Recently, there has been much discussion around comments made by Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD. She made the following statement before a roomful of vendors at the PSC meeting in Arlington, VA.
“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment]: security is an allowable cost. Amen, right? Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”
I wasn’t in attendance, but this quote has been widely circulated by Federal News Radio and other sources. I wish I had been there because my response would have been, “Why would you think that it was ever an unallowable cost?”
It’s clear that the cost of cybersecurity is a cost of doing business, specifically of doing business with the U.S. Government, and a review of FAR 31.205 shows no prohibition on the allowability of cybersecurity costs. The better question is: can the cost be charged directly to a single contract and fully recovered? To that, I think the answer your contracting officer (and likely DCAA) will give is that the cost benefits multiple final cost objectives (contracts) and, as a result, should be recovered through an indirect allocation for any contractor who has more than one government contract carrying the DFARS cybersecurity requirement(s).
What that means, in practical terms, is that depending on your indirect rate structure, the likely place is either G&A, overhead, or maybe even a new service center. The right place, from a cost recovery perspective, will depend on your specific contract mix and is something that you should have been considering long before now. Companies that we work with have been spending money on cybersecurity preparation and compliance for several years as the new rules and guidance in this area have taken effect.
This business system area is no different from the “costs of compliance” attributed to the other six DFARS business systems, for which companies often spend hundreds of thousands of dollars on internal/external resources and software in the process of achieving and maintaining compliance. While it would be great to recover all the “costs of compliance” against a single contract, or even have them funded by the DOD, that won’t be a reality for most government contractors (unless you have a single contract with the requirement).
I applaud Ms. Arrington for recognizing that this is an allowable (and significant) cost of compliance for all defense contractors, but particularly small businesses. So many times, the guidance from the government is just comply, with no recognition of that cost of compliance. I would love to hear that companies who propose additional or higher overhead or G&A rates as a result of their efforts to maintain compliance will be rewarded and not penalized when competing against peers who aren’t quite up the ladder yet on their compliance in all business system areas. To date, though, I haven’t seen any proposals that recognize these efforts in terms of proposal evaluation. For the most part, it’s simply a “1” or “0” evaluation with no substantive test of a contractor’s actual level of compliance in this or any other business system area. CMMC will hopefully change that approach going forward, but it’s still several years away, most likely. I wonder if DOD would consider providing funding sources for contractors to go towards obtaining and maintaining the internal/external resources needed for compliance?
Absent funding or a very unusual contract mix, there are alternative strategies to maximize the cost recovery associated with compliance for businesses of all sizes, particularly in cost accounting environments with a mix of government and commercial work. We work with contractors throughout the U.S. and internationally to develop strategies for implementing business system requirements, indirect rate strategies and proposal compliance strategies that ensure maximum cost recovery for the business. Let us know if we can help—from customized training to consulting, the Redstone team can help you develop strategies to balance compliance and cybersecurity while maintaining a level of cost recovery. For a more hands-on approach, consider the Redstone Success Program, in which we establish a continual relationship with your organization, affording all team members access to Redstone experts, no matter their department.