How (Best) To Recover the Cost of Cybersecurity: Guest Blog from RKI Accounting

Guest Blog by Ryan M. Koenitzer, CPA from RKI Accounting

When I was a kid I had an option. To eat my broccoli or not to eat my broccoli. If I chose not to then there was no Entenmann's coffee cake for dessert (we didn't grow up with much money, so boxed baked goods were top of the line). In USG compliance, you are offered similar, but more consequential, options. To comply or not to comply. The DFARS cybersecurity rules have put December 2017 squarely on the map as the date after which there will not be any dessert if you don't eat your broccoli, and contractors across the country are all scrambling to assess those options. However, one option that might not get as much attention as the cybersecurity rule itself is how to optimize, compliantly, the recovery of the cost of the investment the rule requires.

Accounting for the cost of cybersecurity can be quite simple: "I put all the costs into G&A." Great, there's probably nothing non-compliant about that, but it raises the question: was there a more optimal, equally compliant strategy available?

U.S. Government cost accounting rules provide options for how we bid, book, and bill our costs to U.S. Government contracts. Those options live within regulatory boundaries, but they offer a variety of ways to compliantly recover costs. The cybersecurity rules present some unique questions that every contractor should ask:

  • Are these costs a direct cost to my contract?
  • Are these costs allocable to my commercial contracts?
  • Should I create a federal segment and a commercial segment?
  • Are these costs best recovered in G&A or OH?
  • Can any of these costs be capitalized as a part of my IT infrastructure investment?
  • Are these costs allowable?
  • Are my cybersecurity costs related to a proceeding or investigation initiated by the USG?

Cybersecurity costs, for the most part, are a new cost for USG contractors, at least on this scale. They were not historically a significant element of cost in IT budgets. That brings opportunity under the USG rules, specifically the Cost Accounting Standards (CAS), under which the initial adoption of an accounting practice for a newly incurred cost is not considered a change in cost accounting practice. That is significant because a change in cost accounting practice requires a CAS-covered contractor to prepare a cost impact analysis for any resulting change in cost allocation. But for a new cost accounting practice, such as the one adopted when a new category of cost is first incurred, it can be a blank slate. These considerations call for careful and informed interpretation based on how an organization stands up its cybersecurity program, but the key is: there are options.

Over the course of the past two years we have seen contractors faced with a variety of challenges in designing a cybersecurity program that complies with the new rules. In many cases this has been a directive from the Board to the Chief Information Officer (CIO) to do "whatever it takes" to get compliant. Contractors who understand their USG customer best also directed the CFO to ensure these costs were considered in forward pricing in a compliant and optimal manner.

It's been said that "the only thing worse than doing business with the U.S. Government is not doing business with the U.S. Government." We're reminded of this adage when new rules of this magnitude arise, particularly when no specific enforcement mechanism is defined. Not eating broccoli was easy to equate to no dessert, but if your parents didn't define the consequences, they were interpreted as infinite. The cybersecurity rule and its lack of a defined enforcement mechanism remind me of those days, because nobody doubts that the USG closet is already chock-full of enforcement mechanisms, including false claims liability, debarment and similar news stories sure to get a Board's attention. The investment in cybersecurity is a required cost of doing business, and that cost has USG cost and pricing considerations. Be sure that you're considering all options for how you comply with the mandatory requirements, but also that you ask all the right questions for compliant and optimal cost recovery. If you think it through, you might just protect your bottom line, in addition to that covered defense information.

About RKI

Ryan Koenitzer, CPA, leads RKI Accounting, a niche accounting and consulting firm dedicated exclusively to the accounting and compliance needs of U.S. Government contractors. Mr. Koenitzer has over 15 years' experience in government contract cost accounting, pricing, interpretation and application of federal contract regulatory compliance requirements including the Federal Acquisition Regulation (FAR) and Cost Accounting Standards (CAS), USG business system design and implementation, and internal audit services. He advises clients on a wide range of financial and compliance risks and other regulatory requirements related to U.S. Government contracts. He has served clients in the aerospace and defense, architectural and engineering, construction, manufacturing, energy, transportation and technology industries across various Government agencies (e.g., DoD, DOE, etc.). In addition, Mr. Koenitzer is a regular trainer for Federal Publications Seminars and the National Contract Management Association (NCMA) on U.S. Government contract matters.

Prior to founding RKI, Mr. Koenitzer worked with KPMG, Navigant Consulting, and Baker Tilly in their risk advisory groups, specializing in services benefiting U.S. Government contractors.