NIST 800-172 provides enhanced security requirements for the protection of controlled unclassified information (CUI) on nonfederal systems that are related to critical programs or high value assets.
Relationship to NIST 800-171
NIST 800-172's enhanced security requirements supplement NIST 800-171's security requirements, and should be implemented in addition to NIST 800-171's security requirements.
Advanced Persistant Threat
NIST 800-172's enhanced security requirements are meant to counter advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources (such as a nation state).
NIST 800-172 defines three protection areas: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.
NIST 800-172's enhanced security requirements map to effects on the adversary's ability to disrupt and compromise. The five high level effects are: redirect, preclude, impede, limit, and expose. There are fifteen additional classes of effects, including deceive, preempt, contain, and reveal.
Organization-defined Parameter Values
Organization-defined parameter values prompt the organization to define values that are contained in the requirement text, such as defining the frequency of a security review.
Learn about NIST 800-172A and explore its assessment procedures.
Learn about the CMMC 2.0 and explore its practices.
NIST 800-172 provides enhanced security requirements for CUI on nonfederal systems that are related to critical programs or high value assets. The requirements are meant to counter advanced persistent threats (APTs).
DoD's Cybersecurity Maturity Model Certification (CMMC) level 3 will incorporate a subset of NIST 800-172's enhanced security requirements.
NIST 800-172 has 35 controls.
NIST 800-172's controls are derived from NIST 800-53.