Who Pays For CMMC Certification?

Fox Rothschild LLP

Fox Rothschild LLPLast week, DOD announced the release of CMMC Version 1.0. CMMC Version 1.0 is a comprehensive certification process featuring 171 cybersecurity best practices to ensure that contractors secure their information systems. The question on everyone’s mind is who is going to pay for the certification and all of the work necessary to comply.

DOD has been less than clear on how contractors are expected to pay for CMMC certification. But what is clear is that the costs associated with obtaining CMMC certification will be significant. It is unclear whether contractors can seek reimbursement for these costs. They may be able to claim costs as an allowable indirect cost. We suspect that the cost of certification itself will be covered, but that the greater costs associated with becoming compliant will not be covered as a reimbursable direct cost. In response to comments regarding DFARS 252.204-7012 in 2013, DOD stated that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 certification should be an allowable cost.

More recently, has claimed that costs associated with CMMC “will not be prohibitive,” but it seems that DOD has yet to work out all the kinks on what exactly that means. For one, not all contractors will need to meet the same level certification. DOD has emphasized that prime contractors will be expected to achieve a higher level of certification than smaller subcontractors. This will cut down on costs for subcontractors. SBA may also assist small businesses with the cost of certification, but has not given any specifics on how they intend to do so.

In a press conference following the release of CMMC, DOD officials stated they are working with large DOD prime contractors to address costs. It’s too early to tell whether these conversations result in solutions on keeping costs down. In the meantime, it appears that contractors will bear the large majority of costs associated with achieving CMMC certification.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.