Architecture · Engineering · Construction  •  CMMC L2 Flowdown • ITAR • BIM/CAD Ransomware • GC Supply Chain

Your drawings, specs, and project data are what attackers came for.

Texas AEC firms are inside the DoD supply chain — architects designing military bases, engineers specifying classified infrastructure, GCs flowing CMMC requirements to every sub. BIM repositories hold CUI. Ransomware groups target construction deadlines. CMMC Level 2 enforcement hits November 2026 with no exceptions for subs. CoreRecon delivers a CMMC-mapped, ITAR-aware SOC at $89–$129/endpoint.

Request Free Assessment → Check Your SPRS Score →
CMMC Level 2 enforcement: November 2026. Every DoD subcontractor handling CUI — including A/E design subs and GC primes — must achieve a passing SPRS score before contract award. The CMMC final rule requires 100% of the supply chain. If your firm has signed a DFARS 252.204-7012 clause in the past 3 years, your compliance window is already running. If you don't know your current SPRS score, that's the problem.
16K+ · Licensed architects in Texas (TBAE) — the nation's 2nd largest licensed architect population
30K+ · Texas engineering firms (TBPE) — including 340+ with active DoD subcontracts (SAM.gov FY2025)
41% · AEC ransomware surge year-over-year — Coveware / Sophos State of Ransomware 2025
$1.6M · Average AEC ransom demand — deadline-leveraged extortion on construction milestone schedules
100% · CMMC L2 requirement for DoD facility design subs under CMMC final rule effective Nov 2026
Threat Reality — 2024–2026

Four attack vectors targeting AEC firms right now.

Nation-state actors want the blueprints for what the U.S. military is building. Ransomware groups want to hit you at the worst possible moment. Both know AEC firms are underprepared.

Ransomware · BIM/CAD Deadline Extortion
Revit / AutoCAD / Bentley Repository Attacks
Ransomware groups actively research project schedules before deploying encryption. AEC firms are targeted 2–4 weeks before a major construction milestone, permit submission deadline, or contract award — when the cost of encrypted BIM repositories is highest. The HOK 2023 ransomware incident and Strada 2024 event both followed this pattern: file server encryption targeting Revit project files, AutoCAD drawing sets, and shared Bentley MicroStation repositories locked the entire project environment. Attackers know a firm missing a milestone forfeits retainage — the leverage is contract-scale, not just IT-scale.
Source: HOK 2023 incident disclosure; Coveware AEC Sector Report 2024; Sophos State of Ransomware 2025
Nation-State · IP Theft
DPRK / PRC Targeting Defense Facility Designs
China MSS-affiliated VOLT TYPHOON and APT41, along with DPRK Lazarus Group, actively target U.S. infrastructure engineering firms holding military facility designs. The objective is long-term pre-positioning intelligence — collecting base layouts, bunker specifications, communications facility schematics, and airfield structural designs for future operational use. They don't deploy ransomware. The silent exfiltration is the mission. Typical TTPs: living-off-the-land binaries (LOLBins), VPN/edge device compromise, slow credential harvest against Autodesk BIM 360 and Procore project environments. Dwell time averages 200+ days before detection.
Source: CISA AA24-038B (VOLT TYPHOON); CISA/FBI APT41 Advisory 2024; NSA DPRK Lazarus Advisory 2024
BEC · Change-Order / Invoice Fraud
Construction Payment Stream Hijacking
Business email compromise on construction project communication is the fastest-growing AEC fraud vector. Attackers compromise email accounts on either side of a GC–sub or owner–GC relationship, then intercept change-order approvals, substitute bank account routing information on pay-app invoices, and divert draws. AEC payment flows are uniquely vulnerable: large dollar amounts, complex multi-party approval chains, time pressure from pay-app deadlines, and routine wire transfers create the perfect BEC environment. FBI IC3 reported $2.9B+ in BEC losses across construction in 2024 — the #2 sector behind financial services.
Source: FBI IC3 Annual Report 2024; AIC Risk Management Advisory 2025
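The remittance-change check that counters the pay-app diversion described above, as an added example (it is not CoreRecon's tooling): every incoming pay-app invoice is compared against the AP vendor master, and any change to routing or account number, or a Reply-To address whose domain does not match the sending domain, puts the payment on hold pending a callback to the phone number already on file. The vendor records, invoice fields and e-mail addresses are constructed sample data.

```python
"""Pay-app invoice remittance-change screening (added example; not CoreRecon code)."""
from dataclasses import dataclass, field
import email.utils

# Constructed vendor master: the AP system of record, with a callback number
# captured at onboarding (never taken from an invoice or from the e-mail).
VENDOR_MASTER = {
    "V-1042": {"name": "Lone Star MEP Engineering", "routing": "111000025",
               "account": "000123456789", "callback_phone": "+1-512-555-0100"},
    "V-2231": {"name": "Gulf Coast Geotech", "routing": "111900659",
               "account": "000987654321", "callback_phone": "+1-713-555-0199"},
}


@dataclass
class PayAppInvoice:
    vendor_id: str
    invoice_no: str
    amount: float
    routing: str        # remittance bank routing number printed on the invoice
    account: str        # remittance account number printed on the invoice
    from_addr: str      # From: header of the submitting e-mail
    reply_to: str       # Reply-To: header ("" if absent)


@dataclass
class ScreeningResult:
    hold: bool
    reasons: list = field(default_factory=list)
    callback_phone: str = ""   # verify by calling this number, not an invoice contact


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address; empty string if none."""
    _, parsed = email.utils.parseaddr(addr)
    return parsed.rsplit("@", 1)[-1].lower() if "@" in parsed else ""


def screen_invoice(inv: PayAppInvoice, master=VENDOR_MASTER) -> ScreeningResult:
    """Hold the payment on any bank-detail change or Reply-To domain mismatch."""
    res = ScreeningResult(hold=False)
    rec = master.get(inv.vendor_id)
    if rec is None:
        res.hold = True
        res.reasons.append("vendor id not in vendor master")
        return res
    # Compare against the record of truth, never against the previous invoice.
    if (inv.routing, inv.account) != (rec["routing"], rec["account"]):
        res.hold = True
        res.reasons.append("remittance bank details differ from vendor master")
    sender_dom = domain_of(inv.from_addr)
    reply_dom = domain_of(inv.reply_to) if inv.reply_to else sender_dom
    if reply_dom != sender_dom:
        res.hold = True
        res.reasons.append(
            f"reply-to domain {reply_dom!r} differs from sender domain {sender_dom!r}")
    if res.hold:
        res.callback_phone = rec["callback_phone"]
    return res


if __name__ == "__main__":
    # Constructed: same vendor, account number swapped and a look-alike Reply-To.
    diverted = PayAppInvoice("V-1042", "INV-2025-032", 184250.00, "111000025",
                             "000999999999", "ap@lonestarmep.example",
                             "ap@lonestar-mep.example")
    print(screen_invoice(diverted))
```

The hold is released only after someone on the AP side reaches the vendor on the stored callback number; a number or e-mail supplied in the change request itself is never used for that confirmation.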
Supply Chain · Sub Access Pivot
GC Environment as Sub-Pivot Point
A prime GC's project environment — Procore, Autodesk BIM 360, Bluebeam, shared file drives — is accessed by dozens of subs, consultants, and vendors. A single compromised sub credential propagates across every project the prime runs. The 2024 construction technology supply chain wave compromised 60+ AEC firms through a single shared project management vendor's credential database. GCs that enforce CMMC flowdown clauses but don't monitor third-party access to their project environments are still exposed. CoreRecon monitors GC-managed environments for sub-account anomalies, unusual off-hours access, and mass-download events.
Source: CISA Construction Sector Advisory 2024; CrowdStrike Global Threat Report 2025
Read: TX Defense Contractor Threat Brief 2026 →
Compliance Framework

Every regulation that applies to AEC firms — mapped.

If you're a DoD subcontractor, design ITAR-controlled systems, do school district work, or hold client PII, multiple regulations apply simultaneously. Ignorance of CMMC flowdown is not a legal defense.

| Regulation | Trigger for AEC | Deadline / Enforcement | Max Penalty | CoreRecon Coverage |
|---|---|---|---|---|
| CMMC Level 2 | DoD subcontractor (GC, A/E design sub, MEP consultant) touching CUI — facility drawings, base layouts, defense infrastructure specs | Nov 2026 — no award without passing SPRS; GC primes must flow down to all subs touching CUI | Contract termination; disqualification from future DoD work; False Claims Act for primes | Fortress, Command |
| ITAR (22 CFR 120–130) | Design of defense articles on USML — weapons storage, missile bunkers, classified comms facilities, combat vessel/airfield structural | Active — voluntary self-disclosure window; State Dept audits active 2025–26 | $1M per violation (civil); criminal prosecution + debarment | Command |
| DFARS 252.204-7012 | Any DoD prime or subcontract involving covered defense information (CDI); GC must flow to every sub receiving CUI | Active now — 72-hr incident reporting to DoD required; 90-day evidence preservation | FCA liability; $13K–$26K per false claim | Fortress, Command |
| FTC Safeguards Rule | AEC firms handling client financial data (mortgage docs, project financing, owner financial records) — financial institution status | Active — FTC enforcement ongoing; annual written ISP + risk assessment required | $50K/day (FTC civil); class action exposure | Sentinel, Fortress |
| Texas SB 820 | Any breach of Texas resident PII — employees, subcontractors, clients, owners. Applies to all Texas-headquartered or Texas-operating AEC firms | 48-hour AG notification for breaches affecting 250+ residents; active enforcement | $100/day per resident affected; AG civil penalty | Sentinel |
| CFATS-Adjacent (Chemical Facility) | A/E firms designing chemical plants, refineries, or high-hazard facilities — design data is facility security vulnerability information (FSVI) | CISA oversight; design data breach may trigger facility tier review | $25K/day (facility non-compliance); reputational / contractual exposure for A/E sub | Fortress, Command |
Calculate your SPRS score →
Documented AEC Incidents — Technical Analysis

Real breaches. Real failure modes. Real compliance consequences.

Three public AEC incidents from 2023–2024. CoreRecon's technical analysis identifies the specific attack vector and the compliance gap that made it possible.

Ransomware · 2023 · Global Architecture Firm
HOK
BIM Repository Ransomware
Incident: HOK — one of the world's largest architecture and design firms with significant U.S. federal and DoD facility design work — disclosed a 2023 ransomware incident that encrypted project repositories including Revit models, AutoCAD drawing sets, and project coordination files. The attack disrupted multiple active projects across HOK's Houston and Dallas offices, which serve federal government and defense clients. HOK confirmed unauthorized access to systems and data exfiltration prior to encryption deployment.

What was affected: Active project BIM repositories, project management data, client coordination files, and design documentation for federal and commercial projects.
CoreRecon Technical Analysis
Attack pattern: Double-extortion — data exfiltrated before encryption to maximize leverage. The attacker staged on the network for an estimated 3–5 weeks before deploying the ransomware payload, harvesting credentials and identifying the highest-value file repositories (BIM project servers).

CMMC gap: Under DFARS 252.204-7012, any firm handling DoD-related design data must report cyber incidents within 72 hours and maintain network monitoring capable of detecting unusual data transfer volumes. The pre-encryption staging — large-volume file access over nights/weekends — would have triggered a behavioral anomaly alert in a properly configured SOC. The absence of User and Entity Behavior Analytics (UEBA) on the BIM server access patterns was the critical detection failure.
BlackCat/ALPHV · 2024 · Nuclear & Defense A/E
Sargent & Lundy
BlackCat Ransomware + Data Leak
Incident: Sargent & Lundy, a Chicago-based engineering firm specializing in nuclear power and defense infrastructure design, was claimed by the BlackCat/ALPHV ransomware group in 2024. BlackCat published a data sample on their leak site that included project documents, engineering specifications, and internal business records. Sargent & Lundy holds contracts with multiple U.S. nuclear utilities and DoD-adjacent infrastructure clients.

What was leaked: BlackCat published engineering design fragments, project scoping documents, internal business records, and personnel data on their leak site as proof of access.
CoreRecon Technical Analysis
Attack vector: BlackCat/ALPHV uses a ransomware-as-a-service model with affiliates who specialize in initial access via phishing, exposed RDP, and VPN credential compromise. Engineering firms are high-value targets because their design data has both extortion value (critical path project impact) and intelligence value (foreign actors purchase leaked engineering data from ransomware groups).

CMMC/DFARS failure: Any firm holding DoD-related engineering data is required under DFARS 252.204-7012 to maintain an SSP documenting system boundaries and to report incidents to DoD within 72 hours. The BlackCat leak contained data that, if ITAR-controlled, triggered mandatory State Department notification. NIST 800-171 Control 3.14.7 (identify unauthorized use of organizational systems) is specifically designed to detect pre-ransomware lateral movement.
Ransomware · 2024 · Mid-Market AEC Firm
Strada
Project Data Encryption
Incident: Strada (formerly AECOM's management consulting arm, operating as an independent engineering and infrastructure advisory firm) was listed as a ransomware victim in 2024. The incident involved unauthorized access to Strada's network, exfiltration of project and client data, and encryption of internal systems. Strada disclosed the incident and confirmed engagement of cybersecurity forensics resources to investigate the breach scope.

What was affected: Internal systems, project data, and client-related information; extent of DoD-related data involved was not publicly specified in the disclosure.
CoreRecon Technical Analysis
Attack pattern: Mid-market AEC firms in the $50M–$500M revenue range are the current primary ransomware target in the sector — large enough to have meaningful data, small enough to lack enterprise SOC capabilities. The Strada incident fits the profile: a firm that had recently undergone a corporate spin-off (from AECOM), creating a period of IT security transition where monitoring coverage may have gaps.

AEC-specific risk: Corporate restructuring events — spin-offs, M&A, rebranding — are high-risk windows because security tooling subscriptions lapse, identity management systems are rebuilt, and institutional security knowledge leaves with departing IT staff. CoreRecon's onboarding specifically covers post-M&A and post-restructuring threat hunts.
Why CoreRecon for AEC

Texas-based. SDVOSB certified. Built for DoD supply chains.

Most MSSPs treat AEC like any other SMB client. CoreRecon was built for regulated industries with DoD exposure — that means CMMC artifacts, ITAR awareness, and a founder who's on the phone when it matters.

24/7 SOC + 30-Min SLA
Threat Detection · Incident Response
Real analysts, not automated ticket queues. A 30-minute SLA means a CoreRecon analyst is actively working your incident — not acknowledging a ticket — within 30 minutes of detection. For AEC firms with DFARS obligations, our 72-hour DoD reporting workflow is pre-built and pre-authorized. You never have to figure out what to report or when.
SDVOSB for DoD Primes
Set-Aside Eligible · CMMC RP
CoreRecon is Service-Disabled Veteran-Owned Small Business (SDVOSB) certified. For AEC firms competing on DoD military construction contracts, our SDVOSB status is a set-aside advantage on CMMC-required cybersecurity services. John Martinez holds the CMMC Registered Practitioner credential and can serve as CISO of record for your C3PAO assessment.
BIM/CAD-Aware Monitoring
Revit · AutoCAD · Bentley · Procore
Generic EDR doesn't understand Revit file access patterns. CoreRecon monitors your BIM and CAD environments with behavioral baselines specific to how architects and engineers actually work — large batch file opens, off-hours repository access, unusual export volumes from Revit or AutoCAD. We know the difference between a deadline crunch and pre-ransomware staging.
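An added example of the behavioral baseline described here, and of the off-hours bulk access and sub-account pivot called out in the HOK analysis and the GC supply chain section above. It is not CoreRecon's monitoring code. It builds a per-user files-per-day baseline from a week of constructed file-server access records, then flags three things in a later window: off-hours bulk access, a volume spike against the user's own baseline, and a sub account touching a project it is not assigned to. Business hours, the spike factor, the session threshold, the user names and the project assignments are all assumptions.

```python
"""Behavioral baselining for BIM/CAD file-server access (added example; not CoreRecon tooling).

Record format (constructed): timestamp,user,project,action,bytes
Baseline: mean file events per active day, per user, from a training window.
Alerts:   off-hours bulk access, volume spike vs. the user's baseline, and a
          sub account touching a project it is not assigned to (the GC pivot case).
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from statistics import mean

BUSINESS_HOURS = range(6, 20)   # assumption: 06:00-19:59 local on weekdays is normal
SPIKE_FACTOR = 5.0              # assumption: >5x the user's baseline files/day
OFFHOURS_BULK = 50              # assumption: >50 files in one off-hours day

# Constructed: which project(s) each account is entitled to open.
ASSIGNMENTS = {
    "mep.sub": {"P-4471"},
    "geo.sub": {"P-4471", "P-4502"},
    "arch.lead": {"P-4471", "P-4502", "P-4610"},
}
HEADER = "timestamp,user,project,action,bytes"


def parse_records(text):
    """CSV text -> list of dicts with a parsed timestamp."""
    return [{"ts": datetime.fromisoformat(r["timestamp"]), "user": r["user"],
             "project": r["project"], "bytes": int(r["bytes"])}
            for r in csv.DictReader(StringIO(text))]


def build_baseline(records):
    """Mean number of file events per active day, keyed by user."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_day[r["user"]][r["ts"].date()] += 1
    return {u: mean(days.values()) for u, days in per_day.items()}


def detect(records, baseline, assignments=ASSIGNMENTS):
    """Return sorted, de-duplicated (user, day, alert_type, detail) tuples."""
    alerts = set()
    daily = defaultdict(lambda: defaultdict(int))
    offhours = defaultdict(lambda: defaultdict(int))
    for r in records:
        u, day = r["user"], r["ts"].date()
        daily[u][day] += 1
        if r["ts"].hour not in BUSINESS_HOURS or r["ts"].weekday() >= 5:
            offhours[u][day] += 1
        if r["project"] not in assignments.get(u, set()):
            alerts.add((u, day.isoformat(), "unassigned-project", r["project"]))
    for u, days in daily.items():
        base = baseline.get(u)
        for day, n in days.items():
            if base and n > SPIKE_FACTOR * base:
                alerts.add((u, day.isoformat(), "volume-spike",
                            f"{n} files vs baseline {base:.1f}/day"))
            if offhours[u][day] > OFFHOURS_BULK:
                alerts.add((u, day.isoformat(), "offhours-bulk",
                            f"{offhours[u][day]} files outside business hours"))
    return sorted(alerts)


def synth(user, project, day, hour, count):
    """Constructed events: `count` reads starting at day hour:00, one per minute."""
    start = datetime.fromisoformat(f"{day}T{hour:02d}:00:00")
    return [f"{(start + timedelta(minutes=i)).isoformat()},{user},{project},read,4000000"
            for i in range(count)]


def run_demo():
    """One normal week (Mon 3 Mar - Fri 7 Mar 2025) followed by a suspicious window."""
    baseline_rows = []
    for d in ["2025-03-03", "2025-03-04", "2025-03-05", "2025-03-06", "2025-03-07"]:
        baseline_rows += synth("mep.sub", "P-4471", d, 10, 20)
        baseline_rows += synth("geo.sub", "P-4502", d, 9, 15)
        baseline_rows += synth("arch.lead", "P-4610", d, 8, 30)
    window_rows = (synth("mep.sub", "P-4471", "2025-03-08", 2, 200)    # Saturday 02:00 bulk pull
                   + synth("geo.sub", "P-4471", "2025-03-10", 11, 12)
                   + synth("geo.sub", "P-4610", "2025-03-10", 11, 3)   # not on geo.sub's projects
                   + synth("arch.lead", "P-4610", "2025-03-10", 10, 25))  # deadline-week normal
    baseline = build_baseline(parse_records("\n".join([HEADER] + baseline_rows)))
    return detect(parse_records("\n".join([HEADER] + window_rows)), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The arch.lead account's 25 files on Monday morning stays below its own baseline and raises nothing, which is the point of baselining per user: the same count from mep.sub at 02:00 on a Saturday is flagged twice.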
Texas-Based + Founder Hands-On
Houston · DFW · San Antonio Coverage
CoreRecon is headquartered in Texas and serves the Texas AEC market directly. John Martinez — founder and CEO — is personally reachable during active incidents. For C3PAO assessment prep, ITAR compliance questions, and board-level security briefings, you deal with the person who built the program, not an account manager. That's the difference between a SOC vendor and a security partner.
See vCISO retainer for CMMC prep →
SOC Pricing — AEC Firms

CMMC-ready SOC. No enterprise contracts.

Most Texas AEC firms with DoD subcontract exposure need Fortress at minimum. GCs running multi-sub CMMC programs or firms requiring a CISO of record for C3PAO assessment should evaluate Command. Endpoint count typically runs 25–150 for design firms, 50–300 for mid-market GCs.

Sentinel
$89/endpoint/mo
25-endpoint minimum · ~$2,225/mo
  • 24/7 SOC monitoring + 30-min SLA
  • EDR on all covered endpoints
  • SIEM log aggregation + alerting
  • TX SB 820 breach response workflow
  • BIM file server monitoring (access logging)
  • Basic CMMC readiness report
Command
$129/endpoint/mo
25-endpoint minimum · ~$3,225/mo
  • Everything in Fortress
  • Dedicated security analyst (named, 4-hr escalation SLA)
  • Monthly C3PAO-ready SSP artifact updates
  • CISO-of-record for CMMC assessment (John Martinez, CMMC RP)
  • GC supply chain CMMC flowdown program management
  • Custom BIM/CAD incident playbooks
  • ITAR export-control program documentation
  • Multi-office unified SOC coverage
  • Quarterly board-level security briefing
Free AEC Security Tools

Know where you stand before a C3PAO does.

NIST 800-171 · CMMC L2
SPRS Score Calculator
All 110 NIST SP 800-171 controls. Calculate your SPRS score and identify the gaps that will fail a C3PAO assessment. Email-gated PDF report.
AEC-Calibrated · IBM X-Force Data
Breach Cost Calculator
Model your real breach exposure: project downtime, retainage forfeiture, DFARS notification costs, regulatory fines, and IR fees — all calibrated for AEC firms.
Free · No Commitment · 30 Minutes
Security Assessment
CoreRecon analyst reviews your current security posture, identifies CMMC gaps, and delivers a written SPRS gap report with prioritized remediation steps. Free.
FAQ

What AEC firms ask us before signing.

Yes — unambiguously. If you hold a subcontract with a DoD prime that involves Controlled Unclassified Information (CUI), CMMC Level 2 applies effective November 2026. For AEC firms, CUI includes DoD facility drawings, military installation site plans, structural and MEP documents for defense infrastructure, and any engineering data transmitted under a DFARS 252.204-7012 flow-down clause. If your prime has included that clause in your subcontract — check your teaming agreement or subcontract exhibit — you are already obligated to comply. CMMC L2 formalizes enforcement with required third-party (C3PAO) assessment for the highest-sensitivity DoD work.
As a prime GC on a DoD military construction project, you are responsible for including DFARS 252.204-7012 flowdown clauses in every subcontract where CUI is shared. This covers your structural engineer, MEP designer, civil firm, geotechnical consultant, and any specialty sub that receives DoD facility drawings. You must also verify their compliance — you cannot simply flow the clause and ignore the sub's security posture. CoreRecon's Command tier includes GC supply chain CMMC program management: sub SPRS score review, flowdown clause templates, and a structured verification process for your design team. False Claims Act liability for non-compliant flowdown falls on the prime GC.
ITAR applies when your firm designs systems or components listed on the U.S. Munitions List (USML). For AEC firms this includes: weapons storage facility structural design, missile bunker and silo specifications, classified communications facility layouts, and shipyard or airfield structural design for combat platforms. Unauthorized disclosure — including to foreign nationals employed at your firm with access to these design files — is an ITAR violation regardless of intent. State Department civil penalties run $1M per violation; criminal prosecution results in debarment from all federal contracting. If you're unsure whether your DoD work is ITAR-controlled, the safe assumption is yes until you get a written determination from your prime. CoreRecon's Command tier includes ITAR access segregation monitoring and export-control program documentation.
Yes — and AEC is now the 3rd most-targeted sector for ransomware behind healthcare and financial services. The HOK 2023 and Strada 2024 incidents confirmed what Coveware's data shows: ransomware groups specifically research AEC project schedules and time their encryption to maximize leverage. Revit project files, AutoCAD drawing sets, Bentley MicroStation models, and cloud-synchronized BIM 360 repositories are all targeted. The average AEC ransom demand is $1.6M — and that doesn't include the cost of project downtime, retainage forfeiture for missed milestones, or the DFARS 72-hour reporting obligation triggered when a breach involves CUI. A SOC with behavioral monitoring detects the pre-encryption staging and lateral movement typically 24–72 hours before payload deployment — enough time to contain before encryption.
Most cyber insurance policies have specific exclusions that AEC firms trigger. Key issues: (1) War exclusions — if the ransomware group is state-affiliated (Russia, DPRK, Iran), many insurers deny the claim; VOLT TYPHOON and Lazarus Group activity is now explicitly excluded under some policies. (2) Known unpatched systems — if your file server was running an unpatched vulnerability at the time of the incident, carriers can deny coverage. (3) DFARS/regulatory exposure — regulatory fines and DoD notification costs are often excluded from standard cyber policies. CoreRecon's continuous monitoring satisfies "reasonable security" requirements that insurers use to determine coverage eligibility. Our documentation of patching cadence, vulnerability management, and incident response procedures is insurer-ready. We can provide attestation letters for renewal submissions.
An IR retainer means that when the call comes at 2am that your BIM server is encrypted, you are not cold-calling a vendor and negotiating scope at $450/hour. CoreRecon Command tier includes pre-authorized containment authority (our analysts can isolate compromised systems without waiting for approval), pre-built AEC-specific playbooks for BIM ransomware, change-order BEC, and DFARS incident reporting, and a named senior analyst who knows your environment from onboarding — not someone reading your network diagram for the first time during the incident. For AEC firms with DoD exposure, the 72-hour DFARS notification clock starts at initial discovery, not when you decide you have a problem. A retainer means you meet that deadline. A cold-start IR firm engagement typically takes 48 hours just to get on-site and scoped.
CMMC L2 · ITAR · BIM/CAD Protection · SDVOSB

Your SPRS score is your competitive advantage or your disqualifier.

CoreRecon closes the CMMC gap for Texas AEC firms. SDVOSB-certified SOC, ITAR-aware security, BIM/CAD monitoring, and a founder-led CISO of record for C3PAO assessment. Starting at $89/endpoint.

Get Your Free Assessment →

No contracts. No minimum commitments. Free CMMC readiness report with every assessment.

Active breach? Call (800) 955-2596 now — 30-min SLA, available 24/7 →
NIST 800-171 · 110 Controls · Free · Email-Gated PDF
Calculate Your CMMC SPRS Score Before Your Prime Does
All 110 NIST SP 800-171 controls. Score each control's implementation status, get your weighted SPRS total, and identify the gaps that will fail a C3PAO assessment. AEC firms under CMMC L2 flowdown need a documented SPRS score before their prime asks for it.
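The weighted scoring behind an SPRS calculation, as an added example rather than CoreRecon's calculator. It applies the rules of the DoD Assessment Methodology for NIST SP 800-171: start at 110, subtract each unimplemented control's weight (5, 3 or 1), give partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), treat POA&M items as not implemented, and floor the result at -203. The WEIGHTS table is a small constructed subset and must be checked against the published methodology table before use; a real assessment scores all 110 controls.

```python
"""SPRS score computation per the NIST SP 800-171 DoD Assessment Methodology
(added example; not CoreRecon's calculator)."""
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    PARTIAL = "partial"   # only meaningful for 3.5.3 and 3.13.11
    POAM = "poam"         # on the POA&M: planned, so scored as not implemented


# Constructed subset of the official weight table: verify each value against
# the published methodology before relying on it.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.19": 3, "3.3.1": 5, "3.5.3": 5,
    "3.6.1": 5, "3.13.11": 5, "3.14.6": 5, "3.14.7": 3,
}
# Reduced deduction when MFA covers only remote/privileged users, or when
# encryption is in place but not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE, MIN_SCORE = 110, -203


def deduction(control, status, weights=WEIGHTS):
    """Points subtracted for one control given its assessed status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if control not in PARTIAL_CREDIT:
            raise ValueError(f"{control} has no partial-credit rule; score it as implemented or not")
        return PARTIAL_CREDIT[control]
    return weights[control]   # NOT_IMPLEMENTED and POAM both lose the full weight


def sprs_score(assessment, weights=WEIGHTS):
    """assessment: {control_id: Status}; every control in `weights` must be scored."""
    missing = set(weights) - set(assessment)
    if missing:
        raise ValueError(f"unscored controls: {sorted(missing)}")
    total = sum(deduction(c, s, weights) for c, s in assessment.items())
    return max(MIN_SCORE, MAX_SCORE - total)


def gap_report(assessment, weights=WEIGHTS):
    """Controls still costing points, highest deduction first (the C3PAO gap list)."""
    gaps = [(c, deduction(c, s, weights)) for c, s in assessment.items()]
    return sorted([g for g in gaps if g[1] > 0], key=lambda g: (-g[1], g[0]))


def sample_assessment():
    """Constructed self-assessment for a design firm mid-remediation."""
    return {
        "3.1.1": Status.IMPLEMENTED, "3.1.2": Status.IMPLEMENTED,
        "3.1.3": Status.NOT_IMPLEMENTED, "3.1.19": Status.POAM,
        "3.3.1": Status.IMPLEMENTED, "3.5.3": Status.PARTIAL,
        "3.6.1": Status.IMPLEMENTED, "3.13.11": Status.PARTIAL,
        "3.14.6": Status.IMPLEMENTED, "3.14.7": Status.NOT_IMPLEMENTED,
    }


if __name__ == "__main__":
    a = sample_assessment()
    print("SPRS score:", sprs_score(a))
    for control, points in gap_report(a):
        print(f"  {control}: -{points}")
```

Two things the example makes visible that a spreadsheet often hides: a control parked on the POA&M earns no credit until it is actually done, and the only two places partial implementation counts for anything are MFA and FIPS-validated encryption.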
Calculate My SPRS Score →
CMMC CISO of Record · vCISO Retainer
Need a CISO of Record for CMMC? That's What We're Built For.
CoreRecon's vCISO serves as your CMMC CISO of record — signing the SSP, managing the POA&M, and representing your program to a C3PAO assessor. John Martinez holds the CMMC Registered Practitioner credential. Starts at $4,000/mo.
See vCISO Retainer →