The government recently released a new federal acquisition regulation that requires NIST SP 800-53 controls for federal information systems operated by contractors. Buried inside that rule are several cost estimates for implementing and maintaining SP 800-53. Meanwhile, the government has never published cost estimates for NIST SP 800-171 even though it is derived directly from SP 800-53. In this episode we use are knowledge of SP 800-53 to do the impossible and estimate SP 800-171 using the government's own numbers.

Episode Links:

LinkedIn Poll: https://www.linkedin.com/posts/jacob-evan-horne_information-hazards-are-one-of-my-favorite-activity-7116107489045004288-BfrM

FAR Rule: https://www.federalregister.gov/documents/2023/10/03/2023-21327/federal-acquisition-regulation-standardizing-cybersecurity-requirements-for-unclassified-federal

Fuzzy Math @ CS2 San Diego (2021): https://www.youtube.com/watch?v=843K3hkLquk

SolarWinds Hack: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

EO 14028: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

DFARS 7012: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.

DFARS 7010: https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services.

FIPS 199: https://csrc.nist.gov/pubs/fips/199/final

SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

SP 800-171: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final

SP 800-171B cost estimate (2019): https://csrc.nist.gov/pubs/sp/800/171/b/ipd