Reflecting recognition of the critical nature of cybersecurity concerns and precautions, the US Department of Defense (“DoD”) has announced that certain cybersecurity protection measures may qualify as costs that defense contractors may claim in contracts.

On 3 June 2019 at the Professional Services Council’s Federal Acquisition Conference, Katie Arrington, Special Assistant to the Assistant DoD Secretary for Acquisition for Cyber, stated succinctly: “Security is an allowable cost.” She pointed to recent DoD directives that cite the need for “risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve [DoD’s] goal of cost, schedule and performance, as they are only effective in a secure environment.” The DoD is working with Johns Hopkins University’s Applied Physics Laboratory and Carnegie Mellon University’s Software Engineering Institute to review and combine various cybersecurity standards into one unified standard for cybersecurity: the Cybersecurity Maturity Model Certification (“CMMC”). Defense contractors would have opportunities for input, including during a dozen collaborative sessions around the country in July/August 2019, and a CMMC plan is anticipated by January 2020. The terms of the plan, and its potential adoption (in the same or a similar form) by other US government entities, will be worthy of further review.

Joseph Falcone
Partner, New York
+1 917 542 7816

Lawrence Savell
Professional Support Lawyer, New York
+1 917 542 7805