NIST 800-172

Learn about NIST 800-172 and explore its 35 enhanced security requirements.

  • Purpose

    NIST 800-172 provides enhanced security requirements for the protection of controlled unclassified information (CUI) on nonfederal systems that are related to critical programs or high value assets.

  • Relationship to NIST 800-171

    NIST 800-172's enhanced security requirements supplement NIST 800-171's security requirements, and should be implemented in addition to NIST 800-171's security requirements.

  • Advanced Persistant Threat

    NIST 800-172's enhanced security requirements are meant to counter advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources (such as a nation state).

  • Protection Strategies

    NIST 800-172 defines three protection areas: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.

  • Adversary Effects

    NIST 800-172's enhanced security requirements map to effects on the adversary's ability to disrupt and compromise. The five high level effects are: redirect, preclude, impede, limit, and expose. There are fifteen additional classes of effects, including deceive, preempt, contain, and reveal.

  • Organization-defined Parameter Values

    Organization-defined parameter values prompt the organization to define values that are contained in the requirement text, such as defining the frequency of a security review.

NIST 800-171 / CMMC Training
Available Now!

NIST 800-172A

Learn about NIST 800-172A and explore its assessment procedures.

CMMC 2.1

Learn about the CMMC and explore its requirements.

NIST 800-172 provides enhanced security requirements for CUI on nonfederal systems that are related to critical programs or high value assets. The requirements are meant to counter advanced persistent threats (APTs).

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!