Last week, DOD announced the release of CMMC Version 1.0, a comprehensive certification process featuring 171 cybersecurity best practices to ensure that contractors secure their information systems. The question on everyone’s mind is who is going to pay for the certification and all of the work necessary to comply.
DOD has been less than clear on how contractors are expected to pay for CMMC certification. But what is clear is that the costs associated with obtaining CMMC certification will be significant. It is unclear whether contractors can seek reimbursement for these costs. They may be able to claim costs as an allowable indirect cost. We suspect that the cost of certification itself will be covered, but that the greater costs associated with becoming compliant will not be covered as a reimbursable direct cost.
Continue reading at: Fox Rothschild