Skip to content ↓ | Skip to navigation ↓

NIST’s timely new release of Special Publication (SP) 800-172 (formerly referred to in draft form as 800-171B) provides exactly what its title says, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171. Yet it goes a step further to protect controlled unclassified information (CUI) specifically from APTs.

According to Scott Goodwin, IT audit and security supervisor with OCD Tech and Tripwire guest blog contributor, the latest NIST guidance “…introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value-assets and critical programs including CUI) from modern attack tactics and techniques related to Advanced Persistent Threats (APTs). These sophisticated attacks are most often executed by nation-state-backed cyber-criminals whose goal is to steal data relevant to national security.” 

As witnessed in the SolarWinds Orion attack and recent others, threats that go undetected can be the most damaging to both private and public sector environments. As an entity supported by thousands of non-federal service providers, the government has to make certain that CUI stored by commercial partners is protected.

This was the government’s intent for NIST’s original SP 800-171. It was that nonfederal entities supporting government business would not only have guidance for securing CUI but would also have a solid framework for complying with requirements such as the DoD’s DFARS clause 252.204-7012. If companies want to continue doing business with the government, SP 800-171 and now SP 800-172 need to be top priority for program managers, CIOs, system auditors, etc.

“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security.”

Tripwire can help implement SP 800-171

All in all, NIST 800-172 is a much needed and timely update to NIST 800-171. It goes a long way towards enhancing the security requirements, and it is intended to supplement the security requirements in SP 800-171 that are in use by federal agencies that utilize contractual vehicles as well as other agreements established between those agencies and non-federal organizations. It’s a good update not only for government systems but also for private and public organizations.

Tripwire can help your organization successfully implement and monitor the suggested system security controls offered in SP800-171. For more information, be sure to check out Tripwire Enterprise.

For a breakdown of SP 800-172 (formerly 171B) requirements, visit