There is a significant need for the increase of security in Defense Department acquisitions and such procedures come with a great cost. The implementation of new rules and regulations will require organizations to recalculate their budgets and accommodate the cost of prioritizing security as a primary metric in the Defense Department. With that in mind, contractors who are performing on defense contracts will have to deal with a significant increase in costs with the arrival of new requirements such as the Defense Federal Acquisition Regulation Supplement clauses 252.204-7012 and 252.204-7021.
The first clause requires contractors to apply the security requirements listed in the National Institute of Standards and Technology’s Special Publication 800-171 in order to safeguard Covered Defense Information. The second clause requires contractors to comply with the requirements of the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC for short. Contractors and organizations working in the Defense Department space cannot escape the growing costs, since they are required to regularly evaluate and update their security systems and standards. As Kate Arrington, the chief information security officer behind the CMMC program, describes it, “security is an allowable cost.”
There has been a significant increase in costs on the vendor side as well, where vendors are spending significant portions of their budgets to enhance their cybersecurity capabilities and improve their security networks. Some of these costs will be incurred on an ongoing basis, while others, such as engineering and hardware updates, will be non-recurring. Moreover, costs such as procuring equipment, maintaining security assessments and programs, salaries of security personnel, and fees of managed security providers will be eligible for reimbursement under FAR Part 31. However, what is not clear is how contractors should account for these costs on their end.
What remains unclear is which criteria contractors should use to determine whether costs are directly related to a contract and should be charged to that specific contract. The main question is how they should manage costs that benefit multiple contracts in accordance with the Cost Accounting Standards. With limited guidance from the CMMC program regarding cost allocation, contractors will have to find a way to deal with costs related to information technology and cybersecurity. The CMMC director of policy, Stacy Bostjanick, said “Up to [CMMC] Level 3 will be included in your indirect rates. So, you don’t get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business.” She also added that Levels 4 and 5 are more complex and will most likely be a direct charge to the contract.
One more thing we want to mention is the criteria provided by Cost Accounting Standard 403 regarding home office expenses. The criteria state that such expenses should be grouped into homogeneous pools and allocated as an indirect cost across all segments. The system is set up this way to prevent double counting of IT and/or cybersecurity expenses.
In conclusion, contractors will be responsible for selecting the level of security they want to adopt, including CMMC Levels 1, 2, 3, and above. Naturally, the costs will depend on the level of security they choose to pursue and on the contracts that will bear those costs. Accordingly, they will have to select a cost accounting practice that allocates security costs to contracts in an appropriate manner, in accordance with the latest standards.