NIST 800-172

Q: What is the purpose of NIST 800-172?

NIST 800-172 provides enhanced security requirements for CUI on nonfederal systems that are related to critical programs or high value assets . The requirements are meant to counter advanced persistent threats (APTs).

Q: How is NIST 800-172 related to CMMC?

DoD's Cybersecurity Maturity Model Certification ( CMMC ) level 3 will incorporate a subset of NIST 800-172's enhanced security requirements.

Q: Where did the NIST 800-172 controls come from?

NIST 800-172's controls are derived from NIST 800-53 .

Q: Where can I find a list of the NIST 800-172 controls?

We have published the NIST 800-172 controls here: NIST 800-172 Controls

Learn about NIST 800-172 and explore its 35 enhanced security requirements.

Explore the Requirements

Purpose

NIST 800-172 provides enhanced security requirements for the protection of controlled unclassified information (CUI) on nonfederal systems that are related to critical programs or high value assets.
Relationship to NIST 800-171

NIST 800-172's enhanced security requirements supplement NIST 800-171's security requirements, and should be implemented in addition to NIST 800-171's security requirements.

Advanced Persistant Threat

NIST 800-172's enhanced security requirements are meant to counter advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources (such as a nation state).
Protection Strategies

NIST 800-172 defines three protection areas: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.

Adversary Effects

NIST 800-172's enhanced security requirements map to effects on the adversary's ability to disrupt and compromise. The five high level effects are: redirect, preclude, impede, limit, and expose. There are fifteen additional classes of effects, including deceive, preempt, contain, and reveal.
Organization-defined Parameter Values

Organization-defined parameter values prompt the organization to define values that are contained in the requirement text, such as defining the frequency of a security review.

NIST 800-171 / CMMC Training
Available Now!

Learn More

NIST 800-172A

Learn about NIST 800-172A and explore its assessment procedures.

Learn More

CMMC 2.1

Learn about the CMMC and explore its requirements.

Learn More

What is the purpose of NIST 800-172?

NIST 800-172 provides enhanced security requirements for CUI on nonfederal systems that are related to critical programs or high value assets. The requirements are meant to counter advanced persistent threats (APTs).

How is NIST 800-172 related to CMMC?

How many controls does NIST 800-172 have?

Where did the NIST 800-172 controls come from?

Where can I find a list of the NIST 800-172 controls?

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!

Learn More

NIST 800-172

Purpose

Relationship to NIST 800-171

Advanced Persistant Threat

Protection Strategies

Adversary Effects

Organization-defined Parameter Values

NIST 800-172A

CMMC 2.1

What is the purpose of NIST 800-172?

How is NIST 800-172 related to CMMC?

How many controls does NIST 800-172 have?

Where did the NIST 800-172 controls come from?

Where can I find a list of the NIST 800-172 controls?

CMMC Training

GRC Academy

Contact Us

Partners

Student Reviews

Affiliate Program

Connect With Us