Cost of Cybersecurity Compliance Now an Allowable Cost?
The defense contractor community is buzzing about a recent announcement by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cybersecurity. The announcement? The costs of achieving compliance with the Department of Defense (DoD) cybersecurity requirements will be allowable in certain cases. While there have been arguments that cybersecurity costs could be included in overhead, Katie Arrington's statement is significant because it ends the debate (at least with respect to DoD).
The application and scope of the ability to charge cybersecurity compliance costs to DoD, however, remains unclear. DoD's decision concerning these costs is tied to the rollout of its Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC Program's objective is to establish uniform standards against which DoD contractors' compliance will be measured. DoD plans to issue draft standards by the end of the summer, and will hold listening sessions for contractors throughout the summer. The standards are expected to include five "Maturity Levels." Compliance with the standard will require certification by a third-party cybersecurity assessor.
DoD's implementation of the CMMC Program is aggressive. The Department expects third-party certifiers to begin their efforts in January of 2020. Requests for Information are to include compliance with the CMMC standards in June 2020; solicitations will include the standards beginning in September 2020.
If this schedule holds, DoD contractors will be expected to be compliant – as certified by a third party – with the new standards in a little more than a year. DoD believes that a very small percentage of its contractors now comply with National Institute of Standards and Technology (NIST) Publication 800-171, which contains the standards on which DoD's current cybersecurity requirements are based. See Defense Federal Acquisition Supplement (DFARS) 252.204-7012. The NIST standards will also play a role in the CMMC Program. Contractors whose cybersecurity protections do not meet the NIST requirements, and who do not have an active Plan of Action to achieve compliance, are well advised to begin implementing the NIST 800-171 standards now.
At the same time, DoD contractors are reminded that DoD has indicated that it will begin auditing contractors for cybersecurity matters, no longer relying on companies to self-certify that their cybersecurity practices are sufficient. Add this issue to the risk of waiting until the last minute, and contractors could face both exclusion from participating in DoD procurements and potential penalties for non-compliance.