CMMC “allowable cost” discussion and thoughts

As I write this, we are still early in the process for the CMMC.

  • The CMMC introductory Listening Tour just finished.
  • CMMC Draft version 0.6 was released November 7, 2019.
  • At this time, a third party oversight organization for certifiers and auditors has not been chosen yet.

CMMC draft version 0.6 states, “This document includes CMMC Levels 1-3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to CMMC Levels 4-5 will be provided in the next public release.* These higher CMMC levels focus on reducing the risk of advanced persistent threats (APTs) and are intended to protect CUI associated with DoD critical programs and technologies.”

In other words, the CMMC is still absolutely in flux.  That said..

CMMC cybersecurity is an “allowable cost” for DoD contractors?

“The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.”

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

FAQ for CMMC ( https://www.acq.osd.mil/cmmc/faq.html )

This statement about allowable cost is reassuring. However, as someone familiar with the RFP process, I’m not sure how that would work in reality.

Once a contract is awarded, I can certainly see cybersecurity as an overhead cost. Yearly renewals for security licenses, full time cybersecurity engineers, regular penetration testing, audit and certification costs all make sense. These will continue over the life of your contract.

But what about the cost to increase security and obtain CMMC certification before the contract is awarded? During the listening tour I attended, it was stated that an RFP response requires certification at Level X as a “go / no-go” to even qualify.

What if ten companies bid on the contract and your company is not chosen? You still had to certify your network against CMMC. How can you translate that into an allowable cost?

The cost of CMMC (and all cybersecurity) compliance

The initial cost of cybersecurity compliance is high. Just writing policies and gathering proof of compliance will take probably be 300-600 hours for existing networks at Level 3. (This is a ballpark estimate from my experience, please comment with your thoughts.) Depending on the complexity of your network, engineering, testing, and applying secure configurations will take much longer. Bringing existing systems up to the required level of security can easily take 1,000 – 2,000 consultant hours.

For example, it could take 100 hours for your Linux administrator to fully secure a single Red Hat database server. Then repeat for your web server, your file server, your directory services, your desktops, your backup solution… Every time you add a new type of system, you need to review your CMMC requirements against it. For example, even if you secure your database server, if your file server uses the password “password”, you have a problem.

How will CMMC auditors determine the network scope before a contract?

Will CUI data need to be on the network before auditing is performed? That doesn’t seem logical for a company that doesn’t have a contract yet.

Will the focus of the CMMC include all corporate networks? That seems very expensive, especially when the contractor hasn’t won a bid yet. It is also likely to need re-work, since many companies will want to implement a more secure network for DoD contracts.

What about corporate networks used for other contracts and private sector? Are they included in the audit?

Does a company need to show that they are using their evaluated network? Especially when the contract hasn’t been awarded yet?

Next article: What is FCI in the CMMC and how does it affect scope?

I want to hear from you!

I would love to hear your thoughts, and if you’ve heard any clarification about cybersecurity being an allowable cost. Please leave a comment below!

5 thoughts on “CMMC “allowable cost” discussion and thoughts

  1. John Mendes says:

    How does one become an “accredited and independent third party commercial certification organization” to perform the CMMC audits?

    • Amira Armond says:

      (Per the listening tour that I attended a few months back), the intent seemed to be..
      1) The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)) would help stand up a 3rd party CMMC accreditation body, ideally a non-profit organization, that would be in charge of approving new auditors.
      2) Once the non-profit organization is running, they will create the process/requirements for becoming an auditor.
      3) The first wave of auditors are approved and begin certifying organizations against CMMC.

      What has actually happened? Around September/October 2019, OUSD(A&S) released a Request for Information (RFI) HQ0034SS10032019 asking for inputs on defining the CMMC Accreditation Body. If this is like other contract cycles, the next step is to release a Request for Proposal (RFP) and get bids from companies that want to perform the work. We will have to wait for the RFP or more word from OUSD(A&S) to know for sure.

      Here is the updates page from OUSD(A&S): https://www.acq.osd.mil/cmmc/updates.html

Leave a Reply

Your email address will not be published. Required fields are marked *