A New Supplement to NIST SP 800-171: NIST SP 800-172
The basic federal requirements for safeguarding Controlled Unclassified Information (CUI) in nonfederal systems have relied for some time now on the 110 controls within NIST SP 800-171 rev.2 (February 2020). The National Institute of Standards and Technology (NIST), in response to advance persistent cybersecurity threats, has now released an important supplement to SP 800-171 designated as NIST SP 800-172.
This 84-page supplement is intended to enhance the previously existing SP 800-171 confidentiality controls as well as to provide additional integrity and availability protections for CUI. It applies to all nonfederal systems that agencies determine are processing, storing, or transmitting CUI associated with a critical program or high-value asset, as well as system components that provide protection to such systems.[†]
The new security requirements may be selectively applied by federal agencies implementing the new SP 800-172 standards. We expect the new requirements to start to show up in federal RFPs and contracts.
Similar to SP 800-171, the purpose, target audience, and fundamentals of the development approach for the new SP 800-172 controls are contained in chapters one and two of the publication. The specific enhanced requirements also build on SP 800-171 by relating to the same 14 categories of controls that are contained in chapter 3 of the earlier publication.
Also similar is Appendix C to SP 800-172, which maps the enhanced controls to the security controls contained in NIST SP 800-53 rev. 5 (dated September 2020) following the approach found in Appendix D of SP 800-171. SP 800-53 of course sets out mandatory minimum controls for federal information systems.
The enhancements of SP 800-172 promote the protection of CUI through additional controls for penetration-resistant architecture, damage-limiting operations, and designs in order to achieve greater cyber resiliency and survivability. Of the original 14 families of security requirements found in SP 800-171, enhancements have been made to the following 10 categories:
3.1 Access Control
3.2 Awareness and Training
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.9 Personnel Security
3.11 Risk Assessment
3.12 Security Assessments
3.13 System and Communications Protection
3.14 System and Information Integrity
Care should be taken to both completely understand the changes in SP 800-172 and how they affect your organization. This may be achievable through your internal resources or can be accomplished with the assistance of subject matter experts such as RegDOX Solutions.
It is acknowledged in SP 800-172 that “[c]ertain enhanced security requirements may be too difficult or cost-prohibitive for organizations to meet internally…. [and that] the use of external service providers can be leveraged to satisfy the requirements.”[‡] Included among those are those relating to threat intelligence, threat and adversary hunting, system monitoring and security management, IT infrastructure, platform and software services, threat, vulnerability, and risk assessments, response and recovery, and cyber resiliency.
RegDOX, with its ITAR and DFARS-compliant secure data storage and collaboration platform for CUI, can both jump-start and also ensure continuing compliance by organizations in satisfying these requirements. Contact us through our website at www.RegDOX.com or call 1-800-517-3171 and we will be glad to explain how.
About RegDOX Solutions Inc.
RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.
[†] Covering system components including mainframes, workstations, servers, input and output devices, cyber-physical components, network components, mobile devices, operating systems, virtual machines, and applications.
[‡] Quoting SP 800-172, page 10.