Last Updated on February 25, 2020
The US Department of Defense (DoD) rolled out Version 1 of the Cyber Maturity Model Certification (CMMC) framework and audit program on January 31, 2020. While the need to improve the security posture of the US Defense Industrial Base is undeniable, many DoD contractors—especially smaller firms—are concerned about the cost impacts of upgrading their controls and processes to achieve CMMC compliance.
In the opening episode of Pivot Point Security’s new “The Virtual CISO Podcast” series, we were honored to have as our guest Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber and the DoD’s point person for the CMMC roll-out (link to her interview here). Katie amplified in our conversation what she’s stated consistently on this topic: Yes, security is an allowable cost in this new era of the CMMC.
But what does that really mean? And is it really that simple?
First of all, what is an “allowable cost” in DoD parlance? It’s an expense specified in a contract that is agreed in advance to be billable to the DoD.
As Katie said in our podcast, “Security is an allowable cost—if we value it, we pay for it.” Likewise, on the DoD’s CMMC website FAQ page, it states: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.”
In short, the expenses that suppliers incur to meet the required CMMC level specified in the RFP should be reimbursable, along with associated audit costs.
Katie then went on to say, “One of the core essential missions of the CMMC was it needed to be low-cost enough that a small business could be ingested. So if CMMC Level 1 costs a company more than $3,000, we missed the mark.”
But what about certification to CMMC Level 3 or higher?
This can be “a little tricky,” as Katie put it, because lots of contractors have been self-attesting that they already have the NIST SP 800-171 controls in place. So while the DoD might pay for a 20-something control upgrade to bring a robust, NIST-compliant security posture to CMMC Level 3 compliance, there might be pushback claiming allowable cost for the 110 existing controls that you were responsible for and have already attested to have if you have a DFARS Clause in your current contract.
Another thing Katie reiterated in our conversation is that “We have cost realism.” The DoD has done its homework using real-world audits on the actual costs associated with CMMC compliance, including the cost to ramp up for a CMMC assessment from a NIST 800-171 compliant starting point. That understanding will put parameters around what security costs a contractor can reasonably expect to be reimbursed for.
A question that came up in our podcast conversation was, why pay an auditor to come ensure in-person that an SMB contractor has the 17 Level 1 CMMC controls in place. CMMC Level 1 is “a pretty low bar,” as Katie put it. It covers things like password protection and antivirus protection. Does the risk mitigation of an in-person audit versus a self-report justify the cost of the audit at Level 1?
Here’s the DoD’s logic…
Straight from Katie: “Why do we have an auditor go to your site [to confirm Level 1]? A) It buys down the risk of shell companies being stood up. If you’re going to be a shell you’re going to have to go through an awful lot of pain to have an auditor come to your facility. B) It’s buying down the risk of foreign investment… [in the same way].” Sound logic given the risks and the realities, such as how China hacked an entire fighter jet program out from under the US.
In a recent blog post, I theorized that CMMC certification would cost a midsized supplier with more-or-less a NIST 800-171 complaint security posture about $20,000, much or all of which the DoD would likely offset if you win the contract. Given that cyber warfare unquestionably costs the Defense Industrial Base and the US taxpayer hundreds of billions of dollars per year, there’s a huge amount of ROI in those audits to offset their cost. Never mind strengthening our national defense and potentially saving American lives if our defense technology can be “Delivered Uncompromised.”
As Katie reframed it in our talk, “We can’t afford not to do this.”
Is the DoD’s “allowable cost” promise meant to be about as fair and equitable as it can realistically be? Sounds like it to me. Is it a free lunch for DoD suppliers that are reluctant to invest in security? Maybe not so much…
To get expert guidance now to align your organization with the new competitive reality of CMMC, download our free CMMC Compliance Guide.