Last week, DOD announced the release of CMMC Version 1.0. CMMC Version 1.0 is a comprehensive certification process featuring 171 cybersecurity best practices to ensure that contractors secure their information systems. The question on everyone’s mind is who is going to pay for the certification and all of the work necessary to comply.
DOD has been less than clear on how contractors are expected to pay for CMMC certification. But what is clear is that the costs associated with obtaining CMMC certification will be significant. It is unclear whether contractors can seek reimbursement for these costs. They may be able to claim costs as an allowable indirect cost. We suspect that the cost of certification itself will be covered, but that the greater costs associated with becoming compliant will not be covered as a reimbursable direct cost. In response to comments regarding DFARS 252.204-7012 in 2013, DOD stated that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 certification should be an allowable cost.
More recently, has claimed that costs associated with CMMC “will not be prohibitive,” but it seems that DOD has yet to work out all the kinks on what exactly that means. For one, not all contractors will need to meet the same level certification. DOD has emphasized that prime contractors will be expected to achieve a higher level of certification than smaller subcontractors. This will cut down on costs for subcontractors. SBA may also assist small businesses with the cost of certification, but has not given any specifics on how they intend to do so.
In a press conference following the release of CMMC, DOD officials stated they are working with large DOD prime contractors to address costs. It’s too early to tell whether these conversations result in solutions on keeping costs down. In the meantime, it appears that contractors will bear the large majority of costs associated with achieving CMMC certification.