
Key Differences Between NIST SP 800-171 and NIST SP 800-172

Explore the key differences between NIST SP 800-171 and NIST SP 800-172, including how 800-172 enhances security for protecting Controlled Unclassified Information (CUI) against advanced threats.

Published on Nov 4, 2025

The urgency of protecting sensitive data has never been higher. Organizations both large and small are devoting extra resources to it as they recognize how vital it is to protect the precious resource that is their data. This is exactly why organizations need to understand both NIST SP 800-171 and NIST SP 800-172.

What is NIST SP 800-171?

This is a set of security regulations handed down by the federal government regarding how non-federal agencies are required to protect Controlled Unclassified Information (CUI) within their systems and networks. It applies to any agency that stores any CUI data for the federal government, regardless of that organization's mission. Among the specific agencies included are:

  • Contractors and sub-contractors
  • Universities and colleges
  • Defense contractors

These are just some of the organizations that routinely store CUI data for the government, and they must follow the rules laid out in NIST SP 800-171 in order to maintain their contracts and continue to do business with the government. Many types of security controls must be implemented to keep data protected under NIST SP 800-171, and it is very important that all agencies required to meet these standards put in the work necessary to do so.

What is NIST SP 800-172?

Another set of standards that some organizations are subject to is NIST SP 800-172. These are an updated set of regulations designed to remain relevant in today’s constantly changing cybersecurity landscape. While the NIST SP 800-171 standards are viewed as a baseline set of regulations, the NIST SP 800-172 standards are meant to add an extra blanket of protection over the organizations that use them. In doing so, these standards add a little extra peace of mind for those who have them in place.

Comparing NIST SP 800-171 to NIST SP 800-172

It is useful to compare the NIST SP 800-171 and NIST SP 800-172 standards to understand what each set of standards really is and why it matters. Here are some things that you should know:

  • Threats Addressed – In terms of the types of threats that each set of standards addresses, you should know that the NIST SP 800-171 standards are meant to handle routine cyber threats. These include known threats and typical avenues of attack. However, they might not be enough to handle the more sophisticated types of threats that are popping up nearly every day. That is where the NIST SP 800-172 standards are more useful.

  • Security Focus – The NIST SP 800-171 standards are designed to keep CUI material safe and secure. NIST SP 800-172 standards are also meant to help with this, but they take it a step further by also working on the detection of incoming threats before they become an issue.

  • Connection to CMMC – The NIST SP 800-171 standards are connected to CMMC Level 2 security standards, whereas the NIST SP 800-172 standards are connected to CMMC Level 3 security standards.

As you can tell, the NIST SP 800-172 standards simply take things a few steps further than what you get with the NIST SP 800-171 standards. As such, you can get a little more peace of mind when you go with the highest-level NIST standards currently out there.

When to Use 800-171 vs 800-172

Knowing when to use each of the NIST standards is something that will serve you well as you seek to obtain the level of security that you truly need around the data that you have been entrusted with. There are some basic rules of the road that you can follow to determine if you should use NIST SP 800-171 or NIST SP 800-172:

  • NIST SP 800-171 Standards are Fine for Non-National Security Data – Contractors who handle data that doesn’t have a national security purpose can get away with using the NIST SP 800-171 standards. Keep this in mind as you consider the level of security that is necessary to ensure that your data is safe from those who might want to take advantage of any security flaws.

  • Smaller-Scale Contractors Can Often Use NIST SP 800-171 – This is not a universal rule, and you should always keep your case-specific factors in mind, but smaller-scale contractors can often use NIST SP 800-171 instead of NIST SP 800-172 standards because they are more likely to handle material that is not necessarily as sensitive as what larger-scale contractors handle.

  • NIST SP 800-172 Standards are Necessary for High-Value Data – Data that is of high value and that serves some type of national security purpose should always fall under the umbrella of NIST SP 800-172 standards. This is a requirement because those are the only standards that are truly strong enough to fully keep that data and information under lock and key. Getting too lax about how you protect sensitive data like that could lead to devastating consequences.

These are all things that must be carefully considered when reviewing which set of standards is right for you. At the end of the day, it is typically the case that the value of the data that you are securing is the ultimate deciding factor.

Important Takeaways

When it is all said and done, NIST SP 800-171 and NIST SP 800-172 might sound very similar to one another, but they are not. Although their names are similar, the level of security that must be maintained under these standards is very different. Those who handle the most important and sensitive data that our government holds should be aware that they must use NIST SP 800-172 standards to keep that information away from those who want to steal it.

You are responsible for running a comprehensive accounting of the data that you hold to determine which set of standards you need to adhere to. Once you have done so, then you can begin to implement the appropriate set of standards for your services.

For more information on the differences between NIST SP 800-171 and NIST SP 800-172, reach out and contact us today. We are happy to walk you through all of the various ways that these standards differ.
