The government recently released a new federal acquisition regulation that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171, even though it is derived directly from SP 800-53. In this episode we use our knowledge of SP 800-53 to do the impossible and estimate the cost of SP 800-171 using the government's own numbers.
Episode Links:
LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_information-hazards-are-one-of-my-favorite-activity-7116107489045004288-BfrM
FAR Rule: https://www.federalregister.gov/documents/2023/10/03/2023-21327/federal-acquisition-regulation-standardizing-cybersecurity-requirements-for-unclassified-federal
Fuzzy Math @ CS2 San Diego (2021): https://www.youtube.com/watch?v=843K3hkLquk
SolarWinds Hack: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
EO 14028: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
DFARS 7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting
DFARS 7010: https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services
FIPS 199: https://csrc.nist.gov/pubs/fips/199/final
SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
SP 800-171B cost estimate (2019): https://csrc.nist.gov/pubs/sp/800/171/b/ipd