A. Introduction and Key Take-Aways -

The Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) program provides a metric for independent third parties to use in assessing and certifying the progress of the approximately 300,000-350,000 contractors and subcontractors in DOD’s supply chain towards adequate cyber safeguarding of confidential information, including controlled unclassified information (CUI), located on their information systems. The CMMC program is intended to supplement, and not supersede, the existing cybersecurity requirements of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), including DFARS clause 252.204-7012, which incorporates the information security standards and controls of NIST SP 800-171. Implementation of CMMC will affect DOD contractors and subcontractors in many ways, but its greatest impacts will be on cost, conflicts and competition. This article examines the impact that CMMC will have on each of these areas. In particular:

- Cost. DOD officials have stated publicly that CMMC costs are allowable, but that statement is too broad for contractors to rely on. To begin with, there is a wide range of costs that could be considered “CMMC costs,” from the fees the contractor pays a third party to assess the maturity level of its information systems to the labor, software, professional and IT investment costs necessary to raise the maturity level of those systems to the desired CMMC level. The allowability of these costs depends on a number of factors, including the nature and amount of the costs, the manner in which the contractor has accounted for them and similar costs in the past, and the method for allocating such costs to government contracts. Furthermore, even if a particular contractor’s CMMC costs are deemed allowable, the contractor may not be able fully to recover those costs due to competitive pressures and other factors.