We’re often asked how to treat Cybersecurity Maturity Model Certification (CMMC) compliance costs. More accurately, we’re often asked “Can we treat CMMC as a direct cost?”

Our answer: No, probably not.

To be clear, we’re talking about your organization’s costs to achieve and maintain CMMC compliance. If you sell CMMC products or services, those would absolutely be direct costs.

Let’s have a quick refresher on direct versus indirect costs.

Direct costs are those incurred directly for a specific project or contract and can be easily traced or assigned to that work effort. Buying custom materials for a specific project is direct because they were purchased for use on that project. Direct expenses are for those items or services that are a deliverable on the contract (e.g., they are clearly and easily attributable to a specific contract line-item number (CLIN)).

Indirect costs are those that benefit two or more projects or contracts where the benefiting projects are not easily identified, equitable costs cannot be assigned to the projects, or the cost of doing so is not worth the benefit. Indirect costs are accumulated in a pool and allocated over a base such that all benefiting projects or contracts receive their fair share of the costs.

CAS 402, “Consistency in Allocating Costs Incurred for the Same Purpose,” states that costs incurred for the same purpose in like circumstances must be treated consistently as either direct or indirect. Said another way, once a cost is determined to be either direct or indirect, it remains that way. Note that companies can change the treatment of a cost, but the change must be applied across the board; the company cannot waffle on treatment from year to year.

From a billing and claimed-cost perspective, a cost must be proposed as direct to be claimed as direct. As we recently discussed with one client, changing the treatment of a cost raises eyebrows and can lead to some very difficult conversations. Changing the treatment of a cost mid-contract can be difficult and might lead to unintended financial impacts on the contract, and changing it on the next proposal may lead to additional questions during evaluations and negotiations. Be assured, changing the treatment of a cost will always lead to questions from DCAA or other government accounting auditors.

How would you answer the following questions from DCAA or your customer?

  • What is your reasoning or proof that they are a direct cost? Is CMMC compliance a clearly defined deliverable of the contract?
  • You include IT expenses in G&A (or overhead); how are CMMC expenses different from other IT expenses?
  • What is your causal-beneficial relationship for allocating them differently? How are some contracts benefiting from your CMMC expenses differently than from your other IT expenses?
  • How is CMMC compliance (a clause in the terms and conditions of the contract) different from the industrial security, professional liability insurance, or purchasing system compliance clauses?

CMMC compliance benefits all of your customers, projects, and contracts. While it may currently be a requirement only of your DoD contracts (and it is quickly expanding to other agencies and the FAR as a whole), you and all of your clients benefit from enhanced security.