Are NIST 800-171 or CMMC Cybersecurity Costs Considered Reimbursable by the DoD?
In short, yes; however, with caveats.
In 2019, the Department of Defense (DoD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a maturity model based foundationally on the NIST 800-171 framework with some key evolutionary elements and integrations from NIST 800-53 and ISO 27001 among others, respectively. The change also incorporates the addition of third-party accreditation by cybersecurity assessors.
In January of this year, the Department of Defense (DoD) released the CMMC. This new maturity model defines five levels of increasing maturity and will require all defense contractors, both Primes and Subs, to comply with one of the five levels and attain independent verification of compliance prior to contract award. In an ongoing effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC is a significant change for DoD acquisition, cybersecurity, and policy. For small businesses in the defense industrial base, the challenge is potentially insurmountable.
CMMC mandates minimum cybersecurity standards for 300,000 plus commercial defense contractors around the globe and makes compliance part of the acquisition process, preventing contract award until an independent third-party has verified compliance. Given the magnitude of this change and the revenue impacting consequences of non-compliance, we choose Microsoft for our CMMC Managed Services Customers.
So now that the mandate is in place, how does this effect the cost of doing business with the US DoD?
In short, this mandate is supposed to be a ‘pass through.’
So, where is the source government verbiage documenting that a 7012 (NIST) or 7021 (CMMC) assessment or implementation is a reimbursable cost?
Regarding DFARS 252.204-7012 in 2013, DOD stated (see attached) that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 accreditation should be an allowable cost. The exact verbiage from the law is provided here and the full section of the law is (attached):
- Allowable Costs Under Cost Accounting Standards (CAS) Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.
Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201–2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201–2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201–2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201–2.
Comment: Several respondents stated that DoD needs to account for/provide funding for the additional costs of implementation.
Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.
Regarding CMMC, “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.”
“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”
Clearly the government isn’t expecting to receive the benefits of CMMC and the new accreditation without paying for it but it will not be a layup to get your costs covered. You still have to win first, there is not prize for losing bids.
FAQ for CMMC ( https://www.acq.osd.mil/cmmc/faq.html )