NIST SP 800-172

NIST Special Publication 800-172 provides enhanced security requirements for protecting CUI in nonfederal systems and organizations when the CUI is associated with critical programs or high-value assets. These requirements go beyond 800-171 and are designed to defend against Advanced Persistent Threats (APTs).

The enhanced requirements in 800-172 focus on penetration-resistant architecture, damage-limiting operations, cyber resiliency, and security-focused system design. They form the basis for CMMC Level 3 requirements. Most defense contractors won't need 800-172 compliance, but those working on the most sensitive programs will.

Why It Matters

If your contracts require CMMC Level 3, you'll need to implement the enhanced requirements from NIST SP 800-172 in addition to the base 800-171 requirements. Understanding whether 800-172 applies to your work helps you plan your compliance investment.