May 22, 2022

Volume XII, Number 142


May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.

The enhanced security requirements focus on promoting (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designs to achieve cyber resiliency and survivability. While these requirements apply to critical programs and high value assets, NIST did not include guidance on determining which organizational programs or assets fall under these categories. Such determinations will be left to organizations/agencies mandating the use of the enhanced security requirements and such organizations should look to applicable laws, executive orders, directives, regulations or policies.

NIST envisions that federal agencies can implement these enhanced security requirements comprehensively or they may select a subset of requirements as a part of their risk management strategy. Federal contractors can expect that agencies may contractually require certain enhanced security requirements contained in the publication regarding the handling of CUI.

The enhanced security requirements themselves are derived from the security controls in SP 800-53, which focuses on the security of government systems, and are particularly focused on the following elements, which are essential for addressing advanced persistent threats:

  • Applying a threat-centric approach to security requirements specification;

  • Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers

  • Implementing dual authorization controls for the most critical or sensitive operations;

  • Limiting persistent storage to isolated enclaves or domains;

  • Implementing a comply-to-connect approach for systems and networks;

  • Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;

  • Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;

  • Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and

  • Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.

Putting it Into Practice: While not finalized yet, companies that contract with the federal government and have access to CUI associated with critical programs or high value assets should consider how these enhanced security requirements may affect their operations. NIST is accepting comments from the public on SP 800-172 until August 21, 2020.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 211

About this Author

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.


  • Litigation


  • Communications


  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000


  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Jonathan E. Meyer, Sheppard Mullin, International Trade Lawyer, Encryption Technology Attorney

Jon Meyer is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Mr. Meyer was most recently Deputy General Counsel at the United States Department of Homeland Security, where he advised the Secretary, Deputy Secretary, General Counsel, Chief of Staff and other senior leaders on law and policy issues, such as cyber security, airline security, high technology, drones, immigration reform, encryption, and intelligence law. He also oversaw all litigation at DHS,...