NIST SP 800 172 and Enhanced Guidelines for Cybersecurity Maturity Model

The final edition of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 appeared in February 2021. It was formerly known as NIST SP 800-171B, with drafts issued in June 2019 and July 2020.

The special publication comes in the wake of the SolarWinds breach. Russia-backed assailants gained access to the company’s update servers and spread malware to government agencies and major enterprises. The attack left a trail of evidence to follow, but the entire extent of the damage is unclear, and incident response might take a long time. These kind of high-stakes situations are projected to rise in frequency and severity, providing more precedent for passing additional lawsuits for DOD contractors’ most valuable assets.

NIST SP 800-172 is a supplement to NIST SP 800-171, a framework for protecting Controlled Classified Information on all CMMC for DoD contractors agreements that is mandated by DFARS 252.204-7012. According to the DOD, the needed NIST cyber controls haven’t consistently been fully implemented all across the spectrum, and self-assessment has been a challenge for businesses with limited resources, finance, or bandwidth.

The Cybersecurity Maturity Model Certification (CMMC) program attempts to address the risks of loss and breach connected with sensitive data and CUI by assuring security through third-party certification. The initiative, which will include all DOD involved parties over the next five years, is based on NIST standards and other related frameworks.

The new “172” NIST recommendations are anticipated to appear in DOD contracts involving sensitive material.

NIST SP 800-172 Key Takeaways

While NIST SP 800-171 specifies basic cybersecurity measures to safeguard CUI, NIST SP 800-172 specifies additional controls to protect CUI from more sophisticated threats such as adversary nation-states or foreign state-sponsored organizations.

Advanced Persistent Threats (APTs) are sneaky threat actors that strive to acquire access to networks unnoticed, and NIST SP 800-172 is specifically for projects and contractors that may be targets of APTs. State-sponsored attackers have extensive experience, vast resources, and the ability to strike via various avenues, including cyber, physical, and social.

The main difference between 171 and 172 is the approach. Although the controls in the pre-existing special edition are centered on reducing current risks, the supplement’s goal is to give recommendations for proactively preventing threats and anticipating the worst-case scenario would occur. It strives for damage limiting procedures, [and] a malware and survivable design. In other terms, 172 is for cybersecurity governance that is proactive and aggressive.

Some procedures, like utilizing rugged credentials, multi-factor authentication, and automatic tracking of authorized network users, should already be in place, according to 172. However, other measures, such as having a cyber-response team ready in the event of a significant catastrophe, require more work to implement and maintain.

How NIST SP 800-172 Connects to CMMC and Your DOD Contract

You may not be aware of the four degrees of danger if you are unfamiliar with CMMC documents. The amount of sensitivity of the data your company utilizes is proportional to the level of threat and the CMMC Level required to battle the threat, whether foreign, administrative or a supply chain attacker.

Unskilled Threat Actors: Intermediate Cyber Hygiene or CMMC Level 2 is necessary. NIST SP 800-171 specifies 17 controls that contractors must follow.

Threat Actors with Moderate Skill: CMMC DFARS Level 3 or Good Cyber Hygiene is necessary. Contractors must also adhere to 48 additional NIST SP 800-171 requirements.

CMMC Level 4 or Proactive level is necessary for Advanced Threat Actors. Contractors must adhere to 11 NIST SP 800-172 controls and 15 other controls.

CMMC Level 5 or Advanced/Progressive level is necessary for most advanced malicious attackers. Contractors must adhere to the final four controls from NIST SP 800-172 and an additional 11 controls.

Because NIST SP 800-172 only applies to contracts requiring CMMC Level 4 and CMMC Level 5, as well as enterprises at risk from Advanced Persistent Threats, the bulk of DOD contractors and suppliers, will be unaffected.cmmc for dod contractors