How to control scope (and cost) as your business complies with NIST 800-171.
One of the most pressing concerns for many businesses working to implement NIST 800-171 is the cost of compliance. Upgrading security systems can run anywhere from a few thousand dollars to several hundred thousand, depending on the size and complexity of the business, so it is hard to put a specific dollar figure on what it will take to bring your business up to standard. There are, however, things you can do to control compliance cost and keep it from getting out of hand.
Discussions about compliance cost ultimately come down to scope. The more of your business that touches Controlled Unclassified Information (CUI), the higher the cost is likely to run. If you have kept your security up to date over the years, you may not need to do much extra to become compliant. But if you are looking for ways to control compliance cost, the most effective thing you can do is control how, where and by whom your business handles CUI.
How is CUI accessed through your IT network?
Much of NIST 800-171 concerns IT security, so you can lower cost by controlling which systems access CUI and therefore which systems need upgrading. For instance, you can restrict which computers can reach the files or databases holding CUI, and then upgrade only those computers. Or you may decide that only certain individuals need access to particular areas of your cloud storage, so only those individuals' systems need upgrading. One caveat: the boundary has to be real. A computer that can reach the CUI, or that sits on the same unfiltered network as one that can, is in scope whether or not anyone intended it to be, so document the boundary and verify it rather than assume it.
Who needs to be working with the CUI?
Does your entire team work with CUI by default? And do they need to? The compliance cost is not only that of upgrading IT systems but also of reduced efficiency in departments that never touch CUI. For instance, security controls that limit browser activity could hinder your marketing department from doing their job, and added security measures might slow down departments that aren't handling sensitive information at all. Limiting CUI access to the people who need it keeps both costs down.
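The two questions above (which systems touch CUI, and which people) are really one scoping exercise: a system is in scope if it has been granted access to CUI, or if it can reach an in-scope system without any filtering in between. The script below is an added example, not code from the article or from Brightline, that computes that scope from a small constructed inventory and then shows how much the scope shrinks when a single stray access grant is revoked or a network boundary is added. All asset names, stores and links are made up for illustration.

```python
from collections import defaultdict, deque

# Constructed sample inventory for illustration; none of these names come from the article.
# Data stores and whether each one holds CUI.
STORES = {
    "fileshare-eng": True,
    "s3-contracts": True,
    "crm-db": False,
}

# Which stores each system (or the person using it) has been granted access to.
GRANTS = {
    "eng-ws-01": {"fileshare-eng"},
    "eng-ws-02": {"fileshare-eng", "s3-contracts"},
    "mkt-ws-01": {"fileshare-eng", "crm-db"},   # stray grant: marketing can read the CUI share
    "mkt-ws-02": {"crm-db"},
    "hr-ws-01": set(),
}

# Pairs of systems that can talk to each other with nothing filtering the traffic
# (same flat network segment). Order within a pair does not matter.
LINKS = {
    ("eng-ws-01", "eng-ws-02"),
    ("mkt-ws-01", "mkt-ws-02"),
    ("mkt-ws-02", "hr-ws-01"),
}


def cui_scope(stores, grants, links):
    """Return (in_scope, reasons).

    A system is in scope if it is granted access to a store holding CUI, or if it
    has unfiltered connectivity to a system that is in scope (applied transitively).
    reasons maps each in-scope system to a short explanation of why it is there.
    """
    reasons = {}
    queue = deque()
    # Seed with the systems that hold a grant to a CUI store.
    for system, reach in grants.items():
        cui_stores = sorted(st for st in reach if stores.get(st, False))
        if cui_stores:
            reasons[system] = "granted access to " + ", ".join(cui_stores)
            queue.append(system)

    adjacent = defaultdict(set)
    for a, b in links:
        adjacent[a].add(b)
        adjacent[b].add(a)

    # Breadth-first walk over unfiltered links pulls neighbours into scope.
    while queue:
        current = queue.popleft()
        for neighbour in sorted(adjacent[current]):
            if neighbour not in reasons:
                reasons[neighbour] = "unfiltered connectivity to " + current
                queue.append(neighbour)

    return set(reasons), reasons


def revoke_grant(grants, system, store):
    """Return a copy of grants with one access grant removed; the original is untouched."""
    new = {s: set(r) for s, r in grants.items()}
    if system in new:
        new[system].discard(store)
    return new


def add_boundary(links, system_a, system_b):
    """Return a copy of links without the direct path between two systems,
    modelling a firewall rule or VLAN split placed between them."""
    return {pair for pair in links if set(pair) != {system_a, system_b}}


if __name__ == "__main__":
    before, why = cui_scope(STORES, GRANTS, LINKS)
    print(f"{len(before)} of {len(GRANTS)} systems in scope:")
    for s in sorted(before):
        print(f"  {s}: {why[s]}")

    # Lever 1: take the CUI share away from the marketing workstation.
    after, _ = cui_scope(STORES, revoke_grant(GRANTS, "mkt-ws-01", "fileshare-eng"), LINKS)
    print("after revoking the stray grant:", sorted(after))

    # Lever 2 (alternative): keep the grant but put a boundary between marketing and HR.
    segmented, _ = cui_scope(STORES, GRANTS, add_boundary(LINKS, "mkt-ws-02", "hr-ws-01"))
    print("after segmenting HR from marketing:", sorted(segmented))
```

With the constructed inventory, one marketing grant to the engineering file share drags both marketing workstations and the HR workstation into scope, so all five systems would need upgrading. Revoking that one grant leaves only the two engineering workstations in scope; adding a boundary between marketing and HR instead removes only HR. The same walk works on a real inventory exported from your directory and network documentation, and the `reasons` output is the kind of record an assessor will ask for when you claim a system is out of scope.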
Where is physical CUI stored at your building?
Some of the standard's requirements deal specifically with physical CUI and the way it is stored and accessed. Consolidating your CUI can therefore spare you the cost of upgrading your entire building. If, for instance, you have a series of warehouses and currently store CUI in several of them, it will be cheaper to rearrange your storage so that all your CUI is in one space, leaving you with only one warehouse to secure.
Is the compliance cost of NIST 800-171 worth it?
As noted above, depending on the work you do, the cost of compliance may be anywhere from a few thousand dollars to several hundred thousand dollars. Many businesses look at the restructuring costs and the investment in technology, training, and labor and decide that NIST 800-171 compliance isn't worth the expense for their business. That may be a sensible decision for them, especially if government contracts form only a small part of their business. But the more players exit the game, the greater the opportunity for those who remain: the government will still need contractors and subcontractors to fulfill its workload, and meeting the standard can give your business the opening it needs to get ahead.
That said, if you plan to fulfill contracts with the DoD or the federal government in the future, compliance with NIST 800-171 isn't optional: your business needs to meet the standard, or have a plan of action showing how you are making progress toward meeting it, by the end of 2017. At Brightline, we have the expertise to assess your current IT infrastructure and help your business meet the new security standard in time.