Posted on:

In this Article

  • NIST Special Publication 800-172 (formerly known as 171B) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for High-Value Assets” was released in February 2021.
  • The special publication identifies requirements for protecting CUI that is a part of a critical program or high-value asset.
  • Learn how the CMMC will incorporate NIST SP 800-172, at which levels, and how this could affect your organization’s contract with the DOD.

Previously known as NIST SP 800-171B with drafts released in June 2019 and July 2020, the final version of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 arrived in February 2021.

The special publication follows the SolarWinds breach in which Russia-sponsored attackers gained access to the organization’s update servers and pushed malware out to federal agencies and major corporations alike. The attack left a trail of clues to investigate, but the full scope of the damage is still unknown, and incident response may be a long way off. High-stakes incidents like these are expected to increase in number and intensity, giving extra precedent to passing further litigation for DOD contractors’ most valuable assets.

NIST SP 800-172 is supplemental to NIST SP 800-171, a framework required by DFARS 252.204-7012 to protect Controlled Classified Information on all DoD contracts. In the past, according to the DOD, the required NIST cyber controls haven’t been fully implemented across the board, and the self-assessment was often an issue for organizations that lack resources, budget, or bandwidth.

The Cybersecurity Maturity Model Certification (CMMC) program aims to tackle the risks of loss and breach associated with sensitive data and CUI by ensuring security through third-party verification. The program, which will roll out over the next five years to include all DOD contractors and subcontractors, is based on the NIST standards and other relevant frameworks. The new “172” NIST guidelines will likely show up in DOD contracts where especially sensitive information is involved.

Key Takeaways from NIST SP 800-172

While NIST SP 800-171 provides basic cybersecurity controls to protect CUI, NIST SP 800-172 defines a set of enhanced controls to protect CUI subject to more advanced threats such as adversarial nation-states or foreign state-sponsored groups.

NIST SP 800-172 is particularly for programs and contractors that might be targets of Advanced Persistent Threats (APTs), which are stealthy threat actors who seek to gain access to networks undetected. State-sponsored hackers have high levels of expertise, ample resources, and can attack using multiple vectors, whether cyber, physical, or social.

The fundamental difference between 171 and 172 is in approach: where the pre-existing special publication’s controls are based on mitigating present risks, the supplement’s intent is to provide guidance on proactively deterring threats and assuming the worst-case scenario will become a reality. In its own language, it aims for, “Damage limiting operations, [and] a cyber-resilient and survivable design.” In other words, 172 is for active and aggressive cybersecurity management.

The advice in 172 is a mix of old and new: some practices should already be in place, such as using complex passwords, multi-factor authentication, and automated tracking of authorized network users. But some controls require more effort to achieve and maintain, like having a cyber-response team at the ready in case of a major incident.

How NIST SP 800-172 Ties Into CMMC and Your Contract with the DOD

If you aren’t familiar with CMMC documentation, then you may not be familiar with the four levels of threats. The level of sensitivity of the information your organization uses is relative to the level of threat and to the necessary CMMC Level required to combat the said threat, whether external, internal, or an attacker of the supply chain.

  1. Unskilled Threat Actors: CMMC Level 2, or Intermediate Cyber Hygiene required. Contractors comply with 17 controls from NIST SP 800-171.
  2. Moderately Skilled Threat Actors: CMMC Level 3, or Good Cyber Hygiene required. Contractors must comply with 48 additional NIST SP 800-171.
  3. Advanced Threat Actors: CMMC Level 4, or Proactive level required. Contractors must comply with 11 from NIST SP 800-172 plus 15 extra controls.
  4. Most-Advanced Threat Actors: CMMC Level 5, or Advanced/Progressive level required. Contractors must comply with the final 4 controls from NIST SP 800-172 plus 11 extra controls.

A majority of DOD contractors and subcontractors won’t feel the effects of NIST SP 800-172, because it will apply to contracts that require CMMC Level 4 and CMMC Level 5, and organizations that are at risk from Advanced Persistent Threats.

Do you still have questions about NIST SP 800-172 and how it impacts your organization and your ability to achieve your desired level of security to get and maintain your DOD contracts? Schedule a one-on-one meeting with one of our CMMC subject matter experts, or read more about CMMC on our services page.

Categories: CUI, cmmc, NIST