Reflecting recognition of the critical nature of cybersecurity concerns and precautions, the US Department of Defense ("DoD") has announced that certain cybersecurity protection measures may qualify as costs that defense contractors may claim in contracts.
On 3 June 2019 at the Professional Services Council's Federal Acquisition Conference, Katie Arrington, Special Assistant to the Assistant DoD Secretary for Acquisition for Cyber, stated succinctly: "Security is an allowable cost." She pointed to recent DoD directives that cite the need for "risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve [DoD's] goal of cost, schedule and performance, as they are only effective in a secure environment."
The DoD is working with Johns Hopkins University's Applied Physics Laboratory and Carnegie Mellon University's Software Engineering Institute to review and combine various cybersecurity standards into one unified standard for cybersecurity, the Cybersecurity Maturity Model Certification ("CMMC"). Defense contractors would have opportunities for input, including during a dozen collaborative sessions around the country in July/August 2019, and a CMMC plan is anticipated by January 2020. The terms of the plan, and its potential adoption (in the same or a similar form) by other US government entities, will be worthy of further review.