What is NIST SP 800-172? Requirements for Protecting CUI
NIST Special Publication 800-172 is a companion document to NIST SP 800-171 and is designed to strengthen resilience against advanced cybersecurity risks, such as Advanced Persistent Threats (APTs). It is a series of enhanced security controls that build off the requirements outlined in NIST SP 800-171 and is relevant for any non-federal organization that processes Controlled Unclassified Information (CUI) associated with a critical government programs or high value federal assets.
NIST SP 800-172 is a supplementary document to NIST SP 800-171, which is designed to help safeguard sensitive information on non-federal systems through best practice processes and security controls and applies to federal contractors that handle, process or store CUI on their networks. Examples of organizations who could be subject to NIST SP 800-171 requirements include defense contractors, research institutions, or financial, cloud or communications systems service providers.
NIST SP 800-172 provides an enhanced selection of security controls for when the CUI is related to critical systems and programs. It helps to further strengthen non-federal systems that are particularly at risk from malicious attack. It consists of 35 enhanced requirements that go beyond the 110 controls outlined by NIST 800-171. The aim is to strengthen systems in the US government supply chain against the likes of APTs and to ensure at-risk data is as secure as possible on non-federal systems.
This guide explores NIST SP 800-172, the background to the framework, and its requirements.
What is NIST SP 800-172?
Published in February 2021, NIST SP 800-172 is a supplement publication to NIST SP 800-171. It was designed to strengthen supply chain resilience against sophisticated cybersecurity attacks. NIST SP 800-172 accordingly contains a series of 35 enhanced security controls to safeguard high-risk unclassified information on non-federal systems.
The enhanced controls outlined are selected for inclusion in government contracts by federal agencies based on a risk assessment and operational needs and requirements, and these controls will be implemented alongside the requirement of NIST SP 800-171. Compliance with specific requirements will be outlined in contracts or agreements with suppliers, service providers or research institutions.
What is the purpose of NIST SP 800-172?
The ongoing operation of the US government relies on a range of different IT systems, devices and networks. In many cases these are non-federal systems that relate to critical infrastructure industries, like defense, manufacturing, energy and healthcare. Cybersecurity incidents and data breaches related to a critical government programs can be devastating for US economic and national security, which means non-federal systems connected to critical government programs or systems are an attractive target for a malicious attack. So, CUI in these systems require additional or enhanced levels of protection from complex cyberattacks.
NIST SP 800-172 was created to strengthen the protection of CUI on non-federal systems associated with critical government programs. Its enhanced cybersecurity requirements are designed to provide the foundation for a multi-dimensional, defense-in-depth protection strategy that makes contractors more resilient against breaches and makes it more difficult for sophisticated attacks to proliferate.
What is CUI?
CUI stands for Controlled Unclassified Information and includes sensitive government data that’s not classified. Government agencies provide a list of specific definitions of CUI in the CUI Registry, which categorizes different controlled information. Examples include personal data, technical data and patent information. The CUI Registry also includes guidance, policies, and requirements on the handling of CUI.
Government contractors and organizations that provide a service to federal agencies will generally be processing or have access to CUI or Federal Contract Information (FCI). FCI will be government data that’s less sensitive than CUI but is not intended for general release.
NIST SP 800-171 provides security controls for the protection of CUI in non-federal systems. The enhanced security controls outlined by NIST SP 800-172 add another level of protection for CUI associated with critical government programs or high-value federal assets.
What are Advanced Persistent Threats (APT)?
Advanced Persistent Threat (APT) is defined in the NIST SP 800-172 publication as an adversary that has the resources and expertise to attack systems through different attack vectors. Channels of attack may include cyber threats, physical system access, or deception campaigns. APTs could be state-sponsored attacks with the aim of gaining sensitive information or simply to disrupt critical services.
An attack by an APT will often be complex, reactive to the organization’s defenses, and take place over an extended period of time. Access may not be instantly detected, as an APT’s objective could be to gain access to a system in preparation for future attacks or data breaches.
CUI related to critical government programs or high-value federal assets are an attractive target for APT groups. In these instances, CUI could be leveraged for ransom or stolen to compromise critical programs, systems or government objectives. NIST SP 800-172’s introduction is intended to make it harder for attackers and, in doing so, making the federal supply chain more resilient.
Who needs NIST SP 800-172?
Organizations that process CUI or provide services for critical government programs may need to be compliant with parts of NIST SP 800-172. Compliance with elements of NIST SP 800-172 will be included in the agreement between the federal agency and non-federal organization. This could be in a contractor agreement, service contract or grant agreement.
Examples of organizations include:
- Government contractors and subcontractors working on critical programs.
- Research institutions processing or storing high-risk CUI as part of their research projects.
- Service provides processing CUI for critical industries like energy, manufacturing, healthcare or defense.
- Federal service providers of financial, cloud or communications systems.
The requirements outlined by NIST SP 800-172 are applicable to the parts of an organization's system and network that deal with CUI related to a critical program or high-value asset. These are the parts of the system that require enhanced protection against malicious attack. Enhanced security controls outlined in NIST SP 800-172 will be important for any government contractor required to reach CMMC Level 5 certification. The Cybersecurity Maturity Model Certification (CMMC) is a framework of cybersecurity controls for US defense contractors.
NIST SP 800-172 requirements
NIST SP 800-172 outlines 35 enhanced security requirements, organized into the 14 security topics or families. Each control family mirrors the same groupings that make up NIST SP 800-171. The requirements are designed in the same way as in NIST SP 800-171, with a description of the control followed by a discussion section to contextualize it. Some enhanced controls have a degree of flexibility for certain control parameters to be customized to the organization or operation.
Relevant NIST SP 800-172 requirements are selected by federal agencies to protect CUI relating to critical programs, in line with the federal agency’s specific operation and risk assessment. Compliance with the enhanced control will be included in the contract between the government and contractor.
NIST SP 800-172 controls provide the foundation for a three-part enhanced protection strategy for the organization. Each element supports the others as part of the protection strategy and are best practice against Advanced Persistent Threats (APTs). The three elements of the protection strategy are:
- Penetration-Resistant Architecture
- Damage-Limiting Operations
- Cyber Resiliency Survivability
It’s more likely that an organization will need to meet a selection of relevant controls instead of all the requirements outlined by NIST SP 800-172. The enhanced requirements will be balanced across the three areas that make up the protection strategy. This ensures a comprehensive improvement of system resilience across all areas. When the three parts are strengthened, an organization lowers the risk of successful cyberattack against high-value assets.
NIST SP 800-172 control families
Requirements of NIST SP 800-172 are categorized into the same 14 ‘families’ that make up NIST SP 800-171, though only 10 of the families actually contain enhanced requirements. Each family of controls is a different security topic, from access control to system and information integrity. The 10 families of controls that do have enhanced security requirements build off the basic requirements within NIST SP 800-171.
The 14 families of controls are:
Titania Nipper can help implement NIST SP 800-172
Titania Nipper is a firewall and network configuration audit tool that can help streamline NIST SP 800-172 compliance. It automatically and accurately assesses network devices requirements outlined by NIST 800-172. Automatic vulnerability scans can save your team time and resources. Each scan saves assessors up to three hours per device audit.