Home Services Medical Practices Veterinary Clinics Law Firms Construction & Trades Federal Contractors How We Work Results About Get Assessment

What IT documentation do general contractors want for prequalification?

By the Sentry Consulting Group team · Updated July 2026 · 5 min read

More general contractors are putting cybersecurity questions into their subcontractor prequalification packages, especially on public, federal-adjacent, and larger commercial jobs. If you've started seeing IT and security questions on prequal forms and weren't sure how to answer them, you're not alone, and getting them wrong can quietly cost you bids.

What GCs are actually asking for

The questions vary, but they usually circle the same controls: multi-factor authentication, endpoint protection (EDR), tested backups, email security, written security policies, security-awareness training, and sometimes an incident response plan. On federal and defense-adjacent work you'll increasingly see language borrowed from NIST 800-171 or CMMC. The GC's goal is to make sure a subcontractor isn't the weak link that exposes the whole project.

Why subs lose bids on this

Not because they lack the controls, necessarily, but because they can't document them on demand. A prequal questionnaire assumes you can produce evidence: a policy document, proof of MFA enforcement, a backup-testing record. A contractor scrambling to assemble that during a bid window looks less prepared than one who hands it over the same day. Over time, the documented sub wins more shortlists.

What to have ready

A note on CMMC

If a GC or contract specifically requires CMMC certification, that's a formal, assessed standard, different from documenting the controls above, and something to scope carefully rather than claim loosely. For most subcontractor prequals today, what's needed is credible documentation of the controls, maintained and ready. That's what Sentry keeps current for the construction and trades clients we manage.

Part of our guide to IT for construction and trades companies in Northern Virginia. See how Sentry supports construction and trades, or book a free assessment.

Common questions.

What IT documentation do general contractors want for prequalification?

Typically evidence of MFA, managed EDR, tested backups, email security, written security policies, security-awareness training, and sometimes an incident response plan. On federal-adjacent work you may also see NIST 800-171 or CMMC language.

Why do subcontractors lose bids over cybersecurity questions?

Usually not because they lack controls, but because they can't produce documentation on demand during the bid window. GCs increasingly shortlist subs who can hand over policies and evidence the same day, which makes maintained documentation a competitive advantage.

Is GC prequalification the same as CMMC?

No. CMMC is a formal, third-party-assessed certification. Most subcontractor prequalification questionnaires ask you to document standard security controls, not to hold a certification. If a contract specifically requires CMMC, that should be scoped carefully rather than claimed loosely.

Find out where your operations stand.

We will review your current environment, identify the gaps, and tell you exactly what it would take to bring your IT operations up to a disciplined, documented standard. If something is outside our scope, we will say so directly.

Schedule Your Free Assessment

No pressure, no obligation. Available to practices and businesses in the DC/MD/VA corridor.