DOD Allows Cybersecurity Costs as an Allowable Cost

Cybersecurity compliance has become an increasingly trending and important area for government review, especially by the Department of Defense (DoD), placing an emphasis on defense contractors and the government alike in ensuring that sensitive government data residing on nongovernment systems are protected from third party intrusion and disclosure.  Indeed, recent cases in False Claims Act litigation have demonstrated just how serious a contractor’s noncompliance with cybersecurity requirements can be.  For example, in U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., the court, in denying the defendant’s motion to dismiss, allowed a non-intervened qui tam complaint to proceed, where the relator alleged that the defendant’s systemic noncompliance with contractual cybersecurity standards resulted in the submission of false claims that the relator claimed warranted the imposition of treble damages that could far exceed the value of the contracts themselves.  2019 WL 2024595 (E.D. Cal. May 8, 2019).  Notably, the court held that the relator had sufficiently pled violations of the False Claims Act even though, as the defendant argued, the regulations in question had recently been issued, frequently amended, and some agency guidance could reasonably be construed as relaxing any requirements.  Id.

As Aerojet indicates, even though cybersecurity requirements and related standards are an evolving area, which often makes it difficult and costly for contractors to stay abreast of them or to determine the exact requirements needed for compliance, they nevertheless remain critical requirements for contractors.  The DoD has recognized these challenges, noting in public comments made by senior leadership at a June 13, 2019 industry conference that DoD will collaborate with industry to develop a unified standard for cybersecurity that more clearly defines contractor compliance obligations in this important area.  One initiative in this regard is DoD’s forthcoming Cybersecurity Maturity Model Certification (CMMC) program, which the agency hopes to release by January 2020, after substantive consultation with the industrial base this July and August.  Aimed at reconciling the inconsistent cybersecurity practices across most defense contractors, the CMMC plan will define and impose five levels of cybersecurity protection under which contractors must comply with the standards and controls set forth in NIST Special Publication 800-171 for safeguarding sensitive government data residing on nongovernment systems.  The protection levels will range from basic, more straightforward level 1 compliance geared towards small businesses to more complex, state-of-the-art level 5 compliance for larger defense contractors.  The applicable CMMC level that a contractor will need to satisfy will be set forth in DoD solicitations beginning, most likely, in or around mid-2020.

Consistent with this collaborative approach, DoD has stated that costs incurred in connection with cybersecurity implementation and compliance, including those incurred in connection with the CMMC program, are reimbursable for defense contractors under cost-type contracts.  This is very welcome news and guidance for the defense industrial base, as it allows contractors to recover such costs, which can be substantial, as part of contract performance.  Ultimately, this arrangement works in the government’s best interests—it provides incentives for contractors on sensitive contracts, which may more likely be cost based, to spend the money necessary to shore up their systems in order to protect sensitive data from falling into the wrong hands—a goal that is certainly in the public interest.  Stay tuned for developments in this quickly evolving area.

By David Y. Yang