Calculate the Cost of Manually Tracking RMF and FedRAMP Compliance vs. Automation

Dale Bingham
8 min read, Nov 9, 2021


Have you ever calculated the cost of manually tracking your RMF or FedRAMP system packages? You know, the way most teams do it: hand-editing and reviewing checklists, spreadsheets, scan PDFs and reports. Plenty of articles cover cyber breaches and the tangible and intangible costs they impose on businesses, people and brands. But have you ever tracked the cost of the upfront compliance work that leads toward better cybersecurity, done manually, versus automating it?

We have. And you can too, with our free calculator. Automating this work reduces the time and money spent on it, freeing up people for other value-added work, like hardening your network and applications. Let’s discuss.

Cyber Compliance Costs can be reduced significantly with OpenRMF Professional

Calculating Costs for Manual Efforts

To estimate the cost of doing this manually, at a high level, you need at least two fully loaded hourly rates. What is the fully loaded rate of the cybersecurity personnel (cyber professionals, developers, system admins, network admins) filling out manual checklists and importing scans by hand? And what is the fully loaded rate of the cybersecurity lead managing, tracking, reporting and briefing all of this information?

Now with those in hand, calculate the hours they spend doing these things:

  • importing SCAP scans to create or update checklists, per machine, per checklist required
  • upgrading checklists to the newer quarterly release updates from DISA
  • tracking all vulnerability numbers for reporting or data calls (# of Category 1 open, Category 2 open, Category 3 open, N/A, Not Reviewed and Not a Finding) per checklist and across the whole system package
  • tracking all patch vulnerabilities across the whole system package for the devices
  • tracking all patch vulnerabilities down to the device or hostname/server
  • tracking all POAM entries and updating them as required/allowed
  • correlating all vulnerabilities against the CCIs per vulnerability, then relating to the required NIST controls, then tracking if any are Open or Not Reviewed

That is a LOT to handle manually, especially on a sizable network. You may not even do all of these items continuously, only when a data call comes in. Or you may not do them at all because too many other PRIORITY 1 tasks pull you and your team away from actively managing this. And there may be more to the calculation than the points listed here. That is the point: we need to automate.

Now total up the cost by hand from those figures, if you like. Or just use our online calculator to see the manual costs.

I used to do this very thing: data calls for the total open vulnerabilities per machine or per system package meant hours spent diving through checklists, XLSX files and PDFs and talking with teammates. And it ticked me off as a developer. Looked at through the lens of a program manager, government budget officer, contracting officer or company business leader, it should call them to action as well.

There had to be a better way, so we invented one. It is called OpenRMF Professional and it automates a LOT of what is listed above. And it will do much more over the next year with the product roadmap and integrations we have underway.

Reducing Costs through Automation

Let’s walk through the web form to do this calculation. It is on our website at Soteria Software. It runs entirely in JavaScript locally in the browser, so no data is sent back to anyone. It is only there to give you numbers and context around the work that OpenRMF Professional automates. You need the two rates mentioned above and a good idea of the hours individuals spend doing the work manually. Or start with the default numbers on the calculator.

Following along on the form, the rates are pre-filled with average values. Yours may be lower or (more likely) higher. Type in the rate for the average cyber professional and then for your lead cyber person.

Importing SCAP Scans and Checklists: Enter the time you and your team spend per checklist importing SCAP scan results or filling the checklist out by hand. Count this even if SCAP handles the automated checks and you only fill in the manual ones yourself. Include the time spent resetting false positives that come up (something we have a fix for in OpenRMF Professional).

Then enter the total number of SCAP results you will process over the whole year. That can be an average across multiple system packages, or you can do it per project. Then enter the total number of system packages (ATO, IATT, ATC) you currently track that this applies to.

Upgrading Checklists for New Quarterly Releases: Now enter the average time it takes to copy data from an old checklist into the newly released version, for only those checklists that were updated. Then enter the number of checklist types that were updated and how many devices carry those checklist types on average. This happens four times a year; DISA released a batch in late October 2021.

Tracking All Vulnerabilities: You may or may not be doing this right now, as it is very hard to keep accurate and up to date. Enter the hours (1,920 is a full work year) your team spends tracking all vulnerabilities across all checklists by category and status. That covers STIG checklist vulnerabilities and patch vulnerabilities from ACAS or Nessus scans: the counts per checklist or per server, totals across devices, and totals across the whole system package.

This also includes time spent answering data calls from your PM, government rep, cyber lead or another group, such as “How many CAT 1s do we have open?” or “How many Critical and High patch vulnerabilities are on the latest network scans?”. Dropping everything to answer those gets expensive in lost productivity. Include those hours in this field.

Correlating All Vulnerabilities to NIST Controls: You definitely have to do this, and it has to be correct. Enter the time spent tracing each vulnerability in a checklist to the CCIs listed for it, then tracing each CCI to the NIST control or subcontrol it implements, then confirming you actually need to track that control or subcontrol. If it does not map to a control you track, put it under CM-6 (Configuration Settings, in the Configuration Management family).

When you do this, also note any Open or Not Reviewed items so the overall status of that control or subcontrol is correct. And keep this up to date as checklists and scans are updated across your whole system package.

Then, for each checklist, you need to view just the vulnerabilities pertaining to that NIST control or subcontrol so you can see which checklist item is causing the non-compliance.

THIS is a MASSIVE time spender. It is not a time waster, but it IS a big expense and a big area in which to reduce time and money. Automation is key here, not only to speed this up but to ensure it is done correctly, the same way, every time, on every system package you track and monitor, so you and your customers can trust the process. Based on experience we estimate the cyber lead’s share at 10% of this time.
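The two manual chores above, tallying findings for a data call and correlating them through CCIs to NIST controls, carried out on one checklist as an added example (written for this edit, not OpenRMF code): it parses a constructed fragment shaped like a STIG Viewer CKL export, counts findings by category and status, maps each CCI to its NIST control with CM-6 as the fallback the text describes, rolls the worst status up to each control, and lists the checklist items blocking compliance. The three-entry CCI table is hand-entered and the V-TEST IDs and CCI-999999 are synthetic; a real run would load DISA’s full CCI list and read real exported checklists.

```python
"""Tally STIG checklist (CKL) findings and roll them up to NIST 800-53 controls."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample shaped like a STIG Viewer CKL export; IDs are synthetic.
SAMPLE_CKL = """<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-TEST-1</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000044</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-TEST-2</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-TEST-3</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000048</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-TEST-4</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-999999</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>"""

# CKL severity values map onto the CAT I/II/III reported in data calls.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Hand-entered subset of the CCI -> NIST 800-53 index, for this example only.
# A real implementation loads the full mapping from DISA's published CCI list.
CCI_TO_CONTROL = {"CCI-000044": "AC-7", "CCI-000048": "AC-8", "CCI-000366": "CM-6"}
FALLBACK_CONTROL = "CM-6"  # unmapped findings land in CM-6, per the text

# Precedence when several findings feed one control: the worst status wins.
STATUS_RANK = {"Open": 3, "Not_Reviewed": 2, "NotAFinding": 1, "Not_Applicable": 0}


def parse_ckl(xml_text):
    """Return one dict per VULN: id, category, status and its CCI references."""
    findings = []
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        attrs, ccis = {}, []
        for sd in vuln.findall("STIG_DATA"):
            key = sd.findtext("VULN_ATTRIBUTE")
            val = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
            if key == "CCI_REF":
                if val:
                    ccis.append(val)
            else:
                attrs[key] = val
        findings.append({
            "id": attrs.get("Vuln_Num", "?"),
            "cat": SEVERITY_TO_CAT.get(attrs.get("Severity", "").lower(), "unknown"),
            "status": (vuln.findtext("STATUS") or "Not_Reviewed").strip(),
            "ccis": ccis,
        })
    return findings


def tally(findings):
    """Counts for a data call: per (category, status) and per status overall."""
    by_cat = Counter((f["cat"], f["status"]) for f in findings)
    by_status = Counter(f["status"] for f in findings)
    return by_cat, by_status


def rollup_to_controls(findings):
    """Map each finding through its CCIs to controls; report worst status and blockers."""
    per_control = defaultdict(list)
    for f in findings:
        controls = {CCI_TO_CONTROL.get(c, FALLBACK_CONTROL) for c in f["ccis"]}
        for ctl in controls or {FALLBACK_CONTROL}:
            per_control[ctl].append(f)
    result = {}
    for ctl, fs in per_control.items():
        worst = max(fs, key=lambda f: STATUS_RANK.get(f["status"], 2))
        blocking = sorted(f["id"] for f in fs if STATUS_RANK.get(f["status"], 2) >= 2)
        result[ctl] = {"status": worst["status"], "blocking": blocking}
    return result


if __name__ == "__main__":
    found = parse_ckl(SAMPLE_CKL)
    by_cat, by_status = tally(found)
    print("by status:", dict(by_status))
    print("by category/status:", dict(by_cat))
    for ctl, info in sorted(rollup_to_controls(found).items()):
        print(f"{ctl}: {info['status']}  blocking={info['blocking']}")
```

Any Open item outranks Not_Reviewed, which outranks NotAFinding, so a control only reads NotAFinding once every checklist item behind it has actually been reviewed and closed; the `blocking` list is the per-control view the text asks for, the specific checklist items you would open to fix the non-compliance.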

Estimated Total Reduction in Cost and Time per Year

So what does this equate to? What would you actually reduce as far as time and money given this information?

Using the default values on the online calculator (the rates shown, 3 minutes per SCAP import into a checklist, 50 SCAP scans a year, which is very small, and 2 ATO packages), this comes to a reduction of about 5 hours and just under $500 per year. A small amount, but it is reduced through automation. Add the OpenRMF Professional API introduced in v2.6, which ingests SCAP or CKL files along with Nessus/ACAS scan reports automatically, and the manual hours drop to almost zero.

For upgrading checklists, 15 minutes per upgrade and 5 checklist types (e.g. Windows Server 2016, .NET Framework, Google Chrome) across 30 devices is about a $15,000 reduction per year. Again not bad, but not HUGE.

Now let’s look at Tracking Vulnerabilities and Correlating the Vulnerabilities to NIST Controls. THIS is where the huge time and money reduction happens. Tracking all these checklists across categories, open items and items not reviewed is very manually intensive, and then correlating them, as time allows, to see the compliance picture is just as manually intensive. Realistically this is a person’s full-time job.

So the cost reduction here is about $191,000 based on average cyber personnel rates, and the correlation work adds a reduction of around $28,000 based on the numbers used in our example. That is a big deal. If you have a larger package or multiple packages (if you can even handle that data overload manually) the reduction is even more impressive.

Most folks have some super magic Excel pivot table helping them with correlation and compliance reporting, fed by exporting STIG checklists to CSV and then converting to XLSX. That largely manual process also goes away with OpenRMF Professional, where the correlation is calculated in real time as edits happen, not when a data call is pressing you to go through all this data. It is already done; just go run it and view it.

Finally, there is tracking POAM entries manually. We estimated 8 hours per month in total. The reduction there, where OpenRMF Professional automatically shows Open and Completed items and updates them based on scans and edits, is about $12,000. And we link each POAM entry to the checklist vulnerability or patch scan item that caused the record to be created. Again, a good amount of time and money reduced.

All told, our example estimates a reduction of 2,151 hours and $247,000. PER YEAR. EVERY YEAR you track this information. That is a big deal. And you get a single source of truth for this information, tracked, searched, reported, version controlled and audited for every action against it.

We encourage you to enter your own info and click the green “ESTIMATE COST REDUCTION” button to see what you can do!

Refocus Effort and Energy into Value Added Work

We have run through this live with customers several times during demos, because they want to see the cost reduction. One recent customer with a medium-sized team and 2 system packages showed it could repurpose 2 people to other work instead of tracking vulnerabilities and data calls manually, reallocating about $427,000. Even for smaller teams that track a lot of servers, the price of people’s time and effort is massive! Those hours and that energy can be reallocated and repurposed into other efforts that add value.

Spend it on actually minimizing open ports, securing servers, applying patches, and automating scans and the ingest of those scans into OpenRMF Professional for a more continuous monitoring platform. Spend it on tracking trends and risk and adjusting your team’s tasks and workload.

Or just bank the reduction and have people manage more RMF and FedRAMP packages efficiently and effectively. How you use the cost reduction and recovered hours is up to you. There is no doubt that automation’s time has come to RMF and FedRAMP.

And it is all done through the automation built for you and your team in OpenRMF Professional.

Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
