DoD Allows Contractors To Bill Back CMMC Costs
Rival nations and cybercriminals relentlessly target DoD supply chain organizations. That’s why CMMC compliance is a necessary and reimbursable expense.
The deadline for U.S. Department of Defense supply chain contractors to meet the upgraded cybersecurity requirements is fast approaching, and that has many small and mid-sized organizations worried about costs.
Although some DoD officials have made pointed comments about a hard line being drawn in the sand, it appears that much of the cost of gaining Cybersecurity Maturity Model Certification (CMMC) may be recovered from the federal government. The flap about cash-strapped outfits paying out of pocket for yet another government mandate may have stemmed from some candid remarks at the Charleston Defense Contractors Association 2019 Summit in Charleston, South Carolina.
“Companies that say, ‘I’ll never get certified, I don’t want to, this is too high of a bar to reach to work with the Department of Defense. It’s already cumbersome enough to work there.’ Here’s my thing: I love ya, but good riddance,” DoD acquisitions official Katie Arrington reportedly said. “We don’t want to lose you. The companies that don’t want to acquiesce: I don’t want them to go, but they have a business decision to make.”
During the summit, Arrington pointed out that upwards of 80 percent of DoD supply chain data is housed on non-government networks, and that cybercriminals and rival nations are champing at the bit to steal it. Her blunt remarks, however, may have given decision-makers the wrong idea about who shoulders the full cost. Securing third-party certification before the deadline is an absolute must, but reimbursement of that cost remains an option.
CMMC Reimbursement Eligibility
The DoD appears to have recognized that CMMC adds yet another expense, one that could drive small and mid-sized supply chain firms out of the defense market altogether.
While large military contractors roll the expense of an entire in-house cybersecurity department into their bids, most contractors rely on outsourcing and staff augmentation to keep costs reasonable and remain competitive. That may be why the DoD has gone on the record stating, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
In practice, “allowable” means the cost of CMMC assessment and preparation services can be recovered through contract pricing, typically as an indirect cost in overhead or G&A rates, rather than invoiced to the government as a separate line item, so how much comes back depends on the contract type and the contractor’s cost accounting. There may also be enough room to recover the cost of any remediation needed to reach the level of cybersecurity controls a given contract requires. Those levels are the five CMMC tiers listed below.
- Level 1: Basic cyber hygiene, the safeguarding practices already required by FAR 52.204-21 for Federal Contract Information (FCI).
- Level 2: Intermediate cyber hygiene, a transition step with documented practices toward protecting Controlled Unclassified Information (CUI).
- Level 3: Good cyber hygiene, covering all 110 security requirements of NIST SP 800-171 plus additional practices, for contractors that handle CUI.
- Level 4: Proactive cybersecurity that reviews and measures its practices and is aimed at detecting and responding to advanced persistent threats.
- Level 5: Advanced, progressive cybersecurity with standardized and optimized processes applied across the organization.
Achieving compliance will generally require companies to outsource the overhaul to a managed IT cybersecurity specialist, largely because DoD policies and protocols are highly specialized. Defense contractors are also urged to act quickly, since the industry could face a logjam of businesses trying to gain certification as the deadline nears.
Is Your Business CMMC Ready?
Government mandates can be something of a challenge, but DoD officials recently pointed out that this one is firmly rooted in national security. The inherent problem has been that large military contractors simply roll the cost into bids and never truly incur a loss. Subcontractors, on the other hand, wrestle with managed IT cybersecurity costs, and some have not met the previous standard, the DFARS 252.204-7012 requirement to self-attest to NIST SP 800-171.
The government’s willingness to reimburse expenses is a prime opportunity for those lagging behind to unburden themselves of portions of the cost by bringing in a third-party cybersecurity specialist to assess, remediate, and secure CMMC compliance. The first step to meeting the new standards, getting certified, and maximizing your reimbursement starts with scheduling a CMMC consultation.