DFARS Cybersecurity Costs are Allowable, So What?

Recently, there has been much discussion around comments made by Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD.  She made the following statement before a roomful of vendors at the PSC meeting in Arlington, VA.

“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right? Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”

I wasn’t in attendance, but this quote has been widely circulated by Federal News Radio and other sources.  I wish I had been there because my response would have been, “Why would you think that it was ever an unallowable cost?” 

It’s clear that the cost of cybersecurity is a cost of doing business, specifically with the U.S. Government, and from a review of FAR 31.205, there is no prohibition on the allowability of cybersecurity costs.  The better question is: can the cost be charged directly to a single contract and fully recovered?  To that, I think the answer which your contracting officer (and likely DCAA) will provide is that the cost provides a benefit to multiple final cost objectives (contracts), and as a result, should be recovered via an indirect allocation for any contractor who has more than one government contract with the DFARS cybersecurity requirement(s).

What that means, in practical terms, is that depending on your indirect rate structure, the likely place is either G&A, overhead, or maybe even a new service center.  The right place, from a cost recovery perspective, will depend on your specific contract mix and is something that you should have been considering long before now.  Companies that we work with have been spending money on cybersecurity preparation and compliance for several years as the new rules and guidance in this area have taken effect.

This business system area is in no way different to the “costs of compliance” attributed to the other six DFARS business systems, in which companies often spend hundreds of thousands of dollars on internal/external resources and software in the process of achieving and maintaining compliance.  While it would be great to get all the “costs of compliance” recovered against a single contract or even funded by the DOD, the prospect of doing so won’t be a reality for most government contractors (unless you have a single contract with the requirement). 

I applaud Ms. Arrington for recognizing that this is an allowable (and significant) cost of compliance for all defense contractors, but particularly small businesses.  So many times, the guidance from the government is just comply, with no recognition of that cost of compliance.  I would love to hear that companies who propose additional or higher overhead or G&A rates as a result of their efforts to maintain compliance will be rewarded and not penalized when competing against peers who aren’t quite up the ladder yet on their compliance in all business system areas.  To date, though, I haven’t seen any proposals that recognize these efforts in terms of proposal evaluation.  For the most part, it’s simply a “1” or “0” evaluation with no substantive test of a contractor’s actual level of compliance in this or any other business system area.  CMMC will hopefully change that approach going forward, but it’s still several years away, most likely.  I wonder if DOD would consider providing funding sources for contractors to go towards obtaining and maintaining the internal/external resources needed for compliance? 

Absent funding or a very unique contract mix, there are some alternative strategies to maximize the cost recovery associated with compliance for businesses of all sizes, particularly in cost accounting environments with a mix of government and commercial work.  We work with contractors throughout the U.S. and internationally to develop strategies for implementation of business system requirements, indirect rate strategies and proposal compliance strategies that ensure maximum cost recovery for the business.  Let us know if we can help. From customized training to consulting, the Redstone team can help you develop strategies to master the balance of compliance and cybersecurity while maintaining a level of cost recovery. For a more hands-on approach, consider the Redstone Success Program, in which we establish a continual relationship with your organization, affording all team members access to Redstone experts, no matter their department.

Written by Asa Gilliland

Asa is the President & Director of Redstone Government Consulting, Inc. and provides contract compliance services to small and large companies contracting with the U.S. Government. Asa has assisted contractors all over the U.S., as well as worked with clients in Europe, Australia and the Middle East and specializes in DCAA audit compliance and accounting information systems. He frequently serves as a compliance resource to 8(a), HUBZone, SDVOSB, tribally-owned and other small business designation clients and has served as the technical lead in proposal cost-volume preparation, responses to DCAA audit issues and crafting of corrective action plans in response to government issues, and development of complex cost accounting structures. Asa also serves as the compliance lead and project manager for Deltek Costpoint™ and GCS™, where he provides critical oversight and management to ensure that Costpoint services provided to our government contractor clients are conducted in a manner to ensure compliance with relevant regulation. His role as a compliance project manager has also included the technical design lead for the implementation of other accounting systems designed from the ground up to provide compliance with all relevant aspects of the DCAA pre and post-award accounting system audits.

Education: Mr. Gilliland has a Master of Business Administration from the University of Alabama-Huntsville along with a BSBA in Accounting from the University of Alabama-Huntsville.
