The Initial Public Draft (IPD) for NIST Special Publication (SP) 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets was released today.
This standard represents additional security control requirements to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations when the CUI is part of a critical program or high value asset. Basically, all of the Advanced Persistent Threat (APT) related controls were removed from the original standard and put here.
What makes this call for public comment different is that the DoD has provided a Cost Analysis for implementing the controls. The document is "enlightening" as to how DoD thinks. Network isolation costs are estimated more than the long-term costs of running a Security Operations Center, go figure that one out...
Anyway, this is all about being proactive and shutting down the Defense Industrial Base. Booyah! It remains to be seen whether or not these "estimates" are reasonable and the controls in fact are the best ones to protect CUI from "the APT".
P.S. @SamanthaO_isc2 we really need a "Location" for "Standards" discussions. Can you make that happen? Thanks!