Originally posted on https://www.marketwatch.com/press-release/dod-contractors-to-be-reimbursed-for-cmmc-cybersecurity-compliance-2019-09-15

Sep 15, 2019 (Investing Alerts) — Over the last several years, U.S. private defense contractors who supply products and services to the Department of Defense (DoD) have been racing to implement cybersecurity standards (specifically NIST SP 800-171) in their IT systems to comply with the Defense Federal Acquisition Regulation Supplement, also known as DFARS.

However, many contractors have struggled to implement the standards due to a lack of resources or the costs involved. Large contractors with the necessary internal resources have been able to achieve compliance themselves, while others have outsourced the work to cybersecurity companies specializing in NIST SP 800-171. This all comes at a cost, however, and even with third-party assistance available, many contractors have failed to implement the required security standards.

With continued pressure from the White House to guarantee the protection of the U.S. defense supply chain from foreign and domestic cyber threats, the DoD is taking steps to ensure 100% cybersecurity adoption and has announced that these costs will be reimbursable under the Cybersecurity Maturity Model Certification (CMMC). The CMMC, which is still in development, is being described as the new “verification component” of DFARS. According to the CMMC website, “the cost of [CMMC] certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The required CMMC level will be stated in sections L and M of the Request for Proposals (RFP). This means that DoD contractors will now be able to obtain reimbursement for CMMC compliance services as well as for the remediation work needed to meet the level of cybersecurity controls specified in each contract.

This announcement comes as welcome news for DoD contractors, who have been very concerned about retaining business with the Department of Defense. After all, for many companies, DoD contracts make up a substantial part of their business.

More information about the CMMC can be found at the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification website.

Sources:

https://www.acq.osd.mil/cmmc/index.html

https://www.sysarc.com/services/managed-security-services/cybersecurity-maturity-model-certification-cmmc-guide-for-dod-contractors/

https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf