We will pick up where we left off on estimating the cost of cybersecurity by looking at the requirements themselves. Recall from a previous blog that the cybersecurity requirements are set out in National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and that Appendix E of that document maps each requirement to the corresponding NIST SP 800-53 security controls.

Appendix E is a series of tables, one per control family, that list the NIST SP 800-53 controls and tag each one with a category indicating whether, and by whom, it must be addressed. There are four categories*:

  • NCO: Not directly related to protecting the confidentiality of CUI (Controlled Unclassified Information)
  • FED: Uniquely federal, primarily the responsibility of the federal government
  • NFO: Expected to be routinely satisfied by nonfederal organizations without specification
  • CUI: A basic or derived security requirement is reflected in and is traceable to the security control, control enhancement, or specific elements of the control/enhancement

(*See page E-1, Appendix E, NIST Special Publication 800-171)

For the estimate, items not directly related to protecting the confidentiality of CUI (NCO) were ignored. Items that are ultimately the responsibility of the federal government (FED) were excluded, on the assumption that the contractor would not undertake these efforts unless specifically contracted to do so. Items that a nonfederal organization is expected to satisfy as a normal part of doing business (NFO) were also excluded, because either the effort is minimal or it is already being done.

Based on our interpretation that only the “CUI” requirements call for additional consideration in a program office estimate, we can now evaluate the impact of the CUI requirements on our software development processes. The requirements are grouped into “families” of similar action items. Across the 17 families, there are 123 line items that fall under the CUI category. Approximately half of these involve physical security, personnel processes and training, which are outside the scope of the software development process itself.

How do we incorporate the remaining ~60 items into an estimate? There are several ways to do this. In the final blog on this topic, I will address some possible approaches. Stay tuned!