A Complete Guide to NIST 800-172


NIST 800-172 rev. 2, Difference Between NIST 800-171 and NIST 800-172 and What They Mean to DoD Contractors


The National Institute of Standards and Security (NIST) has recently released a new publication, NIST 800-172. It is an enhanced version of security requirements concerning controlled unclassified information (CUI) for non-federal organizations and systems. The final version was released on February 2nd,2021, and it contains essential data about the integrity, confidentiality, and availability of CUI, focusing on its protection.

How Can IVTAS Help You Comply with NIST 800-171 R2?

Cybersecurity specialists from IVTAS have many years of experience leading federal contractors through essential frameworks and compliances, including NIST 800-171. We will introduce you to the most recent changes in the framework, ensuring you understand each segment and achieve compliance more quickly. You can contact us and schedule a free compliance assessment and discover the most efficient strategies for taking your cybersecurity to new heights.

  • Initial NIST assessment to determine your current compliance levels
  • Present a complex assessment report with a suggested security plan
  • Show the roadmap for achieving NIST compliance
  • Adopt managed security services
  • Bring improvements to your cybersecurity infrastructure
  • Monitor your security controls to check if they’re still effective
  • Detect and fix flaws and vulnerabilities in the system.

What is NIST SP 800-171 Revision 2?

The goal of NIST SP 800-172 is to supplement the requirements described in NIST 800-171 under the DFARS 252.204-7012 standards. It includes 35 additional requirements that aim to safeguard controlled unclassified information (CUI) from advanced persistent threats (APTs) that could affect national security.

However, NIST 800-172 doesn’t include guidance for identifying assets that are highly valuable to organizations. The organization is, instead, required to maintain discretion for those in charge of the enhanced security requirements.

Initially, the NIST indicated that the changes wouldn’t alter any existing technical information in the framework but further explain what organizations should do to improve their security practices and enhance the protection of CUI. Additionally, the changes aim to resolve ambiguity in previous versions of the framework.

NIST 800-172 vs. 171

Although NIST 800-171 R2 didn’t bring any significant changes to the previous standards, it outlines 35 enhanced requirements for increasing the protection of the CUI’s integrity, confidentiality, and ability in non-federal systems. It aims specifically at protection from advanced persistent threats (APTs) targeting critical programs and high-value assets.

These enhanced requirements help strengthen the defense strategy through the following:

  • Penetration-resistant architecture: The architecture should use technology and procedures to mitigate the risk of adversaries that could compromise the system.
  • Damage-limiting operations: These operations are focused on detecting compromises and limiting the effect of detected and undetected system compromises.
  • Cyber resiliency and survivability that support and enforce each other: It involves the ability to anticipate, withstand, and recover from an incident.

Additionally, the following adversarial effects support these strategies:

  • Redirect: Deter, divert, and deceive using advanced technologies like sandboxing, detonation chambers, honeypots, and similar practices.
  • Preclude: This practice ensures that the threat doesn’t have the attacker’s desired outcomes.
  • Impede: This stage involves actions to make it more difficult for threat events to cause severe consequences.
  • Limit: Its goal is to shorten or reduce the damage of a cybersecurity incident.
  • Expose: This action involves threat hunting and participation in threat intelligence data feeds.

The reason why NIST introduced these enhancements is to strengthen the systems’ protection against APTs by developing more efficient cybersecurity practices. Namely, in the past, APTs could find their ways to breach defenses despite mature security measures that were in place.

NIST 800-172 Key Areas

Like NIST 800-171, the second version also contains 14 key areas. Additionally, it has 35 enhanced security measures.

In the section below, you can see what measures have been added to the framework.

 Access Control

  • Dual authorization to execute critical system and organizational operations;
  • Restrict access to system components to information resources that are owned, provisioned, or issued by the organization;
  • Employ secure solutions to control information flows between security domains on connected systems.

Awareness and Training

  • Provide awareness training on recognizing APTs and update the training if needed;
  • Include practical exercises in awareness training;

Audit and Accountability

No enhanced security requirements have been added to this section.

Identification and Authentication

  • Identify and authenticate before establishing a network connection; use bidirectional, cryptographically-based, and replay-resistant authentication;
  • Employ automated mechanisms to generate, protect, rotate, and manage passwords for systems that don’t support multi-factor authentication;
  • Implement automated mechanisms to prevent system components from connecting to unknown, unauthenticated, or untrusted organizational systems;

Incident Response

  • Implement and maintain a security operations center capability;
  • Establish and maintain a cyber incident response team that can be deployed by the organization;


No enhanced security requirements have been added to this section.

Media Protection

No enhanced security requirements have been added to this section.

Personnel Security

  • Conduct personnel screening for individuals and reassess individual positions and access to CUI;
  • Make sure the organizational systems are protected in case adverse information is obtained about persons with access to CUI.

cmmc 2.0 changes

Physical Protection

No enhanced security requirements have been added to this section.

Risk Assessment

  • Employ threat intelligence as a part of a risk assessment;
  • Conduct cyber threat hunting activities;
  • Develop advanced automation and analytic capabilities to predict and identify risks to organizations, systems, and system components;
  • Document or reference in the system security plan, the rationale for the security solution, and the risk determination;
  • Assess the security solutions effectiveness to address anticipated risks to organizational systems;
  • Assess, monitor, and respond to supply chain risks associated with organizational systems and system components;
  • Develop a plan for managing supply chain risks concerning organizational systems and system components. Update the plan when needed;

Security Assessment

  • Conduct penetration testing through leveraging automated scanning tools and ad hoc tests using subject matter experts;

System and Communication Protection

  • Foster diversity in organization-defined system components to mitigate the extent of malicious codes;
  • Employ the changes to organizational systems and system components to introduce unpredictability into operations;
  • Employ technical and procedural means to confuse and mislead potential adversaries;
  • Use organization-defined physical isolation techniques in organizational systems and system components;
  • Distribute and relocate system functions or resources;

cmmc 2.0 changes

System and Information Integrity

  • Verify the integrity of essential software using root-of-trust mechanisms or cryptographic signatures;
  • Monitor organizational systems and system components on an ongoing basis for suspicious behavior;
  • Ensure that system components are included in the scope of the specific enhanced security requirements or are isolated in purpose-specific networks;
  • Refresh systems and system components from a known and trusted state;
  • Conduct reviews of persistent organizational storage locations and remove CUI that’s no longer needed;
  • Use threat indicator information obtained from external organizations to guide and inform intrusion detection and threat hunting;
  • Check the correctness of critical software, firmware, and hardware components using organization-defined verification methods;

Who Needs to Comply with NIST 800-172?

Not every DoD contractor is legally required to comply with NIST 800-172 standards. However, it doesn’t mean that enhanced protocols should be ignored. It is highly recommended that organizations consider implementing security practices to protect their critical data from advanced persistent threats and learn how to practice better cyber hygiene.

NIST 800-172 aims to offer an extra layer of protection to contractors that are likely to be targeted by APTs. On the other hand, contractors that are not at risk of advanced threats won’t be forced to implement enhanced security solutions.

Understand NIST 800-172 with IVTAS By Your Side

Although you’re not required to adopt the latest changes in NIST 800-171 framework, it’s highly recommended to consider enhanced security practices to strengthen your security, reduce risks of APTs, and create better cybersecurity hygiene in your organization. If you’re looking for long-time improvements, don’t hesitate to reach out to us and continue working with the government efficiently and with peace of mind.