CMMC “allowable cost” discussion and thoughts

*Updated August 13, 2020*

CMMC cybersecurity is an “allowable cost” for DoD contractors?

“The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.”

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

FAQ for CMMC ( https://www.acq.osd.mil/cmmc/faq.html )

This statement about allowable cost is reassuring. However, as someone familiar with the RFP process, I’m not sure how that would work in reality.

Cybersecurity during contract performance

Once a contract is awarded, I can certainly see cybersecurity as an overhead cost. Yearly renewals for security licenses, full time cybersecurity engineers, regular penetration testing, audit and certification costs all make sense. These will continue over the life of your contract.

I would expect to see defense contractors leaning more toward subscription models of computing, since these charges would occur primarily during the contract and be more justifiable as a cost. It will be difficult to justify costs for upgrades and security before a contract starts.

Is preparing for CMMC an allowable cost?

But what about the cost to increase security and obtain CMMC certification before the contract is awarded? During the listening tour I attended, it was stated that an RFP response requires certification at Level X as a “go / no-go” to even qualify.

What if ten companies bid on the contract and your company is not chosen? You still had to certify your network against CMMC. How can you translate that into an allowable cost?

What if you aren’t lowest price anymore?

If you implement more cybersecurity than the minimum required by the contract, your costs will be higher than your competitors. This is a problem because you have to win the contract or the renewal in order to charge it back to the government.

The cost of CMMC (and all cybersecurity) compliance

The initial cost of cybersecurity compliance is high. Just writing policies and gathering proof of compliance will take 300-600 hours for existing networks at Level 3. (This is a ballpark estimate from my experience, please comment with your thoughts.) Depending on the complexity of your network, engineering, testing, and applying secure configurations will take much longer. Bringing existing systems up to the required level of security can easily take 1,000 – 2,000 consultant hours.

For example, it could take 100 hours for your Linux administrator to fully secure a single Red Hat database server. Then repeat for your web server, your file server, your directory services, your desktops, your backup solution… Every time you add a new type of system, you need to review your CMMC requirements against it. For example, even if you secure your database server fully, if your file server has a weak password policy, you have a problem.

How will CMMC auditors determine the network scope before a contract?

Option 1: “Secure” enclave

Let’s imagine a company that wants to bid on a CMMC Level 3 contract. The company doesn’t currently have any Level 3 contracts, so they set up a “secure enclave” with one server and one PC to get audited at level 3.

Will CUI data need to be on the network before auditing is performed? That doesn’t seem logical for a company that doesn’t have a contract yet.

How would the company show that they are operating with mature processes, if they aren’t using the network yet?

Does a company need to show that they are using their evaluated network? Especially when the contract hasn’t been awarded yet?

Option 2: Audit the entire corporate network

Will the focus of the CMMC include all corporate networks? This could be a total show stopper for large multi-national corporations. We might see a wave of decentralization where rather than a central IT department, each building or unit has its own zero-trust network.

For wanna-be contractors that haven’t won a bid yet, it would be very expensive to secure and audit their entire network at level 2+ when they don’t know if they will win a bid.

What about corporate networks used for other contracts and private sector? Are they included in the audit?

What to do?

These questions still exist even in August 2020.

I don’t have answers to these questions. The DoD will need to provide more guidance.

The best advice I have for new companies (that don’t have contracts yet) is to concentrate on CMMC level 1 first and win a few contracts at that level before investing more in security. As you try to reach higher levels of CMMC compliance, the costs increase dramatically.

Please comment with your thoughts, or if you’ve heard any answers to these questions!

Next article: How to prepare for CMMC Level 1

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

I want to hear from you!

I would love to hear your thoughts, and if you’ve heard any clarification about cybersecurity being an allowable cost. Please leave a comment below!