
Creating a Budget Plan for NIST 800-171 Compliance

Using a discovery and mapping process to gain a better understanding of project scope.

As we’ve discussed previously on our blog, putting a specific dollar amount on a NIST compliance project can be difficult. While many businesses need a reliable budget figure to make decisions about the value of NIST compliance for their business, delivering a meaningful budget range can be a challenge.

For instance, we’ve built entire environments for $20–30K. However, those systems did not need to support a large number of users or third-party software. For larger companies, the hardware footprint, ERP licensing, and user count contribute significantly to the overall project cost. For these businesses, project costs (including hardware, software, licensing, and labor) can range from $150K–900K.

Obviously, that’s a huge range. The good news is that any adjustments to the scope of systems, data, people, and processes involved in handling CUI can pay huge dividends for system cost. This is why we begin projects with a discovery and mapping process. The results of our DFARS/CUI discovery and mapping exercises allow us to make scoping adjustments that can significantly reduce project cost.

What do the DFARS/CUI discovery and mapping exercises assess?

Our DFARS/CUI discovery and mapping exercises provide a more accurate picture of the scope of a NIST compliance project. The results of these exercises are twofold: DFARS mapping reveals the number of man-hours needed to bring operations into compliance, while CUI mapping allows us to identify the sheer number of systems involved in handling controlled data. Both of these factors can have a profound effect on overall compliance costs.

For example, an organization with dozens of subcontractors who need to be managed under paragraph (m) of DFARS clause 252.204-7012 will have a much larger commitment in time and human resources than a contractor who delivers their contract purely in-house. Regarding CUI: an organization whose CUI exists only on a file server and an email server will incur much lower technology costs than an organization that handles CUI using an ERP system, an EDI server, an SFTP server, supply chain management software, and a SharePoint site.

Once we have a better understanding of the scope created by the DFARS clause and CUI considerations, we can deliver budget estimates. Some other key factors affecting compliance costs are:

  • The number of systems and devices requiring encryption at rest
  • The amount of data to be processed by SIEM tools
  • The number of subcontractor systems receiving controlled data
  • The types of business processes that need to be revised
  • The scope of awareness and training efforts, based on work roles
  • The digital forensics and eDiscovery tools needed to limit the scope of data involved in incident reports

An understanding of your current processes can help us make recommendations for how your business could better handle CUI to cut down on compliance costs. For instance, restricting the number of people who need access to CUI can also reduce the number of devices which need to meet compliance standards and limit the number of employees who need to receive awareness training. With so many interlinking costs, even a small reduction in scope can save your budget significant funds.

Do you need help assessing the scope of your compliance initiative?

We can help. Contact us to start the discovery and mapping process.