IT security costs

Definition
In determining information and IT security costs for a specific IT investment, Federal agencies must apply the following criteria:

 1. The products, procedures, and personnel (Federal employees and contractors) that are primarily dedicated to or used for the provision of IT security for the specific IT investment. Do not include activities performed or funded by the agency Inspector General (IG). This includes the costs of:
    * risk assessment
    * security planning and policy
    * certification and accreditation
    * specific management, operational, and technical security controls (including access control systems as well as telecommunications and network security)
    * authentication or cryptographic applications
    * education, awareness, and training
    * system reviews and evaluations (including security control testing and evaluation)
    * oversight or compliance inspections
    * development and maintenance of agency reports to OMB and corrective action plans as they pertain to the specific investment
    * contingency planning and testing
    * physical and environmental controls for hardware and software
    * auditing and monitoring
    * computer security investigations and forensics
    * reviews, inspections, audits, and other evaluations performed on contractor facilities and operations

 2. Other than the costs included above, security costs must also include the products, procedures, and personnel (Federal employees and contractors) that have, as an incidental or integral component, a quantifiable benefit to IT security for the specific IT investment. This includes system configuration and change management control; personnel security; physical security; operations security; privacy training; program or system evaluations whose primary purpose is other than security; systems administrator functions; and, for example, system upgrades in which new features obviate the need for other stand-alone security controls.

 3. Many agencies operate networks that provide some or all of the necessary security controls for the associated applications. In such cases, the agency must nevertheless account for security costs for each of the application investments. To avoid double-counting, agencies should appropriately allocate the costs of the network across the applications for which it provides security.

In identifying security costs, some agencies find it helpful to ask a simple question: "If there were no threat, vulnerability, risk, or need to provide for continuity of operations, what activities would not be necessary and what costs would be avoided?" Investments that fail to report security costs will not be funded; therefore, if an agency encounters difficulties applying the above criteria, it must contact OMB prior to submitting its budget materials.