Starting in 2019, analysts from The MITRE Corporation and PRICE® Systems, LLC evaluated budget and expenditure data downloaded from the OMB IT Dashboard (www.itdashboard.gov/) to determine if the data had value for estimating the cost to implement cybersecurity measures in federal information technology (IT) systems. The IT Dashboard is an open-source website that provides federal agencies and the public with the ability to view details of federal IT investments online and to track their progress over time. Our intent was to see if we could isolate specific historical expenditures for cybersecurity activities across several IT programs that could be used to develop factors or methods to estimate future IT program cybersecurity costs.
In the last year, PRICE analysts have continued this research with updated OMB data. Our intent now is to develop factors that can be incorporated into our TruePlanning® framework. We expanded the database to include more years (2011 – 2020) and to add operations and support costs to the scope of the analysis. We are specifically researching the potential to add factors and methods to the common element models used to estimate program management, system engineering, data, test, training, and system integration costs.
Starting with a revised baseline of 31,358 individual investment activities, drawn from 448 IT systems across 26 executive branch departments and agencies, we eventually identified 772 activities focused only on cybersecurity. We divided these activities into the standard cost categories shown below in Tables 1 and 2 for analysis. The category names were informed by the DoD’s Mil-Std-881E (Work Breakdown Structures) and use terms found in the OMB data activity descriptions.
Table 1. Development Cost Categories
Table 2. Operations and Support Cost Categories
The best fit for the OMB data as a factor to estimate cybersecurity costs is shown here:
Cyber Category Development Costs$ = XX% of Total IT System Investment Cost$
Cyber Category Operations and Support Costs$ = XX% of Annual IT System O&S Cost$
Tables 3 and 4 summarize the updated factors from 2021 created for development and sustainment. These factors are specific to each cost category and do not represent any individual IT system, federal agency, or fiscal year.
Two metrics were developed for each cost category: the Average Cost and the Median Cost of all activities in each category. For example, “Cyber Program Management” was the primary effort for 83 of the development activities evaluated. On average, these 83 data points represented 0.88% of the Total Investment Cost for their individual host IT systems. The Median value for the 83 data points was only 0.27%. Each category had one or two very large activities that skewed the results, as shown by the data points representing the highest percentage of total cost for each IT program.
Table 3. Updated Cyber Development Cost Factors
The following results and conclusions were drawn from the analysis of these Development factors:
- The first 6 categories shown in Table 3 represent 76% of all Development activities. When summed, their individual factors equate to 9.77% (on average) of Total Investment Cost for an IT System. The median sum equals 1.98% of Total Investment Cost. So while they are pervasive across agencies and programs, they are not cost drivers for the programs when they occur.
- The remaining categories represent 24% of all activities. When summed, their individual factors equate to 28.3% of development costs. However, they do not occur often (less than once in the life cycle of an IT system), and they do not impact very many agencies. So while the 28% seems to be a driver, the activities are not common.
- Recommendation: apply the first 6 categories annually to each program, but only apply the remaining categories at most once in each program life cycle.
Table 4. Updated Cyber Sustainment Cost Factors
The following results and conclusions were drawn from the analysis of the Sustainment factors:
- The first 4 categories shown in Table 4 represent 95% of all Sustainment activities. When summed, their individual factors equate to 12.2% (on average) of Total Sustainment Cost for an IT System. The median sum equals 5.64% of Total Sustainment Cost.
- The remaining categories represent only 5% of all activities. When summed, their individual factors equate to 10.78% of development costs. However, they do not occur often (less than once in the life cycle of an IT system), and they do not impact very many agencies.
- Recommendation: apply the first 4 categories annually to each program, but only apply the remaining categories occasionally in the program life cycle.