
NIST SP 800-171 vs. 800-172: What’s the Difference?


The unveiling of CMMC 2.0 last November raised a lot of questions, but also brought a lot of relief. The streamlining of security around Controlled Unclassified Information (CUI) will help defense agencies and contractors better secure their systems without burdening them with operational overhead. This is crucial for organizations who want to support these agencies but don’t know much about either NIST SP 800-171 or NIST SP 800-172, the core documents of CMMC.


Controlled Unclassified Information and CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) was originally announced in 2019 to standardize security assessments for contractors in the Defense Industrial Base (DIB) handling CUI. Prior to the advent of CMMC, contractors were expected to self-assess and self-attest through basic reporting and monitoring against NIST standards. CMMC changed this requirement in a few different ways:

CMMC 2.0, initially published for review in November 2021, shifted some of these requirements:

The move from CMMC 1.0 to CMMC 2.0 streamlined compliance, bringing it more closely in line with NIST SP 800-171 and 800-172.


What is NIST Special Publication 800-171?

Forming the backbone of CMMC compliance and the protection of CUI, NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” maps out the security controls and practices organizations must implement to protect this critical data.

These requirements are broken down into several families, each housing several types of measures or controls addressing specific threats or vulnerabilities. 

These control families include the following:

In protecting CUI per CMMC 2.0, an organization will essentially implement all controls and capabilities in this document. While initial CMMC certification at Level 1 requires only 17 controls, Level 1 does not allow for actual contracting with agencies in the DIB that handle CUI.

Furthermore, while extenuating circumstances may allow for self-assessment, Level 2 certification will usually require full audits from a C3PAO across the entirety of NIST SP 800-171.


What Is NIST Special Publication 800-172?

When an enterprise moves to Level 3 of CMMC 2.0, it will be expected to meet all the controls in NIST SP 800-171 as a bare minimum. Additionally, it will have to implement controls from NIST Special Publication 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”

What does NIST 800-172 bring to the table? Several additions to select control families from NIST 800-171. These changes include the following:

Any family from NIST SP 800-171 not listed in NIST SP 800-172 does not have additional components. Additionally, the additions listed here are summarized, so make sure to check the actual documentation for the full requirements and details.

The main differences between 800-171 and 800-172 revolve around advanced controls: advanced testing, advanced monitoring, active testing and automation. Because CMMC Level 3 addresses significant security challenges like advanced persistent threats (APTs), these additional measures focus on proactive and ongoing security.


Developing NIST Compliance with Lazarus Alliance

As with other compliance regulations, NIST SP 800-171 and 800-172 come with predictable reporting and audit requirements. Lazarus Alliance, an experienced cybersecurity firm, is well versed in NIST audits and regulations, government compliance, and CMMC certification specifically.


Are You Preparing for CMMC, NIST 800-171 or NIST 800-172 Certification?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
