
Overview

NIST Special Publication 800-172 provides enhanced security requirements that supplement NIST 800-171. These controls are designed for organizations that handle high-value Controlled Unclassified Information (CUI) or operate in high-risk environments where basic security measures are insufficient. 800-172 requirements go beyond compliance checkboxes: they represent advanced security capabilities, including behavior analytics, threat intelligence integration, and cryptographic architecture hardening.

Framework Details

  • Framework: NIST 800-172
  • Version: Final Publication
  • Parent Framework: NIST 800-171 Rev 3
  • Control Count: 32+ enhanced requirements
  • Output Format: OSCAL Assessment Results (JSON)
  • Primary Use Case: High-value CUI, advanced persistent threats (APT), nation-state adversaries

Enhanced vs. Basic Requirements

| Aspect | NIST 800-171 | NIST 800-172 |
| --- | --- | --- |
| Scope | Basic CUI protection | Enhanced CUI protection |
| Threat Model | Standard cyber threats | Advanced persistent threats (APT) |
| Automation | Recommended | Required |
| Analytics | Event logging | Behavior analytics, ML/AI |
| Cryptography | FIPS 140-2 validated | FIPS + key management architecture |
| Access Control | RBAC | Context-aware, adaptive access |

Assessed Enhanced Control Families

3.1e - Access Control (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.1.1e | Context-based, adaptive access controls | Detects condition-based IAM policies |
| 3.1.2e | Dual authorization for privileged commands | Organizational process (not fully assessable) |
| 3.1.3e | Monitor remote access sessions technically | Identifies CloudTrail, VPN logging |

Example Finding:

```json
{
  "control": "3.1.1e",
  "finding": "No dynamic access control mechanisms found",
  "evidence_gap": "IAM policies lack conditional logic for IP/time-based restrictions"
}
```

3.3e - Audit and Accountability (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.3.1e | Automated audit record integration and analysis | Detects multi-layer logging (API + app + network) |
| 3.3.8e | Cryptographic protection of audit information | Verifies KMS-encrypted log groups and S3 buckets |

Key Requirement: Comprehensive logging across API (CloudTrail), application (CloudWatch), and network (VPC Flow Logs) layers with cryptographic integrity protection.
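The two 3.3e checks above, written out as an added example rather than the assessor's own code: it walks a constructed Terraform state fragment, requires all three logging layers for 3.3.1e, and requires a `kms_key_id` on every trail and log group for 3.3.8e. The Terraform state shape follows the standard v4 `resources[].instances[].attributes` layout; the exact attribute checks are assumptions about what the page's "detects" and "verifies" mean.

```python
# Constructed Terraform state fragment (not real customer data): CloudTrail and a
# VPC flow log exist, but the CloudWatch log group is missing and the trail has
# no KMS key, so both 3.3.1e and 3.3.8e should come back not-satisfied.
SAMPLE_TFSTATE = {
    "version": 4,
    "resources": [
        {"type": "aws_cloudtrail", "name": "main",
         "instances": [{"attributes": {"kms_key_id": ""}}]},
        {"type": "aws_flow_log", "name": "vpc",
         "instances": [{"attributes": {"log_destination": "arn:aws:logs:PLACEHOLDER"}}]},
    ],
}

# One Terraform resource type per logging layer named in the Key Requirement.
LOGGING_LAYERS = {
    "api": "aws_cloudtrail",
    "application": "aws_cloudwatch_log_group",
    "network": "aws_flow_log",
}
# Resource types whose records must be KMS-encrypted for 3.3.8e (assumed scope).
ENCRYPTED_TYPES = ("aws_cloudtrail", "aws_cloudwatch_log_group")


def resources_of(tfstate, rtype):
    """All resources of one Terraform type in the state."""
    return [r for r in tfstate.get("resources", []) if r.get("type") == rtype]


def assess_3_3_1e(tfstate):
    """3.3.1e: API, application and network logging must all be present."""
    missing = [layer for layer, rtype in LOGGING_LAYERS.items()
               if not resources_of(tfstate, rtype)]
    if missing:
        return "not-satisfied", ("Comprehensive system-wide audit logging not found "
                                 f"(missing {', '.join(missing)} logging)")
    return "satisfied", "Multi-layer audit logging: " + ", ".join(LOGGING_LAYERS.values())


def assess_3_3_8e(tfstate):
    """3.3.8e: every trail and log group must reference a KMS key."""
    unencrypted = []
    for rtype in ENCRYPTED_TYPES:
        for res in resources_of(tfstate, rtype):
            for inst in res.get("instances", []):
                if not inst.get("attributes", {}).get("kms_key_id"):
                    unencrypted.append(f"{rtype}.{res['name']}")
    if unencrypted:
        return "not-satisfied", ("Audit information not cryptographically protected: "
                                 + ", ".join(unencrypted))
    return "satisfied", "Audit logs encrypted with KMS"
```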

3.4e - Configuration Management (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.4.1e | Automated detection of misconfigured components | Infrastructure-as-code represents baseline |
| 3.4.2e | Automated response to unauthorized changes | Detects AWS Config rules, Azure Policy |
| 3.4.3e | Automated access restriction enforcement | Identifies version-controlled configurations |

3.5e - Identification and Authentication (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.5.1e | Multi-factor authentication for ALL access | Verifies MFA enforcement (not just privileged accounts) |
| 3.5.2e | Replay-resistant authentication mechanisms | Application-level control (not fully assessable) |
| 3.5.3e | Dynamic credential binding | Risk-based authentication (not fully assessable) |

3.11e - Risk Assessment (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.11.1e | Automated threat detection and response | Detects GuardDuty, Security Hub, Sentinel |
| 3.11.2e | Predictive analytics for threat identification | Specialized platforms (not fully assessable) |
| 3.11.3e | Anomalous behavior detection | Identifies GuardDuty, behavior analytics |

Example Evidence:

```text
"Threat intelligence integration: aws_guardduty_detector.main"
"Insider threat detection capability: aws_securityhub_account.main"
```

3.13e - System and Communications Protection (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.13.1e | Cryptographic mechanisms for wireless links | Detects HTTPS/TLS listeners, API Gateway security |
| 3.13.2e | Cryptographic communications integrity | Verifies TLS policies, API key requirements |
| 3.13.6e | Physically/logically separated components | Analyzes subnet segmentation (requires 2+ subnets + ACLs) |
| 3.13.7e | Split tunneling prevention | Identifies VPN tunnel controls |
| 3.13.8e | Cryptographic protection at rest | Comprehensive encryption (S3, EBS, RDS) |

Advanced Check - Network Segmentation:

```python
# Requires BOTH:
# 1. Multiple subnets (2+)
# 2. Network ACLs or security groups
def segmentation_status(subnet_count: int, has_acls: bool) -> str:
    return "satisfied" if (subnet_count >= 2 and has_acls) else "not-satisfied"
```

3.14e - System and Information Integrity (Enhanced)

| Control | Title | Assessment Method |
| --- | --- | --- |
| 3.14.1e | Automated response to security incidents | Detects Config remediation, Lambda automation |
| 3.14.2e | Cyber threat intelligence integration | Verifies GuardDuty, Security Hub |
| 3.14.4e | Integrity verification of software | Detects code signing (AWS Signer, signed Lambda) |
| 3.14.6e | Automated anomalous behavior detection | Identifies behavior analytics, metric filters |

Multi-Cloud Coverage

Cloud-Agnostic Security Posture: The 800-172 enhanced requirements are intentionally cloud-agnostic. While our assessor currently emphasizes AWS resources, the security principles apply universally.

Roadmap Priorities:
  1. AWS (Current): GuardDuty, Security Hub, Config, Macie, Detective
  2. Azure (Expanding): Sentinel, Defender, Policy, Security Center
  3. GCP (Expanding): Security Command Center, Cloud Armor, Binary Authorization
  4. Kubernetes: Falco, OPA, admission controllers, Pod Security Standards
We’re actively mapping equivalent security services across cloud providers. Contact us if you need specific resource coverage.

Supported Resource Types by Enhanced Control

3.1e - Adaptive Access (AWS)
  • aws_iam_role (with condition-based assume role policies)
  • aws_iam_policy (with Condition blocks)
3.3e - Advanced Logging (AWS)
  • aws_cloudtrail, aws_cloudwatch_log_group, aws_flow_log
  • aws_s3_bucket (encrypted log storage)
  • aws_kms_key (log encryption keys)
3.4e - Automated Compliance (AWS/Azure)
  • aws_config_configuration_recorder, aws_config_config_rule, aws_config_remediation_configuration
  • azurerm_policy_definition, azurerm_policy_assignment
3.11e - Threat Intelligence (AWS/Azure)
  • aws_guardduty_detector, aws_securityhub_account, aws_securityhub_standards_subscription
  • azurerm_security_center_subscription_pricing
3.13e - Advanced Crypto (AWS/Azure/GCP)
  • aws_kms_key, aws_ebs_encryption_by_default, aws_s3_bucket_server_side_encryption_configuration
  • azurerm_key_vault, azurerm_key_vault_key
  • google_kms_crypto_key, google_kms_key_ring
3.14e - Security Automation (AWS)
  • aws_lambda_function (security automation functions)
  • aws_signer_signing_profile, aws_lambda_function (with code signing)
  • aws_cloudwatch_log_metric_filter (behavior monitoring)

Assessment Workflow

OSCAL Output Structure

Enhanced controls include additional properties to distinguish them from basic requirements:

```json
{
  "observation": {
    "uuid": "obs-uuid",
    "title": "3.1.1e Evidence",
    "description": "Dynamic access control policy: aws_iam_role.admin",
    "props": [
      { "name": "control-id", "value": "3.1.1e" },
      { "name": "enhancement-level", "value": "advanced" },
      { "name": "automated", "value": "true" },
      { "name": "parent-control", "value": "3.1.1" },
      { "name": "framework", "value": "NIST-800-172" }
    ]
  }
}
```
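An added example (not the assessor's own code) tying the 3.1.1e "condition-based IAM policies" check to the OSCAL observation shape above: it parses the JSON policy documents carried in a constructed Terraform state fragment, treats any statement with a `Condition` block as adaptive access control, and emits an observation with the properties shown. The state follows the standard v4 `resources[].instances[].attributes` layout; reading `assume_role_policy` on roles and `policy` on managed policies is an assumption about what the page's check inspects.

```python
import json
import uuid

# Constructed Terraform state fragment (not real customer data): one role whose
# assume-role policy is restricted by source IP, one managed policy with no Condition.
SAMPLE_TFSTATE = {
    "version": 4,
    "resources": [
        {"type": "aws_iam_role", "name": "admin", "instances": [{"attributes": {
            "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})}}]},
        {"type": "aws_iam_policy", "name": "readonly", "instances": [{"attributes": {
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]})}}]},
    ],
}

# Which attribute holds the policy document for each IAM resource type (assumed).
POLICY_ATTRS = {"aws_iam_role": "assume_role_policy", "aws_iam_policy": "policy"}


def conditional_policies(tfstate):
    """Return 'type.name' for every IAM role/policy whose statements carry a Condition."""
    hits = []
    for res in tfstate.get("resources", []):
        attr = POLICY_ATTRS.get(res.get("type"))
        if not attr:
            continue
        for inst in res.get("instances", []):
            doc = json.loads(inst.get("attributes", {}).get(attr) or "{}")
            stmts = doc.get("Statement", [])
            stmts = stmts if isinstance(stmts, list) else [stmts]  # single-statement form
            if any("Condition" in s for s in stmts):
                hits.append(f"{res['type']}.{res['name']}")
    return hits


def assess_3_1_1e(tfstate):
    """Return (status, OSCAL-style observation) for 3.1.1e."""
    hits = conditional_policies(tfstate)
    status = "satisfied" if hits else "not-satisfied"
    description = (f"Dynamic access control policy: {', '.join(hits)}" if hits
                   else "No dynamic access control mechanisms found")
    props = [("control-id", "3.1.1e"), ("enhancement-level", "advanced"),
             ("automated", "true"), ("parent-control", "3.1.1"), ("framework", "NIST-800-172")]
    observation = {"uuid": str(uuid.uuid4()), "title": "3.1.1e Evidence",
                   "description": description,
                   "props": [{"name": n, "value": v} for n, v in props]}
    return status, observation
```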

Example Assessment Request

```shell
curl --request POST \
  --url https://api.usenabla.com/v1/cmmc \
  --header 'Content-Type: application/json' \
  --header 'X-Customer-Key: <x-customer-key>' \
  --data '{
  "name": "<string>",
  "format": "oscal",
  "source_type": "terraform_state",
  "source_content": "<string>"
}'
```
Set include_parent_framework: true to get both 800-171 and 800-172 assessments in a single request.

Common Enhanced Control Gaps

Critical Deficiencies

3.3.1e - Insufficient Logging Coverage
Finding: "Comprehensive system-wide audit logging not found (need API, application, and network logging)"
Current: CloudTrail only
Required: CloudTrail + CloudWatch + VPC Flow Logs
3.5.1e - MFA Not Universally Enforced
Finding: "No multi-factor authentication enforcement found"
Current: MFA optional for users
Required: MFA required for ALL access (not just privileged)
3.11.1e - No Automated Threat Detection
Finding: "No continuous monitoring capabilities found"
Current: Manual log review
Required: GuardDuty or equivalent automated threat detection

Common Misconfigurations

3.13.6e - Inadequate Network Segmentation
Finding: "Insufficient network segmentation (need multiple subnets with ACLs/security groups)"
Current: Single subnet or no ACLs
Required: 2+ subnets with NACLs/security groups
3.14.1e - Manual Incident Response
Finding: "No automated security response mechanisms found"
Current: Manual runbooks
Required: AWS Config auto-remediation or Lambda automation

Who Needs NIST 800-172?

Required For

  • Organizations handling high-value CUI (e.g., advanced weapons systems, intelligence)
  • Defense Industrial Base (DIB) companies with APT threat profiles
  • Critical infrastructure providers under CISA guidelines
  • Research institutions with classified/CUI data collaboration

Not Required For

  • Standard government contractors with basic CUI (800-171 sufficient)
  • Commercial SaaS companies (unless handling CUI)
  • Organizations without nation-state threat models

Compliance Strategy

Phased Implementation

Phase 1: Foundation (NIST 800-171)
  1. Implement basic security controls
  2. Achieve 110/110 on 800-171 assessment
  3. Document SSP and POA&M
Phase 2: Enhancement (NIST 800-172)
  1. Add automated threat detection (GuardDuty, Sentinel)
  2. Implement behavior analytics
  3. Enhance cryptographic architecture
  4. Deploy security orchestration (SOAR)
Phase 3: Continuous Assurance
  1. Automated compliance scanning (daily)
  2. Integration with CI/CD pipelines
  3. Real-time OSCAL reporting
  4. Third-party validation

Limitations

Enhanced Control Assessment Limitations:
  • Behavioral Controls: Many 800-172 controls require runtime behavior analysis, not just configuration
  • Threat Intelligence: Integration with threat feeds cannot be fully validated from IaC
  • Organizational Maturity: Controls like dual authorization (3.1.2e) require process validation
  • Predictive Analytics: ML/AI-based threat detection (3.11.2e) requires specialized platforms
  • IaC Scope: Only infrastructure resources are assessed; application security is out of scope

Best Practices

  1. Layered Defense: 800-172 assumes 800-171 compliance; don't skip the basics
  2. Automation First: Manual processes do not satisfy enhanced requirements
  3. Evidence Collection: Retain logs, scan results, and OSCAL outputs for audits
  4. Continuous Assessment: Enhanced controls require continuous monitoring, not point-in-time audits
  5. Threat Modeling: Align security investments with your organization’s threat profile

Relationship to Other Frameworks

| Framework | Relationship to 800-172 |
| --- | --- |
| NIST 800-171 | Parent framework (basic requirements) |
| NIST 800-53 | Source catalog for many enhanced controls |
| CMMC 2.0 Level 3 | Incorporates 800-172 requirements |
| FIPS 140-3 | Cryptographic validation referenced by 3.13e controls |
| Zero Trust | Architectural alignment with adaptive access (3.1e) |

Cost Considerations

Implementing 800-172 enhanced controls typically requires:
  • AWS: GuardDuty ($4-8/account/month), Security Hub ($0.001/finding), Config ($2-5/rule/month)
  • Azure: Sentinel ($2-5/GB ingested), Defender ($15/server/month)
  • GCP: Security Command Center Premium ($25-100/project/month)
  • Third-Party: SIEM, SOAR, threat intel subscriptions ($10K-100K+/year)
Budget 15-30% above baseline 800-171 costs for enhanced security capabilities.

Official References