Posts RSS
Subscribe via Email
The End is Near–FISMA to cost $29B!
Posted December 11th, 2007 by rybolov
OK, so it’s about as sensationalist as government news gets (but still way sedate when compared to Brit-nay news), but check out this article on reauthorization of FISMA.
Let’s do some numbers:
- Assuming a $64B IT budget for the federal government (budget request for FY 2007)
- Assuming $29B for 4 years (OK, so we conveniently clipped that out of the headline)
- That is $7.25B/year (29/4)
- That is 8.83% of the total IT budget. (64/7.25)
Now before everybody shows up outside the Capitol with their torches and pitchforks because we’re spending $29B on FISMA (which doesn’t work, and SANS will attest to it), let’s think about that number.
The 9% of the total IT budget is about right on track (some say less, some say more) with large companies. The problem is, the CBO reports don’t tell us what exactly is behind the numbers. IE, $29B could be any combination of the following:
- Direct FISMA costs such as quarterly reporting
- Semi-direct FISMA costs such as C&A, contingency planning, and risk assessments
- Direct security costs such as policy, procedures, firewalls and IDS
- Indirect security costs such as processes taking longer because you have the security layer of abstraction
If it only includes the first point, then I’m shocked but it figures that the study would only include the direct costs. If it includes points 1, 2, and 3, then it’s inline with what I think the budget should be. If it includes all 4 points, then I think it’s a little bit on the light side for a number.
Thing is, the contractors are looking at $29B and thinking it’s a huge market. The FISMA critics will look at FISMA and say it’s horribly expensive.
It’s all different sides of the same coin: does anybody really know what FISMA means?
Similar Posts:
Posted in FISMA | 
3 Comments »
December 11th, 2007 at 3:48 pm
What’s this? A balanced commentary on FISMA? I think you are now required to turn in your blogging credentials to the authorities for not towing the FISMA-is-a-failure line.
Good analysis of the CBO report. One nitpick, the $29B is for the whole act, at least $1B+ is parceled out for a variety of services, databases, training, programs and projects not directly related to FISMA. I wonder whether this bill is expected to pay for costs relating to OMB’s mandates on the Federal Desktop Core Configuration (FDCC) program and the collapse of all Federal Internet connections down to 50 connections.
On a tangential note, could I request an argument from a FISMA basher that doesn’t use FISMA reports as proof of FISMA being a failure? I mean recursive evidence is great as an ironic construct for nod and wink humor but it lacks something when used to construct a logical argument.
December 11th, 2007 at 5:12 pm
Hi Dan
Nice catch. What’s $1B between friends, anyway? =)
I think FDCC is going to be a pretty sizeable indirect cost. If it were me, I don’t know if I would try to figure out how much it would cost, only the audit burden associated with it.
January 4th, 2008 at 2:05 pm
Drop in the bucket, I would pay twice that.
That’s like a couple days in Iraq.