NIST SP 800-172

NIST SP 800-172, titled "Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations," builds on the foundation of NIST SP 800-171. It provides additional security controls and enhancements for organizations that handle highly sensitive Controlled Unclassified Information (CUI), particularly when the risk of advanced persistent threats (APTs) is a concern.

Here’s a breakdown of NIST 800-172:

1. Purpose and Scope:

NIST SP 800-172 is designed for environments that require enhanced protection due to a higher threat level. It focuses on mitigating risks from APTs, which are sophisticated, well-resourced adversaries that use a variety of tactics to infiltrate systems and remain undetected. The publication supplements NIST 800-171 and is intended to be used in conjunction with it. While 800-171 establishes baseline protections for CUI, 800-172 is for organizations handling high-value or critical CUI, where the consequences of a breach would be more severe.

2. Advanced Persistent Threats (APTs):

APTs refer to highly skilled and well-funded adversaries that use persistent and sophisticated techniques to infiltrate and exfiltrate sensitive data over long periods. Examples include nation-state actors targeting defense contractors. The enhanced security requirements in 800-172 aim to defend against these advanced threats by implementing more rigorous and layered security controls.

3. Key Security Control Enhancements:

NIST SP 800-172 introduces 35 additional requirements that focus on:

Cybersecurity Resilience: Strengthening the organization’s ability to detect, respond to, and recover from attacks, particularly by building in redundancy and response mechanisms. Exfiltration and Infiltration Protection: Implementing measures to prevent adversaries from stealing or inserting malicious data, such as encrypted data storage and communications, multi-factor authentication, and monitoring for abnormal behavior. Security Monitoring: Increasing the use of security analytics and monitoring tools to detect unusual activities, especially those that might indicate an APT is operating within the network. Incident Response and Recovery: Enhancing the organization’s capability to respond to breaches by setting up robust incident response plans, continuous monitoring, and ensuring system backups and rapid restoration of critical services.

4. Applicability:

NIST 800-172 is not for all contractors but is recommended for organizations handling high-risk CUI or those working on critical federal programs like defense or national security-related projects. For example, defense contractors working on projects with heightened risk from APTs (e.g., sensitive defense technologies, advanced research) would be expected to implement the controls in NIST 800-172 in addition to those required by NIST 800-171.

5. CMMC Impact:

The Cybersecurity Maturity Model Certification (CMMC), which is required for Department of Defense (DoD) contractors, also incorporates NIST SP 800-172 requirements at the highest levels (CMMC Levels 4 and 5). This means contractors handling sensitive DoD information may need to meet both NIST 800-171 and the enhanced protections outlined in 800-172.

6. Key Focus Areas:

Enhanced Protection of CUI: Including encryption, access control, and multifactor authentication to prevent data leakage. Defense Against Cyber Intrusions: Improving monitoring, logging, and response capabilities to detect and mitigate sophisticated cyber intrusions. Data Integrity: Ensuring that information remains accurate and unaltered during storage, processing, or transmission.

Summary:

While NIST 800-171 sets the baseline for protecting CUI, NIST 800-172 introduces enhanced security measures to counter advanced persistent threats (APTs). These additional controls are particularly relevant for organizations dealing with high-value or critical government projects, where the risk and consequences of data compromise are high.

By implementing both 800-171 and 800-172, organizations can ensure that they not only meet federal security requirements but also bolster their defenses against the most sophisticated cyber threats.