NIST 172 Cybersecurity

NIST Special Publication 800-172 (also known as SP 800-172 or NIST 172) provides an enhanced set of 35 additional security controls to strengthen the protection of controlled unclassified information (CUI) that non-federal organizations hold as suppliers on federal contracts. The SP 800-172 requirements build on SP 800-171, which must be in place before SP 800-172 is adopted. NIST 172 is related to the broader Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) regulations.


Whether SP 800-172 controls are required depends on the contract and on how sensitive the CUI held by the non-federal supplier is. The requirement is stipulated in bid documentation or in contracts drawn up between a federal agency and its contractors. Protection against state-level Advanced Persistent Threats (APTs), and of the information they look to steal from defense and other projects, is often a driver for requiring SP 800-172 controls.

The updated Cybersecurity Maturity Model Certification (CMMC) 2.0 is currently being finalized. The new CMMC 2.0 Level 3 certification maps to the 35 practices in NIST SP 800-172. Organizations can only achieve CMMC 2.0 Level 3 compliance after CMMC 2.0 Level 2 certification, so both the 110 controls in NIST SP 800-171 and the 35 enhanced controls in NIST SP 800-172 are required for CMMC 2.0 Level 3 certification.
