The National Institute of Standards and Technology (NIST) regularly publishes new guidance for contractors on how to handle sensitive information. One of the newest additions to NIST’s long list of publications is SP 800-172.
Because it was released so recently and the requirements for contractors are constantly changing, there are a lot of questions surrounding 800-172 and who must comply with it.
Keep reading to learn about what it all means for you and your contracts.
What Is NIST 800-172?
NIST 800-172 is a special publication that was released in an effort to enhance cybersecurity requirements that are linked to sensitive government information. This document is intended to be a supplement to NIST 800-171, which lays the security framework for Department of Defense contractors.
The title of the 800-172 publication is “Enhanced Security Requirements for Protecting Controlled Unclassified Information”. Unlike 800-171, which is titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, the focus here is on providing even more information on how contractors can protect highly sensitive CUI.
So while 800-171 sets the framework and basic guidelines for protecting CUI, 800-172 takes it even further by detailing enhanced security measures to protect against more advanced threats.
A Quick Note on APT
While 800-171 addresses general cyber attacks, this document is aimed at protecting contractors who could be targeted by what are known as Advanced Persistent Threats, or APTs for short.
According to the official publication, “An APT is an adversary or adversarial group that possesses the expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception.”
This is a broad term that categorizes cyber attack campaigns in which the intruder establishes a long-term unauthorized presence within a network that contains highly sensitive data – in this case, CUI. As you can probably guess, the main targets of these threats are none other than government networks.
Who Must Comply With 800-172 Requirements?
Not every DoD contractor is required to comply with NIST 800-172. Compliance with 800-171 is made a requirement by the DFARS 252.204-7012 clause, but no such clause exists for 800-172.
However, that doesn’t mean you’re off the hook for taking 172 into consideration. Since 800-172 is meant for contractors who are at risk of being a victim of Advanced Persistent Threats, that’s exactly who should be complying with this publication.
Even if your organization is not seen as a target for APT, it’s still not a bad idea to take the information within 800-172 to heart. Even if you’re not at risk of this advanced type of threat, practicing good cyber hygiene is the best way to stay protected against cyber attackers.
How Does NIST 800-172 Affect Contractors?
The main effect that NIST 800-172 has on contractors is an added layer of protection for those who need it. Contractors who are unlikely to be directly targeted by APT won’t be affected at all by 800-172 since it will likely only apply to contracts that are considered high risk and must defend against APT.
How 800-172 Fits Into the CMMC Framework
The Cybersecurity Maturity Model Certification (CMMC) is a set of standards that is intended to unify cybersecurity measures and protocols across the Defense Industrial Base (DIB). This model is currently being phased in and will become a requirement for all contractors by 2026.
The CMMC is made up of 5 different maturity levels, ranging from Level 1 (the most basic) to Level 5 (the most advanced). Levels 4 and 5 are required for contractors who handle more sensitive information and/or are at a higher risk of cyber threats.
Both of these levels (4 and 5) include 15 of the NIST 800-172 (formerly NIST 800-171B) security controls.
Preparing for NIST 800-171, 800-172, CMMC & More
DoD cybersecurity compliance requirements are constantly evolving, so it’s no wonder that so many contractors feel lost and overwhelmed. But you don’t have to go it alone: outsourcing to a cybersecurity professional allows you to focus on fulfilling your contracts rather than on complying with complicated security frameworks.
Contact VAAXA for more information on our services and how we can help your organization incorporate NIST 800-172 into your security plan.