NIST 800-172

NIST 800-172 provides enhanced security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It outlines enhanced security measures to safeguard sensitive information that is not classified but still requires protection.

Definition and purpose

NIST 800-172 establishes enhanced security requirements for providing additional protection for CUI in non-federal systems. These enhanced requirements supplement the security requirements in NIST Special Publication 800-171. While NIST 800-171 focuses primarily on confidentiality protection, the enhanced security requirements in NIST 800-172 address confidentiality, integrity, and availability protection.

The primary purpose of NIST 800-172 is to respond to the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses the expertise and resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. Because an APT is likely to target CUI that is associated with a critical program or a high value asset, that CUI requires additional protection.

Governing body

The National Institute of Standards and Technology (NIST) is the governing body responsible for the 800 series of publications, including NIST 800-172.

Last updated

NIST 800-172 was published in February 2021. There have been no major updates since.

Applies to

NIST 800-172 is applicable to non-federal systems and organizations that process, store, or transmit CUI. It has implications for a wide range of industries that handle sensitive information on behalf of the U.S. government.

Controls and requirements

NIST 800-172 outlines specific security requirements aimed at protecting CUI. These are organized into 14 families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Note: The Audit and Accountability, Maintenance, Media Protection, and Physical Protection families do not contain enhanced security requirements at this time.

Please refer to the official NIST SP 800-172 publication for a detailed list of controls and requirements.

Audit type, frequency, and duration

NIST 800-172 is essential for organizations that must comply with CMMC 2.0 Level 3; these organizations are also known as L3 contractors. Level 3 (the “Expert” level), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

The Department intends for L3 contractors to undergo assessments conducted by government officials every three years.
