Photo of Kate M. Growley, CIPP/G, CIPP/USPhoto of Evan D. WolffPhoto of Michael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) recently released the final public draft of NIST Special Publication (SP) 800-172, formerly known as Draft NIST SP 800-171B. Building on the security requirements in NIST SP 800-171, the applicable standard under DFARS 252.204-7012, 800-172 provides 34 enhanced requirements to protect Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the risks posed by advanced persistent threats (APTs).

Unlike prior drafts, 800-172 incorporates the protection strategy and desired effects on the adversary directly into the implementation guidance for each control. The Department of Defense (DoD) expects 800-172 to impact fewer than one percent of defense contractors. However, numerous requirements from Draft 800-171B were incorporated into the Cybersecurity Maturity Model Certification (CMMC) Levels 4 and 5, likely giving commenters the opportunity to affect future CMMC revisions.

Comments for the final public draft are due August 21, 2020.