Sum IT Up Podcast: Estimating the Cost of NIST SP 800-171 (2024)

This episode is from the Sum IT Up podcast. Click here to learn more.

The cost of CMMC is an often asked question among the DIB that’s rarely answered. Honestly, most people don’t even know where to look. Today we finally get some answers.

Taking a hatchet to the thicket of jargon and legalese, Jacob and Jason guide us from NIST SP 800-171, back through SP 800-53 (that 800-171 is based on), and home again with a treasure-trove: CMMC cost considerations to share with your team.

In this Episode You'll Learn:

1. News in cost estimation: Last week the government released a FAR rule that estimates the cost of SP 800-53 implementation across the low, moderate, and high baselines. That may seem irrelevant for folks working with NIST 800-171, but it’s actually great news.
2. The path to estimating your cost: With sufficient knowledge of the percentage of SP 800-53 represented in SP 800-171, we can develop a ballpark estimated cost for DIB organizations NIST SP 800-171implementations. In the same way SP 800-171 is derived from SP 800-53 we can derive cost estimates for SP 800-171 from the cost estimates of SP 800-53.
3. Complications in the calculations: The estimates provided in SP 800-53 last week have lots of caveats. There are countless variables that make the government nervous to name a number for SP 800-171 implementation in the DIB. In 2013, 2016, and 2020 the DoD refused to estimate the cost of implemented SP 800-171 by citing the exact same caveats. 
4. Hope for the number-cruncher: This week Jason and Jacob took it upon themselves to do the impossible: provide a broad but realistic cost estimate for DIB organizations to implement NIST SP 800-171 . The good news? What they found ended up being eerily close with what we've seen in practice.  

Further Resources

We know you don’t want to fact check us…but in case you hope to begin your own intrepid journey to scale the heights of the NISTY mountains, here are all the resources:  

• Jacob Horne’s LinkedIn Poll: https://www.linkedin.com/posts/jacob-... .  
• FAR Rule: https://www.federalregister.gov/docum... .  
  Fuzzy Math @ CS2 San Diego: https://www.youtube.com/watch?v=843K3hkLquk 
• SolarWinds Hack: https://www.gao.gov/blog/solarwinds-c... .  
• EO 14028: https://www.whitehouse.gov/briefing-r... . 
• DFARS 7012: https://www.acquisition.gov/dfars/252.... .  
• DFARS 7010: https://www.acquisition.gov/dfars/252.... .  
• FIPS 199: https://csrc.nist.gov/pubs/fips/199/f... .  
• SP 800-53: https://csrc.nist.gov/pubs/sp/800/53/... .  
• SP 800-171: https://csrc.nist.gov/pubs/sp/800/171... .  
• SP 800-171B cost estimate (2019): https://csrc.nist.gov/pubs/sp/800/171... 

Our Hosts 

Jacob Horne and Jason Sproesser are more than guys with beautiful flowing beards and gorgeous olive skin. They’re also super nerds who talk about government contracting compliance, cybersecurity news, and government regulations. 

Reach Out

Jacob Horne:

• LinkedIn 
• Email 

Jason Sproesser:

• LinkedIn 
• Email