NIST SP 800-172

United States

v2020

17 domains

36 controls

Enhanced Security Requirements for Protecting CUI

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (17)

AC

3 controls

Controls in the AC domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.1.1e	Dual Authorization for Sensitive System Operations	Employ dual authorization to execute critical or sensitive system and organizational operations affecting CUI.
3.1.2e	Restrict Access to Systems and System Components to Defined Security Domains	Restrict access to systems and components to only those information resources owned, provisioned, or issued by the organ...
3.1.3e	Employ Secure Information Transfer Solutions	Employ secure information transfer solutions to control information flows between security domains on connected systems.

AT

2 controls

Controls in the AT domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.2.1e	Provide Awareness Training on Advanced Persistent Threat	Provide awareness training upon initial hire, annually, and when system changes occur, focused on recognizing and respon...
3.2.2e	Practical Exercises in Awareness Training	Include practical exercises in awareness training for managers, senior executives, and selected personnel that reinforce...

CA

1 controls

Controls in the CA domain of NIST SP 800-172 — 1 controls
Code	Title	Description
3.12.1e	Penetration Testing by Independent Agents	Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using subject matter...

CM

3 controls

Controls in the CM domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.4.1e	Authoritative Source for Software and Firmware	Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approve...
3.4.2e	Automated Detection and Remediation of Unauthorized Software	Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the compo...
3.4.3e	Automated Inventory of System Components	Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inv...

IA

3 controls

Controls in the IA domain of NIST SP 800-172 — 3 controls
Code	Title	Description
3.5.1e	Identification of Systems, Components, and Devices	Identify and authenticate systems and system components, where possible, before establishing a network connection using...
3.5.2e	Password Manager Use	Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and accoun...
3.5.3e	Multifactor Authentication for Local, Network, and Remote Access	Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and accoun...

IR

2 controls

Controls in the IR domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.6.1e	Establish Security Operations Center (SOC)	Establish and maintain a security operations center that operates 24/7, with allowance for remote/on-call staff.
3.6.2e	Establish and Maintain a Cyber Incident Response Team	Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.

MA

1 controls

Controls in the MA domain of NIST SP 800-172 — 1 controls
Code	Title	Description
3.7.6e	Maintenance Operations Performed by Authorized Personnel	Verify the integrity and correctness of security critical or essential software as defined by the organization, ensuring...

NIST SP 800-172: Access Control & Identity

0 controls

Managing access to information systems (NIST SP 800-172)

NIST SP 800-172: Audit & Accountability

0 controls

Audit logging and accountability measures (NIST SP 800-172)

NIST SP 800-172: Configuration Management

0 controls

Managing system configurations securely (NIST SP 800-172)

NIST SP 800-172: Incident Response

0 controls

Detecting and responding to security incidents (NIST SP 800-172)

NIST SP 800-172: Risk Assessment & Management

0 controls

Identifying and managing cybersecurity risks (NIST SP 800-172)

NIST SP 800-172: System & Communications Protection

0 controls

Protecting systems and communications (NIST SP 800-172)

PS

2 controls

Controls in the PS domain of NIST SP 800-172 — 2 controls
Code	Title	Description
3.9.1e	Enhanced Personnel Screening	Conduct enhanced personnel screening that reflects applicable laws, executive orders, directives, policies, regulations,...
3.9.2e	Insider Threat Program	Ensure organizational systems are protected if adverse information develops or is obtained about individuals with access...

RA

6 controls

Controls in the RA domain of NIST SP 800-172 — 6 controls
Code	Title	Description
3.11.1e	Threat-Aware Risk Assessment	Employ threat intelligence, at a minimum from open or commercial sources and any DoD-provided sources, as part of a risk...
3.11.2e	Threat Hunting	Conduct cyber threat hunting activities to search for indicators of compromise in organizational systems and detect, tra...
3.11.3e	Advanced Automation and Analytics Capabilities	Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizati...
3.11.4e	Security Solution Rationale Document	Document or reference in the system security plan the security solution selected, the rationale for the security solutio...
3.11.5e	Assess Effectiveness of Security Solutions	Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, o...
3.11.7e	Supply Chain Risk Management Plan	Develop a plan for managing supply chain risks; protect against supply chain risks; and update the plan at least annuall...

SC

6 controls

Controls in the SC domain of NIST SP 800-172 — 6 controls
Code	Title	Description
3.13.1e	Network Segmentation by Security Domain	Employ secure information transfer solutions to control information flows between security domains on connected systems,...
3.13.2e	Concept of Least Privilege in System Engineering	Apply the concept of least privilege when developing, designing, implementing, configuring, and operating systems, syste...
3.13.3e	Diversification of System Components	Employ diverse system components to reduce the extent of malicious code propagation and the dependence on common compone...
3.13.4e	Use Trusted Communications Paths for Privileged Access	Employ technical and procedural means to confuse and mislead adversaries through deception (decoys, mirages, dazzles, de...
3.13.5e	Randomness in System Operations	Employ technical and procedural means to confuse and mislead adversaries through change-management randomization or unpr...
3.13.6e	Verify Identity of Endpoint Hardware	Employ hardware-enforced trust mechanisms such as TPM-based attestation to verify the identity and integrity of endpoint...

SI

7 controls

Controls in the SI domain of NIST SP 800-172 — 7 controls
Code	Title	Description
3.14.1e	Verify Integrity of Security Critical Software and Firmware	Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatu...
3.14.2e	Monitor Organizational Systems with Specialized Capabilities	Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior using adva...
3.14.3e	Information Inputs Validation	Ensure that organizational systems are not reliant on commercial sources of supply that may be compromised by foreign ad...
3.14.4e	Refresh Systems and Components from a Trusted Baseline	Refresh organizational systems and system components from a known, trusted state at a defined frequency to reduce dwell...
3.14.5e	Verify Integrity After Reauthentication	Conduct reviews of persistent organizational storage locations at a defined frequency and remove CUI that is no longer n...
3.14.6e	Use Threat Indicator Information for Detection	Use threat indicator information relevant to the information and systems being protected and effective mitigations obtai...
3.14.7e	Verify Correctness of Security Functions	Verify the correctness of security critical or essential software, firmware, and hardware components through review, ana...

Maps to 1 other framework

36 total controls

NIST SP 800-53 Rev 5

36 source controls mapped|24 target controls covered

100%

Compare NIST SP 800-172 with NIST SP 800-53 Rev 5

Frequently Asked Questions

What is NIST SP 800-172?

NIST SP 800-172 is a compliance framework from United States with 17 domains and 36 controls. Enhanced Security Requirements for Protecting CUI It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-172 have?

NIST SP 800-172 has 36 controls organised across 17 domains. The largest domains are SI (7 controls), RA (6 controls), SC (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-172 map to?

NIST SP 800-172 maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (100% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-172 compliance?

Start your NIST SP 800-172 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-172 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 36 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required