Are NIST 800-171 or CMMC Cybersecurity Costs Considered Reimbursable by the DoD?

By Carl Herberger • December 17, 2020

In short, yes; however, with caveats.

In 2019, the Department of Defense (DoD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a maturity model built on the foundation of the NIST 800-171 framework, with key additional elements drawn from NIST 800-53, ISO 27001 and other sources. It also introduces third-party accreditation by cybersecurity assessors.

In January of this year, the Department of Defense (DoD) released the CMMC. This new maturity model defines five levels of increasing maturity and will require all defense contractors, both Primes and Subs, to comply with one of the five levels and attain independent verification of compliance prior to contract award. In an ongoing effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC is a significant change for DoD acquisition, cybersecurity, and policy. For small businesses in the defense industrial base, the challenge is potentially insurmountable.

CMMC mandates minimum cybersecurity standards for more than 300,000 commercial defense contractors around the globe and makes compliance part of the acquisition process, preventing contract award until an independent third party has verified compliance. Given the magnitude of this change and the revenue-impacting consequences of non-compliance, we chose Microsoft for our CMMC Managed Services customers.

So now that the mandate is in place, how does this affect the cost of doing business with the US DoD?

In short, this mandate is supposed to be a ‘pass-through.’

[Image: Katie Arrington quote on CMMC]

So, where is the source government language documenting that a 7012 (NIST) or 7021 (CMMC) assessment or implementation is a reimbursable cost?

See below:

NIST

Regarding DFARS 252.204-7012, in 2013 DoD stated (see attached) that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools (see page 69274). Since complying with CMMC Level 3 is equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 accreditation should be an allowable cost. The exact verbiage from the law is provided here, and the full section of the law is attached:

  1. Allowable Costs Under Cost Accounting Standards (CAS)

Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.

Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201–2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201–2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201–2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201–2.

Comment: Several respondents stated that DoD needs to account for/provide funding for the additional costs of implementation.

Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.

CMMC

Regarding CMMC, “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an ‘allowable cost’ in DoD contracts.”

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

Clearly the government isn’t expecting to receive the benefits of CMMC and the new accreditation without paying for it, but it will not be a layup to get your costs covered. You still have to win first; there is no prize for losing bids.

Source: FAQ for CMMC, https://www.acq.osd.mil/cmmc/faq.html
