NIST Special Publication 800-172 is a supplementary publication that builds on the security controls outlined by NIST 800-171. It’s relevant to any federal government contractor that stores or processes Controlled Unclassified Information (CUI) for a critical government program.

Any organization that deals with CUI for the US government must be compliant with NIST 800-171 cybersecurity standards. NIST 800-172 builds on these controls with a series of 35 enhanced security requirements. It was introduced to strengthen non-federal systems against advanced persistent threats (APTs).

Organizations connected to critical government systems require this enhanced level of protection from cyberattacks. Relevant controls from the NIST 800-172 publication will be highlighted in the government contract or agreement when required.

NIST 800-172 was published in February 2021 so many contractors may not be up to speed with the changes. This NIST 800-172 checklist outlines the 35 steps needed to be compliant with every control. Contractors may only need to comply with a portion of the requirements, therefore we would suggest focussing on the parts of the checklist covering the controls outlined by your contract.

NIST SP 800-172 checklist of 35 enhanced requirements

The advanced security requirements outlined by NIST 800-172 will be selected by the federal agency based on a risk assessment. Compliance with the enhanced requirements will be a part of the contract or grant agreement. Ten of the families of security controls found in NIST 800-171 have enhanced security controls in NIST 800-172. Here is a checklist of the 35 enhanced controls split up into the ten families.

Access Control checklist 

Three enhanced controls restrict access to critical or sensitive systems and manage the flow of sensitive data.

  • Two-person control (dual authorization) is required to execute critical system operations or commands, such as software configuration changes.
  • System access is allowed only to devices issued by the organization. Access by personal devices, or those issues by other organizations, are restricted.
  • Data flow is controlled through security policies and enforcement processes based on the type of information and its path.

Awareness and Training checklist

Two enhanced security controls focus on training personnel about complex security threats and completing drills and exercises.

  • Individuals undergo regular awareness training to recognize suspicious behaviour and different channels for advanced persistent threats, including emails and social engineering.
  • Practical exercises and training simulations are provided in line with emerging cybersecurity threats.

Configuration Management checklist

Three enhanced controls secure the configuration of systems and the resilience of system architecture.

  • Create an accurate inventory of system components and configuration change logs across hardware, firmware, software and firewalls.
  • Use automated tools to monitor changes to system component configuration and compliance with security policies. Create security responses for when configurations deviate.
  • Use automated tools to maintain and update the inventory of system components to ensure accountability.

Identification and Authentication checklist

Three enhanced controls focus on authenticating user access and system components, including authentication policies.

  • Authenticate and identify devices and system components before they connect to the network using a cryptographically based authentication system.
  • Create policies to automatically protect, rotate and manage passwords and pins for parts of the system or network that can’t use multifactor authentication.
  • Set security policies to stop devices from connecting to the system unless components are authenticated as properly configured or in a known trust profile.

Incident Response checklist

Two enhanced controls ensure best practice processes and personnel for responding to cybersecurity incidents.

  • Establish a security operations center staffed with cybersecurity professionals to monitor systems and networks and respond to incidents.
  • Create a cybersecurity incidents response team to be deployed during critical incidents to improve recovery and response time.

Personnel Security checklist

Two enhanced requirements focus on screening personnel and individuals with access to CUI.

  • Perform enhanced screening of personnel for positions with access to CUI, such as performing additional background checks.
  • Create a policy to protect systems and CUI if new adverse information about an individual is discovered, such as limiting future access and auditing previous actions taken by the individual.

Risk Assessment checklist

Seven enhanced requirements within the Risk Assessment family build proactive risk assessment capabilities within the organization.

  • Integrate cybersecurity threat intelligence into the risk assessment process for system and network development and all areas of risk management.
  • Proactively search and audit systems for cyber threats to detect and disrupt cybersecurity threats.
  • Embed automated and predictive analytics tools to discover threats, identify organizational risks, and help make data-led decisions.
  • Enhance existing system security plan (SSP) by documenting the rationale behind each security decision and risk level to help ongoing reassessment and accountability.
  • Embed a process for assessing the ongoing effectiveness of security policies and products based on evidence from aggregated threat intelligence.
  • Monitor and resolve any risks or threats in the supply chain that may affect systems and networks.
  • Create an up-to-date security plan to manage supply chain risks, including systems and services from external providers.

Security Assessment checklist

One enhanced requirement focuses on network vulnerability audits and assessment of security policies.

  • Perform regular network penetration tests and vulnerability scans using automated auditing tools and cybersecurity audit experts.

System and Communications Protection checklist

Five enhanced requirements protect and isolate system components to safeguard against cross-system malicious attacks.

  • Diversify system components to lower the impact of cross-system cyberattacks, such as deploying different overlapping security products from different vendors.
  • Embed elements of unpredictability into system security management processes, such as randomizing the time of day that system changes are deployed.
  • Design and launch security processes to misdirect, disinform or confuse unauthorized users.
  • Deploy isolation policies (physical and logical) within the system architecture to limit the flow of sensitive data and lower the risk of a cybersecurity incident spreading across the system.
  • Fragment or relocate at-risk system resources and components across different storage environments to make it harder for a targeted data breach.

System and Information Integrity checklist

Seven enhanced requirements focus on monitoring and reviewing system components.

  • Regularly verify the health and integrity of essential system components to identify any corrupted software leveraged during a cybersecurity incident.
  • Continuously record, monitor and audit systems and logs to detect suspicious actions or unusual behavior.
  • Segregate devices and system components that connect to the internet such as Internet of Things devices or operational technology. If these devices process CUI, include them in the enhanced security requirements.
  • Introduce a policy of non-persistence for relevant system components, activating when needed and terminating at the end of the session.
  • Introduce a retention policy and regularly review CUI in persistent storage, securely disposing of CUI that is no longer needed.
  • Incorporate threat intelligence from external cybersecurity specialist organizations into detection policies.
  • Confirm that the security properties of critical system components, such as firmware, hardware or software, have been formally verified.

Speed up NIST SP 800-172 compliance with Titania Nipper 

With these new requirements of NIST SP 800-172 possibly being added to your contracts, assessing your compliance can require even more significant resources and time.

Titania Nipper is a firewall and network device configuration audit tool that can accurately assess core network device requirements outlined by NIST 800-172, saving up to three hours per device audit. Nipper will help to streamline both NIST 800-171 and NIST 800-172 compliance, reducing the time and resources needed to maintain a secure and compliant environment.

Get a free trial of Titania Nipper today: