Understanding NIST 800-172 Enhanced Security Controls for CMMC Level 3

Learn how NIST 800-172 enhances CMMC Level 3 compliance with advanced security controls for protecting CUI against sophisticated cyber threats.

7 min read
Published on Aug 27, 2025

CMMC Level 3 Security Controls: Understanding NIST 800-172

Cybersecurity is a top priority for the federal government, and with increasingly complex cyberattacks on the rise, such as advanced persistent threats (APTs), new security requirements have been established for the protection of Controlled Unclassified Information (CUI). This includes the release of NIST SP 800-172, which supplements the 110 security requirements in NIST SP 800-171 by providing enhanced protections specifically meant to protect the confidentiality of CUI associated with high-value assets or critical programs when residing on nonfederal systems. It is important to note that these enhanced controls only apply to CMMC Level 3. Keep reading to learn more about NIST SP 800-172, including its purpose and the role it plays in CMMC 2.0 certification.

Purpose of NIST SP 800-172

The first question you may find yourself asking is what the purpose of NIST SP 800-172 is and what it does. NIST SP 800-172, titled “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” builds off of NIST SP 800-171, providing enhanced guidelines to protect CUI related to critical government programs from complex cyberattacks such as APTs. It was created to strengthen the confidentiality of CUI on non-federal systems to make this data more resilient against sophisticated attacks in order to protect national security and economic interests.

NIST SP 800-171 vs. 800-172

So, what exactly is the difference between NIST SP 800-171 and 800-172? While NIST SP 800-171 provides baseline security controls essential for protecting CUI on non-government systems, NIST SP 800-172 builds on these controls by providing additional enhanced security requirements specifically designed to address the risk APTs pose to high-value assets and critical data. In essence, NIST SP 800-171 provides a security foundation organizations can use to protect their CUI, while NIST SP 800-172 builds upon it to bridge any security gaps and provide elevated protection for organizations handling highly sensitive information.

CMMC 2.0 and NIST SP 800-172

With the defense industrial base (DIB) facing increasingly frequent and complex cyberattacks that threaten national security, the Department of Defense (DoD) has developed new protocols meant to strengthen cybersecurity within the DIB and better safeguard sensitive DoD information, including CUI. As part of this effort, the DoD has released the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to standardize how DoD contractors secure CUI and to enforce the proper protection of sensitive government data handled on non-federal systems.

CMMC 2.0 requires organizations that handle sensitive DoD data to implement enhanced cybersecurity standards following a tiered model, depending on the type and sensitivity of data they handle. CMMC 2.0 comprises three assessment levels. While CMMC Level 1 only requires organizations to self-assess that they have aligned with the 15 security controls outlined in FAR 52.204-21, Level 2 requires more advanced security measures, including implementing all 110 security controls from NIST SP 800-171 and assessment by a Certified Third-Party Assessment Organization (C3PAO). In addition to these requirements, organizations seeking CMMC Level 3 certification must also implement 24 controls from NIST SP 800-172 and pass a CMMC Level 3 certification assessment conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). CMMC Level 3 certification is essential for organizations whose contracts involve sensitive data at high risk of advanced threats. For these organizations, implementing the enhanced security protocols outlined in NIST SP 800-172 is essential to protect their networks and help ensure national security.

Enhanced Security Requirements

NIST SP 800-172 does not function independently. Similar to how DFARS builds on FAR, NIST SP 800-172 builds on the basic requirements outlined in NIST SP 800-171. In NIST SP 800-172’s enhanced security requirements, the three mutually supportive and reinforcing components are penetration-resistant architecture (PRA), damage-limiting operations (DLO), and designing for cyber resiliency and survivability.

These strengthened security strategies assume that APTs will attempt sophisticated measures. Should this occur, organizations must protect critical programs and high-value assets through the countermeasures of detecting, outmaneuvering, confusing, deceiving, misleading, and impeding the attack. These actions counteract the adversary’s tactical advantage while protecting the organization’s critical programs and high-value assets. The enhanced requirements are written so that their alignment with other NIST publications, particularly NIST SP 800-171, is easy to follow. For example, the control numbers in NIST SP 800-171 are aligned with those used in 800-172, and the “e” designation after the number indicates that the requirement is an enhanced control. Additionally, the publication indicates which of the three protection strategies described above each control supports.

Example:

NIST SP 800-171

Control ID: AU.L2.3.3.1

Title: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

This is a Level 2 control, found in NIST SP 800-171, and part of the CMMC Level 2 requirement set. It requires basic logging functionality.

NIST SP 800-172

Control ID: AU.L2.3.3.1.e

Title (Enhanced): Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

This control uses the same base identifier (AU.L3-3.3.1) but adds an “.e” to signify it is an enhanced control.
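To make the naming convention above concrete, here is a small added example (not code from the original article or from NIST/CMMC) that parses control identifiers in the forms shown on this page and separates baseline NIST SP 800-171 controls from “e”-suffixed NIST SP 800-172 enhanced controls. The regular expression, the `Control` class and the sample identifier list are all assumptions constructed for this example; it accepts both the dotted and the hyphenated separator because both appear on the page.

```python
import re
from dataclasses import dataclass

# Matches CMMC-style control identifiers as written on the page, e.g.
# "AU.L2.3.3.1", "AU.L2.3.3.1.e" and "AU.L3-3.3.1e". This pattern is an
# assumption for this example, not an official grammar.
_CONTROL_RE = re.compile(
    r"""^
    (?P<family>[A-Z]{2})          # family, e.g. AU (Audit and Accountability)
    \.L(?P<level>[123])           # CMMC level the control is assessed at
    [.-]                          # separator: '.' or '-' (both appear on the page)
    (?P<number>\d+\.\d+\.\d+)     # NIST SP 800-171 style requirement number
    \.?(?P<enhanced>e)?           # optional 'e' (or '.e') = NIST SP 800-172 enhanced
    $""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Control:
    family: str
    level: int
    number: str
    enhanced: bool

    @property
    def source(self) -> str:
        # Enhanced ("e") controls come from NIST SP 800-172; the rest from 800-171.
        return "NIST SP 800-172" if self.enhanced else "NIST SP 800-171"


def parse_control_id(control_id: str) -> Control:
    """Parse one identifier; raise ValueError on anything that does not match."""
    m = _CONTROL_RE.match(control_id.strip())
    if not m:
        raise ValueError(f"unrecognised control identifier: {control_id!r}")
    return Control(
        family=m.group("family"),
        level=int(m.group("level")),
        number=m.group("number"),
        enhanced=m.group("enhanced") is not None,
    )


def split_by_source(control_ids):
    """Return (baseline, enhanced) lists of Control objects, preserving order."""
    baseline, enhanced = [], []
    for cid in control_ids:
        c = parse_control_id(cid)
        (enhanced if c.enhanced else baseline).append(c)
    return baseline, enhanced


# Constructed sample: a short requirement list mixing baseline and enhanced IDs.
SAMPLE_IDS = ["AU.L2.3.3.1", "AU.L2.3.3.1.e", "AU.L3-3.3.1e", "AC.L2-3.1.1"]

if __name__ == "__main__":
    base, enh = split_by_source(SAMPLE_IDS)
    for c in base + enh:
        suffix = "e" if c.enhanced else ""
        print(f"{c.family} {c.number}{suffix}: Level {c.level}, {c.source}")
```

Run as a script it lists each sample identifier with its family, requirement number and source publication; in a real gap assessment the same split tells you which rows of a requirement matrix are only in scope for CMMC Level 3.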

An In-Depth Look at Protection Strategies

By building upon the baseline established in NIST SP 800-171, NIST SP 800-172 introduces a more robust, multi-dimensional, defense-in-depth strategy for protecting critical CUI from high-level threats. It does this by providing advanced security requirements that make it harder for advanced cyberattacks to succeed by implementing three mutually supportive and reinforcing protection strategies. The protection strategies outlined in NIST SP 800-172 include:

  • Penetration-resistant architecture: This refers to architecture that uses technology and procedures to limit the opportunities an adversary has to compromise an organizational system and maintain a persistent presence on the system. This means purposefully designing a system with technology and configurations that reduce the opportunities for attack.

  • Damage-limiting operations: Focuses on detecting, isolating, and limiting the scope of successful system compromises by an adversary and limiting the effect of such compromises, both detected and undetected.

  • Cyber resiliency and survivability: Encompasses an organization’s ability to anticipate, withstand, and recover from an attack. It is important to ensure that your organization can also adapt to evolving threats and attacks while continuing to carry out critical missions.

The protection strategies outlined in NIST SP 800-172 are meant to reduce the likelihood of a threat event occurring and the degree of harm it can cause. These protection strategies are meant to have five high-level desired effects on the adversary, which include the following:

  • Redirect: The protection strategies in NIST SP 800-172 are meant to deter, divert, and deceive attackers using a variety of methods, including technologies such as sandboxing, detonation chambers, and honeypots, and practices such as tainting, which uses deliberately misleading system information to lure attackers away from the real CUI.

  • Preclude: Expunge, preempt, negate. The goal is to ensure that the threat does not accomplish the attacker’s desired outcomes.

  • Impede: Contain, degrade, delay, exert. The protection strategies are meant to make it more difficult for threat events to exfiltrate data or maintain persistence.

  • Limit: Shorten or reduce the degree of damage from a threat event. This may involve containment strategies and automated response mechanisms to isolate affected areas.

  • Expose: Detect, scrutinize, reveal. This includes logging, auditing, anomaly detection, and active monitoring of threats and enabling timely responses.

These effects on adversaries reinforce each other and add to a multi-layered defense framework that helps protect high-value assets and CUI from advanced persistent threats.

Need Help Complying With NIST SP 800-172? Contact Agile IT Today!

Government contractors and partners who handle highly sensitive information on their systems are increasingly vulnerable to adversarial attacks. Fortunately, NIST SP 800-172 provides enhanced security controls that can help these organizations prevent and mitigate the risks of high-level attacks such as APTs, helping to ensure national security. In particular, these measures can help organizations stay vigilant and provide actionable steps that they can take to protect the CUI they handle, store, and transmit on their systems at all costs.

If you need help implementing cybersecurity practices to help you achieve/maintain compliance and protect the sensitive government data you handle, consider contacting Agile IT today. Our team of experienced compliance professionals can help you secure your CUI and reduce your risk of falling victim to a cyberattack.
