Malcolm Jack wants you to understand that when it comes to cybersecurity, people are just as important as technology.
Jack is the chief technology officer for Watsonville, California-based contractor Granite, which announced a significant tech milestone for government contracting in December: reaching Cybersecurity Maturity Model Certification Level 2.
The CMMC framework requires government contractors to certify their cybersecurity practices to meet the federal government’s standards, and it’s a must-have to handle controlled unclassified information, according to the announcement.
By Oct. 31, 2026, all contracts with the Department of War, formerly the Department of Defense, will require the appropriate CMMC certificate.
In a recent assessment, Granite achieved what it characterized as “an almost impossible perfect score,” successfully passing all 110 security requirements and meeting 320 assessment objectives.
Here, Jack discusses the timeline of adoption, what contractors should know about the process and how to play catch-up.
Editor’s note: This interview has been edited for brevity and clarity.
CONSTRUCTION DIVE: When did Granite start pursuing CMMC Level 2 certification?
MALCOLM JACK: We actually call it a two-year journey, but when I look back at some of my records, this is more of a five- or six-year journey.
We looked at CMMC back in 2019, when the government first announced the new Defense Federal Acquisition Regulation Supplement regulations that were going to require CMMC certification for federal contractors, of which we’re one. We have a federal division [that has] been doing federal work for years.
It’s been an interesting evolution over those five to six years to get us where we are today, which included some pivots and curveballs thrown at us by the government.
They moved the goal posts a number of times, as far as when you had to have CMMC certification in place for bidding on federal work. But now, it seems like they really are holding firm to their 2026 requirements.
What was the process to become certified like?
It was a journey.
In CMMC Level 2, there’s 110 things you have to have in place, so that actually flows down to about 300-plus controls you have to replace. It’s a large implementation. You don’t wait until you think you have everything ready to go to actually test it.
Instead, we would get a few things in place, and then go test it. We’d bring somebody in from the outside, or work with our internal audit team to see if we could find faults.
Going through that iterative testing on the controls shortly after we implemented them, and then moving forward, is how we were able to continue to make forward progress and feel confident about what we had put in place.
What was this implementation like for the company?
Malcolm Jack
Permission granted by Granite Construction
You’ve just hit on probably one of the biggest parts of CMMC in general.
This is not a technology engagement. The reason that we were successful in getting this done is tight partnership with our federal division. It’s more about the people.
We can have the technology and the tools in place, but really it’s the people who are dealing with the controlled unclassified information on a daily basis.
If they don’t know the rules and the regulations and the safe handling protocols, they won’t know where to put the information or how to put it there. If they don’t understand how to interact with people and what you can share and what you can’t share, then you’re going to end up in a lot of trouble.
While CMMC seems like a technology success, this is truly a partnership success between the IT organization and our federal group, because they both took on a big part of understanding it and how to operate on a daily basis. They put together the training programs on how to use these systems that worked really, really well.
What I’m noticing as I talk to my colleagues in the industry is that it’s the people who are missing. I’ve had colleagues come to me and say, “Hey, how do you implement the technologies and the solutions?” I can give you some advice on that. But really, how are you changing your staff and your workforce to understand how to operate within this new DFARS requirement?
What hurdles exist for contractors now?
People have asked me, “What do I do to get there?” And I say, “Well, the best advice I could give you is to start two years ago.”
Because, like I said, it was a two-year journey, but really it was a five-year journey for us, because we had to pivot over time and really get the experience and that partnership with our federal team. It took time to get there. So if I was starting right now, I’d be very nervous.
I’m sure there’s a way to play catch up. I’m sure there’s going to be a number of companies and consultancies out there that will be happy to take a bunch of money to help you implement it very quickly.
But I would worry about that, because oftentimes when you’re slamming something in place, you’re not actually taking the time to train your teams and your staff on what the requirements are.
