What Should NIST Compliance Actually Cost?
Cyber compliance is now, quite simply, a cost of doing business in the defense sector. And it’s the thousands of small businesses working on specialized solutions that the government worries about most.
But in creating our solution, we asked ourselves the hard question:
“How is a small business ever going to be able to afford what’s required for compliance?”
Most commercial cyber solutions come with enterprise-size pricing. And open source solutions are free but require hundreds or thousands of man-hours to integrate…and that’s assuming they’re implemented correctly.
Affordable, achievable compliance became a guiding value for everything from our product development to our pricing model. We also learned a lot along the way, and share our thinking in hopes that it helps our peers and our community.
WHERE SHOULD YOU START?
Figuring out whether, and how, to achieve NIST compliance is like buying a car. The vehicle needs to meet certain requirements. You have options about how to research and make the right choices for your needs, and where to purchase the car. And you have to balance all of that against a budget you can’t exceed.
So, where do you start?
You could simply focus on the price tag of compliance and settle on the least expensive option. But this approach doesn’t consider things like:
- the indirect costs of compliance (staff time, for example)
- future costs for maintenance, quality assurance, and keeping compliance up to date as your systems change
- your starting point, which determines how much you actually need to change to achieve compliance
Take a step back for a more strategic approach.
- Clarify the elements of compliance, and their associated costs
- Orient yourself to the breadth of compliance options, and their implications
- Compare your compliance requirements with the different methods to become compliant, to see which makes sense from a work and fiscal perspective
What should you expect to invest — in dollars or HR costs? It depends on the IT resources you have available to you, and your starting point.
With their current infrastructure, many companies start out between 20 and 40 percent compliant, and use at least one of the following four methods to close the remaining gap:
- Do it yourself
- Hire a Managed Service Provider
- Hire a consultant
- Use a turnkey software solution like the NeQter Compliance Engine*
*Full disclosure: Not every company is ideally suited to use the NeQter Compliance Engine on its own, which is why we’ve built out our network of highly qualified and vetted partners!
Here’s what you can expect from each approach:
- Do it yourself – requires a lot of time and energy to figure out what’s required, integrate all required technologies, and create plans and policies on your own. This “human capital” approach saves on out-of-pocket costs, but could end up requiring $55,000-65,000 in staff time, and the quality of the result depends entirely on your in-house expertise.
- Hire a Managed Service Provider – a qualified MSP will complement your internal resources, speed your time-to-compliance, and generally make sure it’s done right. This approach typically achieves compliance for $50,000-60,000.
- Hire a consultant – for companies that must prove compliance quickly or whose contracts are at risk, this highly personalized and often worry-free approach could end up costing $100,000.
- Use a turnkey software solution like the NeQter Compliance Engine – achieves the majority of technical requirements out of the box, and includes wizards and embedded guidance for the requirements that software alone cannot satisfy, such as creating a system security plan (SSP), a plan of action and milestones (POAM), and written policies. The cost of our solution, plus an enterprise firewall and the internal resources required to act on findings and train employees, will generally total less than $35,000.
COMPLIANCE COMPONENTS AND ASSOCIATED COST TYPES
NIST cyber compliance requires attention to a number of areas of your business, not just the technical controls. This list contains potential items on which you might expect to spend time or money in order to achieve and maintain compliance (the list is not all-inclusive).
Now, the million-dollar question:
IS NIST CYBER COMPLIANCE WORTH IT?
Ways to think about answering this question:
- What’s your current income from DoD business?
- Is there an opportunity to win new DoD business from those who do not become compliant?
- What’s the potential for damage to your reputation if you’re breached? Can you keep operating without your systems if they’re frozen or seized as evidence during an investigation?
- How will you respond if a customer requests documentation of your SSP, POAM, or progress toward compliance?
Malicious attempts to steal or ransom our best engineering know-how are increasingly frequent, and are hitting small business networks every single day. If you are supporting a critical program in the Defense chain, compliance is not optional. All suppliers in the Defense supply chain are obligated to achieve and maintain NIST compliance.
Your real choices are whether you want to keep doing Defense business and, if so, how you want to get to compliance.