Skip to content

Resources

What is NIST SP 800-172? Requirements for Protecting CUI

NIST Special Publication 800-172 is a companion document to NIST SP 800-171 and is designed to strengthen resilience against advanced cybersecurity risks, such as Advanced Persistent Threats (APTs). It is a series of enhanced security controls that build off the requirements outlined in NIST SP 800-171 and is relevant for any non-federal organization that processes Controlled Unclassified Information (CUI) associated with a critical government programs or high value federal assets.

NIST SP 800-172 is a supplementary document to NIST SP 800-171, which is designed to help safeguard sensitive information on non-federal systems through best practice processes and security controls and applies to federal contractors that handle, process or store CUI on their networks. Examples of organizations who could be subject to NIST SP 800-171 requirements include defense contractors, research institutions, or financial, cloud or communications systems service providers.

NIST SP 800-172 provides an enhanced selection of security controls for when the CUI is related to critical systems and programs. It helps to further strengthen non-federal systems that are particularly at risk from malicious attack. It consists of 35 enhanced requirements that go beyond the 110 controls outlined by NIST 800-171. The aim is to strengthen systems in the US government supply chain against the likes of APTs and to ensure at-risk data is as secure as possible on non-federal systems.

This guide explores NIST SP 800-172, the background to the framework, and its requirements.

What is NIST SP 800-172?

Published in February 2021, NIST SP 800-172 is a supplement publication to NIST SP 800-171. It was designed to strengthen supply chain resilience against sophisticated cybersecurity attacks. NIST SP 800-172 accordingly contains a series of 35 enhanced security controls to safeguard high-risk unclassified information on non-federal systems.

The enhanced controls outlined are selected for inclusion in government contracts by federal agencies based on a risk assessment and operational needs and requirements, and these controls will be implemented alongside the requirement of NIST SP 800-171. Compliance with specific requirements will be outlined in contracts or agreements with suppliers, service providers or research institutions.

What is the purpose of NIST SP 800-172?

The ongoing operation of the US government relies on a range of different IT systems, devices and networks. In many cases these are non-federal systems that relate to critical infrastructure industries, like defense, manufacturing, energy and healthcare. Cybersecurity incidents and data breaches related to a critical government programs can be devastating for US economic and national security, which means non-federal systems connected to critical government programs or systems are an attractive target for a malicious attack. So, CUI in these systems require additional or enhanced levels of protection from complex cyberattacks.

NIST SP 800-172 was created to strengthen the protection of CUI on non-federal systems associated with critical government programs. Its enhanced cybersecurity requirements are designed to provide the foundation for a multi-dimensional, defense-in-depth protection strategy that makes contractors more resilient against breaches and makes it more difficult for sophisticated attacks to proliferate.

 

What is CUI?

CUI stands for Controlled Unclassified Information and includes sensitive government data that’s not classified. Government agencies provide a list of specific definitions of CUI in the CUI Registry, which categorizes different controlled information. Examples include personal data, technical data and patent information. The CUI Registry also includes guidance, policies, and requirements on the handling of CUI.

Government contractors and organizations that provide a service to federal agencies will generally be processing or have access to CUI or Federal Contract Information (FCI). FCI will be government data that’s less sensitive than CUI but is not intended for general release.

NIST SP 800-171 provides security controls for the protection of CUI in non-federal systems. The enhanced security controls outlined by NIST SP 800-172 add another level of protection for CUI associated with critical government programs or high-value federal assets.

What are Advanced Persistent Threats (APT)?

 

Advanced Persistent Threat (APT) is defined in the NIST SP 800-172 publication as an adversary that has the resources and expertise to attack systems through different attack vectors. Channels of attack may include cyber threats, physical system access, or deception campaigns. APTs could be state-sponsored attacks with the aim of gaining sensitive information or simply to disrupt critical services.

An attack by an APT will often be complex, reactive to the organization’s defenses, and take place over an extended period of time. Access may not be instantly detected, as an APT’s objective could be to gain access to a system in preparation for future attacks or data breaches.

CUI related to critical government programs or high-value federal assets are an attractive target for APT groups. In these instances, CUI could be leveraged for ransom or stolen to compromise critical programs, systems or government objectives. NIST SP 800-172’s introduction is intended to make it harder for attackers and, in doing so, making the federal supply chain more resilient.

Who needs NIST SP 800-172?

Organizations that process CUI or provide services for critical government programs may need to be compliant with parts of NIST SP 800-172. Compliance with elements of NIST SP 800-172 will be included in the agreement between the federal agency and non-federal organization. This could be in a contractor agreement, service contract or grant agreement.

Examples of organizations include:

  • Government contractors and subcontractors working on critical programs.
  • Research institutions processing or storing high-risk CUI as part of their research projects.
  • Service provides processing CUI for critical industries like energy, manufacturing, healthcare or defense.
  • Federal service providers of financial, cloud or communications systems.

The requirements outlined by NIST SP 800-172 are applicable to the parts of an organization's system and network that deal with CUI related to a critical program or high-value asset. These are the parts of the system that require enhanced protection against malicious attack. Enhanced security controls outlined in NIST SP 800-172 will be important for any government contractor required to reach CMMC Level 5 certification. The Cybersecurity Maturity Model Certification (CMMC) is a framework of cybersecurity controls for US defense contractors.

NIST SP 800-172 requirements

NIST SP 800-172 outlines 35 enhanced security requirements, organized into the 14 security topics or families. Each control family mirrors the same groupings that make up NIST SP 800-171. The requirements are designed in the same way as in NIST SP 800-171, with a description of the control followed by a discussion section to contextualize it. Some enhanced controls have a degree of flexibility for certain control parameters to be customized to the organization or operation.

Relevant NIST SP 800-172 requirements are selected by federal agencies to protect CUI relating to critical programs, in line with the federal agency’s specific operation and risk assessment. Compliance with the enhanced control will be included in the contract between the government and contractor.

NIST SP 800-172 controls provide the foundation for a three-part enhanced protection strategy for the organization. Each element supports the others as part of the protection strategy and are best practice against Advanced Persistent Threats (APTs). The three elements of the protection strategy are:

  • Penetration-Resistant Architecture
  • Damage-Limiting Operations
  • Cyber Resiliency Survivability

It’s more likely that an organization will need to meet a selection of relevant controls instead of all the requirements outlined by NIST SP 800-172. The enhanced requirements will be balanced across the three areas that make up the protection strategy. This ensures a comprehensive improvement of system resilience across all areas. When the three parts are strengthened, an organization lowers the risk of successful cyberattack against high-value assets.

NIST SP 800-172 control families

Requirements of NIST SP 800-172 are categorized into the same 14 ‘families’ that make up NIST SP 800-171, though only 10 of the families actually contain enhanced requirements. Each family of controls is a different security topic, from access control to system and information integrity. The 10 families of controls that do have enhanced security requirements build off the basic requirements within NIST SP 800-171.

The 14 families of controls are:

Access Control

Access Control consists of three enhanced controls designed to restrict access to critical or sensitive systems. The controls include embedding dual authorization policies when performing critical system changes, so that two qualified individuals must approve any changes to network or system components and settings. Other requirements cover controlling information and data flows and restricting system components to those owned by the organization.

Awareness and Training

Awareness and Training consists of two enhanced controls focusing on building resilience against the unique threats posed by Advanced Persistent Threats. One control covers training to build awareness of advanced and complex security threats, to better detect APTs. The other control focuses on practical drills and exercises built to gain resilience against specific tactics and techniques of cybersecurity attackers.

Configuration Management

Configuration Management consists of three enhanced controls designed to safeguard system configuration and components. The controls include maintaining a comprehensive system inventory and embedding processes to proactively monitor unauthorized changes to system configuration. These controls strengthen the resilience of system architecture and improve the ability to detect attacks.

Identification and Authentication

There are three enhanced requirements in the Identification and Authentication family of controls. Requirements improve processes for authenticating systems components and devices to lower the risk of unauthorized access. They also deal with strengthening password protection policies and the automatic locking out of unrecognized components from the system.

Incident Response

There are two enhanced requirements in the Incident Response family of controls. Both strengthen the processes for detecting and responding to serious cybersecurity incidents. The first focuses on the creation and maintenance of a Security Operations Center (SOC) in the organization, which is in charge of monitoring and defending systems and networks. The other enhanced control focuses on the creation of a cyber incident response team in the organization. The team provides rapid response to cybersecurity incidents to mitigate threats and spearhead the system recovery.

Personnel Security

There are two enhanced requirements within the Personnel Security family of controls. The enhanced controls focus on the assessment and screening of personnel to achieve a secure workforce. Policies include screening any individual that has access to CUI, helping to reduce the potential risk of individuals causing data breaches.

Risk Assessment

There are seven enhanced requirements in the Risk Assessment family of controls. Each requirement builds on the organization’s capabilities to use risk assessment as a tool to develop system architecture and policies. Controls cover proactive searches to identify cyber threats in addition to automated scanning and audit tools. These requirements provide resources for the previously mentioned SOC to properly function. Other enhanced controls in this section deal with embedding risk assessment into the system security plan (SSP) and the ongoing risk management of the supply chain.

Security Assessment

There is one enhanced requirement in the Security Assessment family of controls. It focuses on the effective assessment of security policies and system configurations in the organization. This may include the use of automated network vulnerability scanning tools, regular penetration testing, and ad-hoc audits by cybersecurity experts.

System and Communications Protection

There are five enhanced requirements in the System and Communications Protection family of controls. These requirements are varied and include the use of a diverse selection of system components and isolation techniques to make cross-system attacks more difficult.

System and Information Integrity

There are seven enhanced requirements in the System and Information Integrity family of controls. Each control focuses on the organization's capability to verify and monitor system integrity to lower the risk of ongoing information attacks. Controls cover the monitoring of the system for suspicious activity and the regular review of system component inventory and CUI storage locations.

Audit and Accountability

The Audit and Accountability family of controls has no enhanced requirements as part of NIST SP 800-172.

Maintenance

The Maintenance family of controls has no enhanced requirements as part of NIST SP 800-172.

Media Protection

The Media Protection family of controls has no enhanced requirements as part of NIST SP 800-172.

Physical Protection

The Physical Protection family of controls has no enhanced requirements as part of NIST SP 800-172.

Titania Nipper can help implement NIST SP 800-172

Titania Nipper is a firewall and network configuration audit tool that can help streamline NIST SP 800-172 compliance. It automatically and accurately assesses network devices requirements outlined by NIST 800-172. Automatic vulnerability scans can save your team time and resources. Each scan saves assessors up to three hours per device audit.