For some time, the US Department of Defense has been working to revise its funding procurement procedures, known as the Defense Federal Acquisition Regulation Supplement, or DFARS. Most important among these details is the requirement in the regulations (under clause 252.204-7012) that defense contractors meet the NIST Special Publication (SP) 800-171 standard, which covers Controlled Unclassified Information (CUI).
NIST 800-171, unlike NIST 800-53, was written for non-government entities such as government contractors and service providers. That said, while NIST 800-171 is required of contractors, the DFARS regulation also requires the more comprehensive FedRAMP authorization for cloud service providers.
Whether it is an ISO 27001 certification, a SOC 2 examination or a FedRAMP assessment, companies are often challenged by the need to address customer requirements while ensuring a return on their compliance investment.
The most important factor in scoping a potential assessment is understanding what deliverable the recipient (i.e. your customer or partner) is expecting.
Once we have scoped your environment and needs, there are several factors that contribute to Schellman’s pricing: