Are costs incurred due to a cyber incident considered allowable under CAS?
The following response is based solely on the question and background information provided. As we do not have all the facts particular to your situation, we highly recommend you consult, as applicable, your contracting officer and/or Legal Office for further guidance.
Open full Question Details
The quick response is YES. The question is, "HOW?"
Since we do not have the details of your situation, we must use the scenario as stated, i.e. "a cyber incident". The implication is that an unplanned event such as a hack or some other breach occurred. Whether it is directly chargeable or should be captured as indirect costs must be tied to the nature of the incident, the terms and conditions of the contract, and the method of accounting used by the company including its disclosure statement if one exists. If we assume this incident occurred in whole or in part because of the contract, it would likely be reasonably assumed to be a direct charge. IF this company happened to be a random target or the incident does not appear to be related to the contract in question, then the charges would seem to be more appropriately characterized as indirect charges.
You will need to address your decision to the specific facts of your contract and program.