Tailor your approach and safeguard sensitive information using NIST SP 800-172.
If you are a consultant, system integrator, or member of the defense industrial base (DIB), you have probably been thinking a lot about CMMC certification, CUI, and NIST SP 800-172 lately. While many in the DIB have been handling CUI and may already be a step ahead on CMMC compliance, we know some defense contractors in the DIB have much work to do.
Most organizations that handle CUI will be seeking Level 2 CMMC certification. Some, however, will need to seek Level 3 certification—those handling CUI on the DoD’s most sensitive programs. For Level 2, you must align with the 110 controls of NIST SP 800-171. Many in the DIB have been doing that for years, but the new CMMC certification process now requires a self-assessment.
For Level 3, you need to align with all of those same controls, plus additional ones from NIST SP 800-172, and you will also need to submit to a third-party audit. Being audit-ready and achieving third-party-verified compliance with DFARS and NIST 800 involves much more than documentation, and receiving accreditation cost-effectively is paramount for your organization. Understanding the relationship between NIST and CMMC, having a well-defined Plan of Action & Milestones (POAM), and leveraging automation will shorten your compliance effort.
First things first—identify vulnerabilities.
They say the first step is the hardest. But with cybersecurity, it doesn’t have to be as hard as you think.
The first step is to identify vulnerabilities in your system. You may do this through regular internal system reviews, or a third party may inform you of them during an audit. The easy part is that you can also scan for issues using an automated solution like SteelCloud’s ConfigOS, which works in any environment and also remediates the issues, which is your second step.
The goal is to create a secure baseline from which to operate. Baselines are key because every time you update configurations, install a security patch or purchase a new server, your system can stop working. The baseline acts as a fallback position—a configuration you know works while sorting out the details of the new configuration.
Every time you update, you can automate the remediation of any issues that crop up. Automation reduces your operational costs and downtime while ensuring system stability over time. It also removes a huge and annoying burden from the shoulders of your IA staff.
Meeting CMMC assessment criteria with POAMs.
So, you’ve scanned and remediated, but maybe not all your controls have been met. You can still operate, but you need a plan of action for when and how you will remediate.
Software applications are rarely designed to operate in government and commercial organizations that have mandated compliance requirements, so they get stuck on the starting line waiting months for an authority to operate (ATO). POAMs and waivers give organizations additional flexibility: a plan of actions and milestones documents when and how each open control will be remediated, and a waiver process can waive certification on a limited basis in mission-critical instances, helping you be operational on that software in the interim. In that way, POAMs accelerate timelines, objectives, and CMMC security requirements.
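The scan, remediate and baseline cycle described above, and the POAM that tracks whatever the automated pass could not fix, can be sketched in a few dozen lines. The following is an added example written for this page; it is not SteelCloud or ConfigOS code. It assumes a constructed "key value" configuration format (modelled loosely on an sshd_config), a constructed baseline whose values are illustrative rather than a real STIG or CIS Benchmark, and a constructed split between settings that are safe to auto-remediate and settings that need a human decision and therefore a POAM entry.

```python
"""Added example: baseline comparison, drift detection and POAM generation.

Not SteelCloud/ConfigOS code. The configuration format (simple
"key value" lines), the settings and the baseline values are constructed
for illustration; real baselines come from a STIG or CIS Benchmark.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed secure baseline: the configuration you know works and that
# passed your last scan. Values are illustrative, not a real STIG.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
    "Banner": "/etc/issue.net",
}

# Constructed: which baseline items this example treats as safe to
# auto-remediate; everything else needs a human decision and a POAM entry.
AUTO_REMEDIATE = {"MaxAuthTries", "LogLevel", "Banner"}


@dataclass
class Finding:
    key: str
    expected: str
    actual: Optional[str]   # None means the setting is missing entirely

    @property
    def status(self) -> str:
        return "auto" if self.key in AUTO_REMEDIATE else "poam"


def parse_config(text: str) -> dict:
    """Parse 'key value' lines; ignore blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def detect_drift(baseline: dict, current: dict) -> list:
    """Return every baseline item the current config fails to meet."""
    return [
        Finding(key, expected, current.get(key))
        for key, expected in baseline.items()
        if current.get(key) != expected
    ]


def remediate(text: str, findings: list) -> str:
    """Rewrite the config, fixing only the auto-remediable findings."""
    fixes = {f.key: f.expected for f in findings if f.status == "auto"}
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("#", 1)[0].strip().partition(" ")[0]
        if key in fixes:
            out.append(f"{key} {fixes[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key in sorted(fixes.keys() - seen):   # settings absent from the file
        out.append(f"{key} {fixes[key]}")
    return "\n".join(out) + "\n"


def build_poam(findings: list) -> list:
    """One POAM entry per finding that was not fixed automatically."""
    return [
        {"control": f.key, "expected": f.expected, "actual": f.actual,
         "status": "open", "milestone": "TBD"}
        for f in findings if f.status == "poam"
    ]


# Constructed post-update config that has drifted from the baseline.
CURRENT_CONFIG = """\
# sshd_config after an update (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel INFO
"""


def run_cycle(config_text: str = CURRENT_CONFIG):
    """Scan -> remediate -> rescan; return the fixed text and the open POAM."""
    findings = detect_drift(BASELINE, parse_config(config_text))
    fixed = remediate(config_text, findings)
    remaining = detect_drift(BASELINE, parse_config(fixed))
    return fixed, build_poam(remaining)


if __name__ == "__main__":
    fixed_text, poam = run_cycle()
    print(fixed_text)
    for entry in poam:
        print(entry)
```

Run as written, the cycle fixes the three auto-remediable settings (including the one missing from the file) and leaves a single open POAM entry for PermitRootLogin, the one finding that needs a decision rather than a mechanical fix. Rerunning detect_drift after every update is the drift check; the baseline dictionary is the fallback position the text describes.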
Reporting is a critical component of your cybersecurity efforts.
NIST 800-172 and its advanced CUI protections build on the basic requirements of NIST 800-171 and include three mutually supportive and reinforcing components:
- Penetration-resistant architecture (PRA)
- Damage-limiting operations (DLO)
- Designing for cyber resiliency and survivability
These measures require continual scanning and remediation of your system, as well as careful documentation of your efforts. But again, automation provides the means for doing all of the above quickly and error-free.
SteelCloud’s ConfigOS features SIEM 2.84 capabilities, creating bulk STIG Viewer checklists and integrating human and machine controls into data feeds for eMASS and Splunk integration. With data presented through ConfigOS DashView, this integration dramatically reduces the time spent monitoring, detecting, and maintaining your enterprise’s DISA STIG or CIS Benchmark infrastructure hardening compliance. And SteelCloud’s ConfigOS keeps you in compliance, preventing configuration drift. When all is said and done, ConfigOS reduces the effort to harden an endpoint by 90% and remediate and maintain an endpoint by 70%.
Automation is the industry standard when it comes to compliance.
Members of the DIB that handle sensitive information are continually exposed to adversarial attacks. That’s why security compliance with CMMC is critical to reducing risk and protecting CUI at all costs. Automation makes achieving compliance with all 110+ controls of CMMC Level 2 and Level 3 faster and more efficient.
ConfigOS is proven to speed compliance with multiple government mandates, such as STIG and CIS, each of which incorporates components of NIST SP 800-171 and some of NIST SP 800-172. They are similar to, and in most cases more stringent than, the CMMC mandates. So ConfigOS has you covered as you move through the accreditation and CMMC certification process that will secure your enterprise, enhance your government relationships, and protect CUI.