The Pitfalls of Factoring in Security and CMMC Costs
The need to elevate security as a primary metric in Defense Department acquisitions — along with cost, schedule and performance — will invariably require that the government’s perspectives on procurement costs be recalibrated.
It is a certain truth that enhancing security for contractor networks and systems and incorporating security into development and operations, will increase costs for contractors performing on defense contracts.
The requirements, including Defense Federal Acquisition Regulation Supplement clauses 252.204-7012 and 252.204-7021, have already resulted in increased costs for contractors. The former requires the safeguarding of Covered Defense Information through the application of the security requirements set forth in Special Publication 800-171 of the National Institute of Standards and Technology, while the latter sets forth the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) requirements.
Costs to address the requirements are expected to grow as cybersecurity threats increase and organizations are forced to continually evaluate and remediate identified vulnerabilities, as well as demonstrate compliance with evolving standards.
Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment and the driving force behind the CMMC program, has publicly stated that “security is an allowable cost.” But such assurance does little to assist contractors in understanding how the department expects the costs to be accounted for.
To date, specific guidance related to the requirements has not been issued by the Defense Contract Audit Agency, though it can be expected that they will scrutinize any cyber-related cost increases being passed onto the government. Prior experience has made contractors all too aware of the risks of making assumptions on the appropriate methods for accumulating and allocating costs under cost-reimbursable contracts.
Given current circumstances, contractors should be aware of and consider existing regulations, including the Cost Accounting Standards and the Federal Acquisition Regulation Cost Principles, as well as legal precedent that may guide them in the absence of further guidance from the government.
To conform with contract requirements, vendors are incurring additional costs to enhance cybersecurity capabilities and architect secure enclaves, whether on premise or in the cloud. While certain costs will be non-recurring, such as hardware upgrades and related engineering, other costs will be incurred on an ongoing basis.
The costs of procuring equipment, maintaining security assessment and continuous monitoring programs, salaries of security personnel, fees of managed security service providers, and renewals of security software licenses and subscriptions, should generally be considered as allowable for reimbursement under FAR Part 31 and the associated cost principles. However, much less clear is how contractors should allocate these costs to their contracts for recovery.
What criteria should a contractor consider when determining if costs are directly benefiting a contract, and therefore should be directly charged to a specific contract? And if costs benefit multiple contracts, including commercial work, how should they be allocated to the final cost objectives in accordance with Cost Accounting Standards? Answers to these questions ultimately affect whether the costs will be considered allowable by contracting officers.
As previously stated, the guidance behind the allowability of CMMC program costs has been general and limited. Regarding cost allocation, in an interview with Federal Computer Week, Stacy Bostjanick, CMMC director of policy in the office of the undersecretary of defense for acquisition and sustainment, stated: “Up to [CMMC] Level 3 will be included in your indirect rates. So, you don’t get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business.”
She continued that Levels 4 and 5, which are more complex and expensive to implement, may likely be a direct charge to the contract. As it stands, contractors will be forced to make decisions that could impact their profitability and competitiveness when submitting bids for defense contracts.
Costs related to information technology and cybersecurity are fundamental to business operations. Though accounting treatment may differ depending on organizational structure, contractors must adhere to generally accepted accounting principles as well as the FAR and Cost Accounting Standards where applicable. Many contractors chose to utilize an IT service center to centrally collect most service costs, including cybersecurity. Likewise, contractors may use a home office residual pool to allocate the costs across the business. Other contractors will allocate IT and cybersecurity costs to a specific segment. Lastly, while not common, it is also possible that costs can be charged directly to a contract as an “other direct cost” if the costs were incurred for the benefit of a specific contract.
Cost Accounting Standards 403 provides the criteria for allocating home office expenses to the segments of an organization on the basis of the beneficial or causal relationship between the supporting and receiving activities. Per the guidance, expenses shall be grouped into logical and homogeneous expense pools and allocated as an indirect cost across all segments based on the service furnished to or received by each segment. This prevents double counting of IT/cybersecurity expenses.
In cases where IT/cybersecurity costs are centralized and not performed by the segments, CAS 403 further states that centralized service functions shall be allocated on the basis of the service furnished to or received by each segment. This is frequently done through an IT service center or home office pool where costs are allocated based on a customized algorithm.
Though removed from recent versions, the DCAA Contract Audit Manual Section 7-000 previously included guidance related to “computer cost allocation,” which provides a conceptual basis for IT and cybersecurity cost treatment when an algorithmic model is used.
Modern cybersecurity costs could be viewed in a similar manner, and any algorithm used to allocate costs could be based on IT and cybersecurity allocation bases including, but not limited to, the number of end points monitored, number of software licenses, amount and source of network traffic, number of incident response tickets, etc. The greater the variation in types of application or services provided, the greater the need for a more complex algorithm.
If the IT and cybersecurity costs can be allocated to the segment level, CAS 410 and CAS 418 provide further guidance. CAS 410 provides the criteria for the allocation of business unit general and administrative expenses to business unit final cost objectives. CAS 410-40(a) requires that such expenses of a business unit be grouped in a separate indirect expense pool and allocated only to final cost objectives.
The allocation base for general and administrative expenses must include all significant elements of cost input that represent the total activity of the business unit. Per CAS 410-50(d), the allocation base must be either total cost input, value-added cost input, or single element cost input. The determination of which allocation base best represents total activity of a business unit is determined on the basis of the circumstances of the segment or contracts.
Lastly, CAS 418 provides the criteria for consistent determination of direct and indirect costs as well as the criteria for the accumulation of indirect costs, including service center and overhead costs, in indirect cost pools. It also includes guidance relating to the selection of allocation measures based on the beneficial or causal relationship between an indirect cost pool and cost objectives. Notably, a business unit must have written policies classifying costs as direct or indirect and the policies must conform to the requirements laid out further in CAS 418.
A related cause for concern among contractors is that it is not clear that the Defense Department understands the true costs associated with its cybersecurity requirements. While the Interim Rule DFARS case 2019-D041 attempted to quantify costs associated with a small company receiving a CMMC certification, it posited that contractors are already performing and accounting for the 110 controls under NIST SP 800-171 and excluded costs associated with those controls from their calculations. (See figure 1)
Preliminary estimates from some larger contractors have placed the costs of complying with the requirements in the millions. Associated with concerns regarding the accuracy of the department’s assumptions, contractors are faced with questions that are fundamental to their ability to appropriately estimate costs for proposal. These questions include: How will cybersecurity related costs be evaluated by DCAA for allowability and reasonableness? Are CMMC assessment preparation costs, which are separate from certification costs, allowable and how should they be recovered if the bid is rejected? How should a contractor address concern that CMMC implementation will affect the company’s cost competitiveness when proposing for fixed-price contracts?
Based on the guidance provided by generally accepted accounting practices and CAS, contractors may choose to treat CMMC related costs in a manner consistent with their current practices. The predicament, however, is that not only will this raise their indirect rates, but auditors are likely to closely examine costs incurred to conform with requirements based on their benefit to the business as a whole versus specific government contracts, and cost reasonableness.
Given the variety of companies that make up the defense industrial base and the unique circumstances of each as they look to comply with the new requirements, auditors may develop creative methods to evaluate the allowability of cybersecurity costs charged to contracts, a prospect that is never comforting to contractors.
There are many challenges to the implementation of a compliant cybersecurity program beyond the collection and allocation of costs. Contractors will have to make decisions regarding developing their internal cybersecurity functions with dedicated staff or outsourcing aspects of the program to third-party providers, utilizing a managed service model or a move to the cloud.
In addition, contractors will have to decide the level of security they wish to adopt, such as CMMC Levels 1, 2, 3, etc. The level of security will impact the costs incurred and the contracts that will bear those costs. To date, many contractors have rightly been focusing on how the cybersecurity requirements impact their business from an IT and information governance standpoint; but in parallel, companies should ensure that their finance, accounting and estimating functions are appropriately considering how the costs of compliance are accounted for and billed to the government for maximum recovery while avoiding the risk of CAS noncompliance.
As for the chosen cost accounting practice to collect and allocate cost to contracts, be prepared to provide justification for the basis of allocation in accordance with CAS that will stand up to scrutiny from auditors and regulators. From a compliance and risk management perspective, contractors should ensure that considerations are incorporated into their existing internal financial control framework. This will require detailed policies and procedures that describe your cost treatment and accounting practices, compliant systems to capture and report costs accurately, and a comprehensive Disclosure Statement for CAS-covered contracts.
Michael Tomaselli (email@example.com) is senior manager and Charles Battad a senior associate at Chess Consulting LLC.