Law360 published an article recently with the title, “DoD Official Says Cyber is an Allowable Contractor Cost.” The article states that the U.S. Department of Defense (DoD) will allow defense contractors to treat the costs of bringing their cybersecurity programs in line with DoD requirements as an allowable cost and, therefore, reimbursable. Specifically, at the June 14, 2019 Professional Services Council’s Federal Acquisition Conference, DoD special assistant for cybersecurity Katie Arrington said, “security is an allowable cost.”
Further, Law360 reported that in May, DoD said it was developing a “Cybersecurity Maturity Model Certification” (CMMC) program to build on the Defense Federal Acquisition Regulation Supplement regulation (DFARS § 252.204-7012(b)(2)) that requires defense contractors to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171. The security controls are intended to protect covered defense information on nonfederal systems. DoD said the CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains.
Arrington told the conference attendees that the CMMC will be developed by DoD working in conjunction with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. The goal is to develop one unified standard for cybersecurity. This standard will include five different levels of required cybersecurity protections, from a level one of “basic hygiene,” which will be cheap and straightforward enough that a small business could meet it, to level five for “state-of-the-art” protections. Arrington said that DoD has planned 12 related industry days across the United States in July and August to work in a collaborative manner with defense contractors to improve cybersecurity practices in the CMMC plan. Acknowledgments to Daniel Wilson and Law360 for reporting these developments.
As always, the devil is in the details. Will DoD’s recognition of cybersecurity costs as allowable mean that contractors will be able to treat their recent security costs as allowable? Defense contractors have had to prepare to comply with DoD’s cybersecurity requirements for the past four years: the regulation was noticed in 2015, and implementation was required no later than Dec. 31, 2017. Or will DoD limit allowability to only the costs incurred to meet the requirements of the new CMMC program?
The original answers to frequently asked questions said that contractors would be required to self-certify their compliance with the DFARS regulation. The Under Secretary of Defense for Acquisition, Tech and Logistics previously stated in response to the question, “Is a 3rd Party assessment of compliance required?”
… The rule does not require “certification” of any kind, either for DoD or Federal contractors. Nor will DoD give any credence to 3rd party assessments or certifications – by signing the contract, the contractor agrees to comply with the terms of the contract. It is up to the contractor to determine that their systems meet the requirements….
Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), Frequently Asked Questions (FAQs) Regarding the Implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 230.76 and PGI Subpart 239.76, Q25.
Given the uncertainty that many contractors had with meeting their obligations under NIST SP 800-171, it is good to see that third-party certifications will be required and that the cost of third-party audits will at least be allowable. Finally, one cautionary note – the establishment of various levels may give rise to bid protests. Pre-award, defense contractors may challenge whether a particular contract merits a particular level of CMMC protection; post-award, if the level is unspecified, competitors may challenge whether the awardee’s level of CMMC protection is sufficient.