in place.
How was this implementation for the company?

[Photo: Malcolm Jack. Permission granted by Granite Construction.]
You just found one of the most important parts of CMMC in general.
This is not a technological compromise. The reason we were successful in doing this is a close partnership with our federal division. It’s more about the people.
We may have the technology and tools in place, but it’s really the people who are dealing with the unclassified information being monitored on a daily basis.
If they don’t know the rules and regulations and protocols for safe handling, they won’t know where to put the information or how to put it. If they don’t understand how to interact with people and what you can and can’t share, you’re going to end up with a lot of problems.
While CMMC looks like a technology success, this is really a partnership success between the IT organization and our federal group, because both took on a large part of understanding and how we operate on a day-to-day basis. They put together training programs on how to use these systems that worked really, really well.
What I notice as I talk to my colleagues in the industry is that people are missing out. I’ve had colleagues come to me and say, “Hey, how do you implement technologies and solutions?” I can give you some advice about it. But really, how are you changing your staff and your workforce to understand how to operate within this new DFARS requirement?
What obstacles are there now for contractors?
People have asked me, “What do I do to get there?” And I say, “Well, the best advice I can give you is to start two years ago.”
Because, like I said, it was a two-year journey, but it was really a five-year journey for us, because we had to pivot over time and really get the experience and that partnership with our federal team. It took time to get there. So if I were to start right now, I would be very nervous.
I’m sure there is a way to play catch up. I’m sure there will be a number of companies and consultancies that will be happy to take a bunch of money to help you implement this very quickly.
But I would worry about that, because often when you’re putting something in place, you’re not actually taking the time to train your teams and your staff on what the requirements are.
