NIST SP 800-172
Dayton-area defense contractors may already be aware of the NIST SP 800-171 requirements. That publication was first developed to provide recommended controls for protecting controlled unclassified information (CUI) held by non-federal entities. Companies handling CUI must implement these requirements to demonstrate that they provide adequate security for the information included in their defense contracts. While these controls are deemed effective, they do not provide safeguards to protect CUI against advanced persistent threats (APTs).
This NIST Special Publication (SP) was released February 2, 2021. It provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of controlled unclassified information (CUI). NIST SP 800-172 builds on the foundation of NIST SP 800-171, supplementing controls that were not designed to protect against advanced persistent threats (APTs). NIST SP 800-172 provides 35 enhanced security requirements designed to safeguard CUI against these APTs. These NIST SP 800-172 controls are only required when mandated by a federal agency in a contract, grant, or other agreement.
The NIST SP 800-172 security requirements provide the foundation for a defense-in-depth protection strategy that includes three mutually supportive components:
- Penetration-resistant architecture,
- Damage-limiting operations, and
- Cyber resiliency and survivability.
Penetration-resistant architecture uses technology and procedures to limit the opportunities for an adversary to compromise the system. Many of the 35 controls in NIST SP 800-172 affect how this architecture is built and secured.
Damage-limiting operations focus on detecting compromises and limiting the effect of both detected and undetected system compromises.
Cyber resiliency and survivability are the ability to anticipate, withstand, and recover from an attack.
The NIST SP 800-172 controls are necessary for safeguarding CUI against APTs. This SP is only required for defense contractors and supply chain entities whose contracts specify the implementation of these controls.
We realize the information security requirements for defense contractors are an evolving topic. As you start to work through these requirements, LMSolutions is here to help guide your company on this journey. Contact us at https://lmsolutionsllc.com to see how our teams can work through this minefield together.