NIST SP 800-172: Advanced Security Controls for an Advanced Persistent Threat

By Richard Brechwald • September 1, 2020

Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.

What is new in NIST 800-172?

The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DoD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on a majority of DoD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APT). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. As such, it requires enhanced cybersecurity activities to prevent an APT from accessing a contractor’s network, or even identifying that an APT has already gained unauthorized access to a contractor’s systems or networks.

How will NIST SP 800-172 Affect My Contracts?

One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, the required cybersecurity framework imposed on all DoD contracts that handle CUI through DFARS 252.204-7012, no DFARS clause requires NIST 800-172. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.

CMMC’s Incorporation of NIST 800-172

The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.

The DoD is working now to publish a new DFARS clause and contract language to allow DoD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DoD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.