The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of federal and state IT systems security systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on advanced security controls listed in NIST Special Publication 800-172. 

What Is NIST 800-172?

NIST 800-172 addresses APTs by introducing improved or enhanced security requirements to engage the critical security controls covered in NIST SP 800-171. It has been developed to guide organizations in improving their security posture against APTs using advanced security measures. 

Some of the top ways in which NIST 800-172 addresses APTs include:

• Advanced Security Controls: This document includes comprehensive and advanced security controls beyond NIST SP 800-171. These security controls are intended to provide better defense against mature threats that use sophisticated ways such as social engineering, insider threats, and advanced malware.
  
• Security System Engineering: Ground-up security reduces weaknesses in systems that APT could leverage.
• Detection and Recovery Capability: NIST 800-172 enhances detection and recovery mechanisms, especially for incidents involving APTs. Therefore, it centers on constant monitoring, a detection system, and swift responses.
• Insider Threats: As APT attacks usually unfold from inside due to insider access, the magazine advises on detection and responses to inside threats within a firm. This means logging user activity and implementing higher access restrictions.
• Encryption and Key Management: NIST 800-172 advises that strong encryption techniques and robust key management are used to protect sensitive information. Both help protect data if the network perimeter is compromised.
• Supply Chain Risk Management: APTs infiltrate through third-party vendors or the supply chain. NIST 800-172 defines risk assessment and risk mitigation from suppliers and people in the provision of services.
• Least Privileges and Separation of Duties: An organization must enforce the concept of least privileges and separation of duties for the users. Following these guidelines enables organizations to manage access security more granularly. 

NIST 800-172 Control Families

NIST Special Publication 800-172 builds upon the security requirements outlined in NIST SP 800-171. While it focuses on these enhanced requirements, it is structured similarly to NIST SP 800-171, which organizes its security requirements into 14 families. 

The 14 control families in NIST SP 800-171 (and by extension, relevant to the context of NIST SP 800-172’s enhancements) are:

• Access Control (AC): Policies and procedures that manage access to information systems, including physical and logical access controls.
• Awareness and Training (AT): Procedures to ensure that all users know the security risks associated with their activities and the applicable policies, standards, and procedures related to the system’s security.
• Audit and Accountability (AU): Mechanisms to create, protect, and retain system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
• Configuration Management (CM): This involves managing security features and assurances by controlling changes made to hardware, software, firmware, documentation, tests, test fixtures, and documentation throughout an information system’s life cycle.
• Identification and Authentication (IA): Processes that manage and validate the identity of users, processes, or devices as a prerequisite to allowing access to resources in an information system.
• Incident Response (IR): Established operational procedures to address and manage the aftermath of a security breach or attack (incident).
• Maintenance (MA): Procedures for performing and documenting routine preventive and corrective maintenance on the information systems to ensure their integrity and availability.
• Media Protection (MP): Procedures to protect, control, and dispose of information system media containing CUI, both paper and digital.
• Personnel Security (PS): Policies and procedures to ensure that individuals who have access to CUI are trustworthy and meet established security criteria for those roles.
• Physical Protection (PE): Physical security measures protect information systems, buildings, and supporting infrastructure against threats from physical events and environmental hazards.
• Risk Assessment (RA): Processes to identify, evaluate, and plan for the security risks to the information system and the information it processes, stores, or transmits.
• Security Assessment (CA): Processes for assessing the security controls in federal information systems and operating environments to ensure they are implemented correctly, operating as intended, and producing the desired outcome regarding meeting the security requirements.
• System and Communications Protection (SC): Controls and techniques to protect information transmitted over networks and ensure the security of networked systems.
• System and Information Integrity (SI): Procedures and mechanisms to protect information systems against malware and to monitor system and information integrity.

NIST SP 800-172 enhances these control families with additional requirements to address and mitigate the threats posed by APTs. Due to their sophisticated nature, it focuses on the need for more advanced protective measures.

NIST and Defense-In-Depth for APTs

Defense-in-depth principles are an applied set of enhanced security requirements for protecting CUI. NIST 800-172 defines these three principles as:

• Penetration-Resistant Architecture: This cybersecurity approach emphasizes evolving systems and networks as inherently resilient against penetration by attackers. Strong security controls are employed within and at the perimeter of networks to defend against unauthorized access and support detection. General network segmentation, the use of firewalls, intrusion detection and prevention systems, and code/API security are the factors that can make a system resistant to penetration.
• Damage-Limiting Operations: If an attacker successfully breaks the first layer of defense, damage-limiting operations confine the effects and keep the attacker from achieving their goal. This means setting up various controls and procedures that limit damage. Access control, data sensitivity encryption, and least privilege access ensure protection from any system part that the attackers can breach. This also involves having things in place for monitoring and quick response to security incidents.
  
• Cyber Resiliency and Survivability: This section discusses how systems will continue to operate when cybercriminals are probed and attacked and how rapidly they can re-enter once any damage has occurred. System and process designs must be as resilient and adaptive to the likelihood of attack as they are to the results of an attack. This is important for backup and recovery procedures, redundancy in the most critical systems, and quick isolation of the affected systems. 

The three are complementary, and the components combine to make up a three-pronged whole in the defense-in-depth strategy.

What Are Adversary Effect Categories?

Part of the control classification used in NIST 800-172 is “adversary effects,” or how a control addresses threats in a specific way. Because APTs are typically ongoing and multi-faceted, these effects must be tailored to the long-term longevity of the system’s security across different approaches. 

These high-level effects include:

• Redirect: These effects help “deter, divert, and deceive” attackers and tools working through the system. The expected results are that the threat ceases to exist or is directed to an incorrect target.
  
• Preclude: These “negate, preempt, and expunge” threats from the system. The threat is essentially halted or forced to be wasted.
  
• Impede: These “contain, degrade, or exert” threats by making their work harder within the system, if not isolating them outright. The danger will be restricted, limited in scope, or only function with partial success.
  
• Limit: These “shorten and reduce” a threat’s lifetime within a system. The threat’s effectiveness is limited in terms of timeframe or availability.
  
• Expose: These “detect, reveal, and scrutinize” threats or potential threats within a system. This includes removing any tools used for stealth or misdirection so that security can deploy a response. 

Maintain Your CMMC Compliance with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171 & 172
• CMMC
• SOC 1 & SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075 & 4812
• COSO SOX
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria
• And dozens more!

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.