Estimating the Cost of NIST SP 800-171

The government recently released a new federal acquisition regulation that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171, even though it is derived directly from SP 800-53. In this episode we use our knowledge of SP 800-53 to do the impossible and estimate the cost of SP 800-171 using the government's own numbers.

Episode Links:

Chapters:
(0:00 – 1:35): Housekeeping
(1:36 – 6:53): Federal vs Nonfederal Information Systems
(6:54 – 8:45): FIPS 199 Categorization vs NIST SP 800-53
(8:46 – 14:42): Cost Estimate Caveats
(14:42 – 16:45): Cost estimates for SP 800-53 & FedRAMP
(16:46 – 18:15): Overlooking Small Contractors
(18:16 – 21:35): DoD has avoided estimates for SP 800-171 for years
(21:35 – 25:50): CMMC costs vs SP 800-171 costs
(25:51 – 32:50): Deriving SP 800-171 estimates from SP 800-53 estimates
(32:51 – 34:06): SP 800-171r2 considerations
(34:07 – 36:16): Cost vs SMB conundrum
(36:17 – 41:26): SP 800-171B estimates

#cmmc #nist #dfars #dod #dib #cybersecurity
Comments

Not "rants" - you're mirroring what many of us are thinking - and that is encouraging as we move forward - lol

mikekrawczyk

Attackers first gained access to the SolarWinds systems in September 2019. The attack was not publicly disclosed until December 2020. This is not a criticism, just a timeline correction for your backstory.

Ramr

The other side of the coin is all the money that was estimated was in labor hours. The other big factor is the software licensing costs for all of the automated monitoring and Fed-Ramp\DFARS\ITAR US person rules.

ClayinSWVA

Where, specifically, are the cost estimates documented? The real numbers are more staggering when you consider the costs associated with day-to-day operations on top of the costs associated with each product/service and SSP.

jodygreene