NIST 172 Cybersecurity

NIST Special Publication 800-172 (aka SP 800-172 or NIST 172) provides an enhanced set of 35 additional security controls to strengthen the protection of any controlled unclassified information (CUI) held by non-federal organizations due to working as suppliers on Federal contracts. The SP 800-172 requirements build on SP 800-171, and the latter must be in place before SP 800-172 gets adopted. NIST 172 is related to the broader Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) regulations.

The requirement to have SP 800-172 controls in place is dependent on the contract and how sensitive the CUI that a non-federal supplier is holding. The need to have SP 800-172 controls in place gets stipulated in bid documentation or contracts drawn up between a federal agency and its contractors. Protection against state-level Advanced Persistent Threat (APT) and the information that they look to steal for defense and other projects is often a driver for requiring SP 800-172 controls.

The updated Cybersecurity Maturity Model Certification (CMMC) 2.0 is currently being finalized. The new CMMC 2.0 Level 3 certification maps to the 35 practices in NIST SP 800-172. Organizations can only achieve CMC 2.0 Level 3 compliance after CMC 2.0 Level 2 certification, so the 110 controls in NIST SP 800-171 and the 35 enhanced controls in NIST SP 800-172 are required for CMMC 2.0 Level 3 certification.