Thoughts on How the U.S. Government Calculates Cost of Compliance with Cybersecurity Regulations

How the U.S. Government calculates the cost of complying with the cybersecurity provisions of acquisition regulations.

In 2017 the Department of Homeland Security proposed to amend the Homeland Security Acquisition Regulation (HSAR) to address requirements for the safeguarding of Controlled Unclassified Information (CUI). 82 FR 6429 (Jan. 19, 2017). Although this rule is not final, we note that the proposed rule mandates that a contractor must submit a “Security Authorization Package”, in conformity with NIST SP 800-53, that has been validated by an independent third party.

As an independent third party assessor, we are watching this rule, along with many other anticipated rulemakings that could impact our clients. For example, many of our maritime industry clients with Navy contracts who have worked with us to comply with DFARS 7012 also have Coast Guard contracts subject to HSAR.

One (of many) things that caught our attention about the DHS rule was the identified costs associated with compliance.
In its rulemaking process, DHS provided some relevant data about the costs to implement its cybersecurity rule. Specifically, the rule states:

  1. The cost of an independent assessment can range from $30,000 to $150,000 with an average cost of $112,872;
  2. the equipment costs to perform continuous monitoring can range from $76,340 to $350,000 with an average cost of $213,170, while the labor costs to perform continuous monitoring can range from $47,000 to $65,000 for an average cost of $55,674;
  3. the cost of reporting an incident to DHS ranges between $500 and $1,500 per incident;
  4. the cost of notifying individuals that there has been an incident with their PII ranges from $1.03 to $4.60 per person;
  5. the cost of credit monitoring services ranges between $60 and $260 per person;
  6. a specific cost for the certificate of sanitization of Government and Government-Activity-Related files and information cannot be determined, as the methods of sanitization vary widely depending on the categorization of the system and the media on which the data is stored; and
  7. costs associated with Full-time Equivalent (FTE) oversight of the requirements of the proposed clause Safeguarding of Controlled Unclassified Information range from $65,000 to $324,000.

Sera-Brynn performs third party validations and assessments of commercial organizations subject to government-issued cybersecurity regulations, and we understand cost is a practical concern for our clients. It factors into how we help identify a client’s risk tolerance. It factors into our recommendations for remediation and technical solutions. We know that cost matters.
If your organization is looking for assistance with interpreting or applying compliance controls to manage risk and control cost, we can help.

Reach us at or call 757-243-1257.

Author: Colleen Johnson, Sera-Brynn Senior Cyber Legal Analyst