Cyber Essentials for Construction Companies and Contractors
Cyber Essentials has moved from "occasional nice-to-have" to "standard supplier requirement" in UK construction. Tier-one contractors increasingly require it from their subcontractors. Public-sector infrastructure frameworks — CCS RM6227 Construction Works and Associated Services, the Crown Commercial Service Demolition framework, the Scape frameworks, and the Procure22 and Procure23 frameworks — either require it outright or score it favourably. And for any firm bidding on MOD construction work under PPN 014/21, it is effectively mandatory.
This guide covers what certification actually means for a construction business, how the controls apply to the site-based and office-based mix of infrastructure most contractors run, and the scoping and BYOD questions that are distinctive to the sector.
Why construction firms are being asked for Cyber Essentials
Four overlapping pressures:
Government construction frameworks. Most CCS construction frameworks, including the major Works frameworks and the Construction Design & Build frameworks, list Cyber Essentials as a minimum requirement at the supplier qualification stage. Several go further and require Plus.
Tier-one subcontract terms. Larger contractors (Balfour Beatty, Kier, Mace, Skanska, Morgan Sindall, Willmott Dixon, Lendlease) increasingly cascade CE requirements into their subcontract terms. If you are a specialist subcontractor bidding to a tier one on a public-sector project, expect to be asked.
MOD and defence infrastructure. Work at MOD sites, for DE&S, or on Defence Infrastructure Organisation projects requires CE as a baseline. Some specific projects require CE Plus together with Def Stan 05-138 compliance.
Principal Designer / CDM overlap. Increasingly, principal designers and principal contractors are being asked about the cybersecurity posture of their entire supply chain as part of construction project risk management. CE has become the simplest way to demonstrate a baseline.
What construction infrastructure looks like
A typical UK construction firm runs a mix:
Everything up to and including BIM and the commercial systems is in scope. Site cameras and plant telematics may or may not be, depending on whether they process organisational data — the answer is usually that the data they push to the cloud service is organisational, so the telematics platform is in scope even if the physical devices are vendor-managed.
Site-based laptops and the BYOD question
The hardest Cyber Essentials area for construction is device management on site. Staff move between sites, use laptops in site offices that have temporary wifi, connect to client wifi networks, and sometimes tether from personal phones. The software firewall requirement does more work here than in a purely office-based business: on an untrusted site or client network the host firewall is the only boundary the device has, so it must be enabled and correctly configured on every laptop, not just the ones behind the office router.
Specific issues to get right:
A specific pattern I see: a contractor has MDM-enrolled laptops for office staff but the site manager team uses pool laptops that were imaged two years ago and have never been managed centrally. Those pool laptops are in scope and need the same controls as the office fleet.
Subcontractor access
A construction business routinely shares BIM models, drawings, and programmes with subcontractors. Those subcontractors may have login access to the company's Procore, Aconex, or Asite tenant. Every one of those accounts is a user under v3.3 and needs MFA.
The realistic position for a mid-sized contractor is:
What does not pass: shared subcontractor accounts ("subby1", "subby2"), or a long list of legacy subcontractor accounts left active years after the relevant project finished.
BIM, CAD, and model sharing
BIM platforms are SaaS. They handle their own infrastructure and generally offer MFA. Your CE scope for BIM is the user accounts your staff use to log in, the desktop applications your staff run that sync models locally, and any API integrations.
Specific things to check:
Commercial systems and CIS
CIS-aware accounting systems (Causeway, COINS, CIS software) hold payroll and subcontractor payment data. This is in scope because it holds organisational and personal data (National Insurance numbers, UTRs, bank details). The usual CE controls apply — MFA on every user, leaver processes, and no shared logins.
A failure pattern: the commercial director has a CIS software login that was shared with the office manager "so they can enter invoices when I'm on site". Shared accounts fail.
The five construction-specific failures I see
1. Pool site laptops unmanaged. Office fleet is under MDM; the three laptops the site teams share are not.
2. Subcontractor accounts left live. Subcontractor finished their scope in 2023, their Procore account is still active in 2026.
3. Plant telematics platform not considered. The organisation has not thought about the fact that the plant telematics cloud account holds data that is organisational and is accessed by named users with password-only credentials.
4. BIM desktop software unpatched. Critical Autodesk or Bentley updates deferred "because the project is using a specific build". Cyber Essentials has no exception route for deferring security updates: critical and high-severity fixes must be applied within 14 days of release. If a project genuinely demands a pinned build, the machine running it has to be kept off the in-scope network (or the scope reduced to exclude it) rather than left unpatched inside the boundary.
5. BYOD mobile phones used to access Procore. Staff check site drawings on personal iPhones that are not in MDM. Either enrol them or restrict the platform to managed devices.
Practical path to certification for a construction firm
If you are a construction company with 10-250 staff:
1. Map every system that holds project data. Include the commercial systems, BIM, project management, site cameras, and plant telematics.
2. Audit user accounts on every in-scope system. Ensure MFA on every one. Reconcile against your actual current staff and active subcontractors.
3. Inventory your laptop fleet. Office and site. Confirm every laptop is enrolled in MDM with baseline security policies. MDM is not itself a CE requirement, but for a dispersed fleet it is the practical way to evidence the secure configuration, patching, and malware protection controls on every device, including the pool laptops.
4. Address mobile phone access. Company-issued: MDM. BYOD accessing site systems: enrol or restrict.
5. Document plant telematics and site cameras as part of scope, with the cloud service's own MFA and user management described.
6. Submit. CE small (10-49 staff) £399.99 + VAT; medium (50-249) £449.99 + VAT; large (250+) £549.99 + VAT. Plus ranges from £1,499 to £4,499 + VAT.
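The account reconciliation in step 2 is the same check that catches the subcontractor and commercial-system failures above: "subby1"-style shared logins, accounts left live after a project finished, and password-only users on the telematics or CIS platform. The script below is an added example, not the author's tooling and not any vendor's API: it takes a user export of the kind most SaaS admin consoles produce and compares it against the current roster. The CSV columns, email domains, roster, as-of date and the list of "generic" login names are all constructed assumptions to make it run offline; real Procore, Aconex or Causeway exports will have different column names, and the generic-name pattern should be tuned to your own tenant.

```python
"""Reconcile a SaaS user export against the current staff/subcontractor roster.

Added example for the account audit step; all data below is constructed.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export. Column names are an assumption about what the
# admin console gives you; map real exports onto these before running.
USERS_CSV = """email,display_name,mfa_enabled,last_login,status
a.smith@example-contractor.co.uk,Alice Smith,true,2026-02-10,active
subby1@example-contractor.co.uk,Subby One,false,2025-11-02,active
j.doe@example-subby.co.uk,Jane Doe,true,2023-06-30,active
b.jones@example-contractor.co.uk,Bob Jones,false,2026-02-12,active
old.leaver@example-contractor.co.uk,Old Leaver,true,2024-01-15,active
shared.site@example-contractor.co.uk,Site Office,false,2026-02-01,active
former@example-contractor.co.uk,Former Staff,false,2022-01-01,disabled
"""

# Constructed roster: the people HR and the commercial team say should have
# access today (current staff plus subcontractors with live packages).
ROSTER = {
    "a.smith@example-contractor.co.uk",
    "b.jones@example-contractor.co.uk",
}

# Login names that look like a pool or shared account rather than a named
# person. This list is an assumption to tune per tenant, not a CE rule.
GENERIC_LOCAL_PART = re.compile(
    r"^(subby|subbie|subcontractor|shared|site|office|temp|guest|admin)"
    r"(\d+|[._-].*)?$",
    re.IGNORECASE,
)


def parse_users(csv_text):
    """Parse the export; accounts already disabled are not live users and are skipped."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["status"].strip().lower() == "active"]


def flags_for(user, roster, cutoff):
    """Return the sorted list of findings for one live account."""
    flags = []
    email = user["email"].strip().lower()
    # CE requires MFA on every cloud-service user where the service offers it.
    if user["mfa_enabled"].strip().lower() != "true":
        flags.append("no_mfa")
    # Anyone not on the roster is a leaver or a finished subcontractor.
    if email not in roster:
        flags.append("not_on_roster")
    # Never logged in, or not logged in since the cutoff: candidate for removal.
    last = user["last_login"].strip()
    last_login = date.fromisoformat(last) if last else None
    if last_login is None or last_login < cutoff:
        flags.append("stale")
    # Shared/pool logins fail regardless of who is using them.
    local_part = email.split("@", 1)[0]
    if GENERIC_LOCAL_PART.match(local_part):
        flags.append("generic_name")
    return sorted(flags)


def audit(csv_text, roster, as_of, stale_days=90):
    """Map each flagged live account (lower-cased email) to its findings.

    as_of is an ISO date string; accounts with no login in the last
    stale_days before it are flagged stale.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=stale_days)
    roster = {e.strip().lower() for e in roster}
    findings = {}
    for user in parse_users(csv_text):
        flags = flags_for(user, roster, cutoff)
        if flags:
            findings[user["email"].strip().lower()] = flags
    return findings


def summarise(findings):
    """Count how many accounts carry each finding, for the remediation list."""
    counts = {}
    for flags in findings.values():
        for flag in flags:
            counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(USERS_CSV, ROSTER, as_of="2026-02-15")
    for email, flags in sorted(results.items()):
        print(f"{email}: {', '.join(flags)}")
    print("totals:", summarise(results))
```

Run it once per in-scope system with that system's export and the same roster; anything flagged not_on_roster or generic_name is a remove-or-disable action, no_mfa is an enforce-MFA action, and stale accounts that are on the roster are worth a conversation before they are removed. Keep the output as evidence for the self-assessment.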
Bottom line
Construction has been slower than some sectors to adopt Cyber Essentials, but the commercial pressure has arrived. Firms that hold current CE are being shortlisted for public-sector work; firms that do not are being filtered out at the PQQ stage. The certification is also a reasonable proxy for the kind of operational discipline that good construction clients want to see — well-managed devices, prompt leaver processes, defined system boundaries, proper account hygiene. Getting it right is not complex; it just requires treating the site-based and office-based parts of the business as equal citizens in the compliance posture.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.