NIST 800-172

Learn about NIST 800-172 and explore its 35 enhanced security requirements.

  • Purpose

    NIST 800-172 provides enhanced security requirements for the protection of controlled unclassified information (CUI) on nonfederal systems that are related to critical programs or high value assets.

  • Relationship to NIST 800-171

    NIST 800-172's enhanced security requirements supplement NIST 800-171's security requirements and should be implemented in addition to them.

  • Advanced Persistent Threat

    NIST 800-172's enhanced security requirements are meant to counter advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources (such as a nation state).

  • Protection Strategies

    NIST 800-172 defines three protection areas: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.

  • Adversary Effects

    NIST 800-172's enhanced security requirements map to effects on the adversary's ability to disrupt and compromise. The five high-level effects are: redirect, preclude, impede, limit, and expose. There are fifteen additional classes of effects, including deceive, preempt, contain, and reveal.

  • Organization-defined Parameter Values

    Organization-defined parameter values prompt the organization to define values that are contained in the requirement text, such as defining the frequency of a security review.

NIST 800-172A

Learn about NIST 800-172A and explore its assessment procedures.

CMMC 2.0

Learn about CMMC 2.0 and explore its practices.

What is the purpose of NIST 800-172?

NIST 800-172 provides enhanced security requirements for CUI on nonfederal systems that are related to critical programs or high value assets. The requirements are meant to counter advanced persistent threats (APTs).

How is NIST 800-172 related to CMMC?

DoD's Cybersecurity Maturity Model Certification (CMMC) level 3 will incorporate a subset of NIST 800-172's enhanced security requirements.

How many controls does NIST 800-172 have?

NIST 800-172 has 35 controls.

Where did the NIST 800-172 controls come from?

NIST 800-172's controls are derived from NIST 800-53.

Where can I find a list of the NIST 800-172 controls?

We have published the NIST 800-172 controls here: NIST 800-172 Controls
