NIST SP 800-172
Also known as: Enhanced Security Requirements for Protecting Controlled Unclassified Information
NIST SP 800-172 specifies 24 enhanced security requirements that supplement NIST SP 800-171 for systems handling CUI associated with critical programs or high-value assets. These additional 24 controls are what distinguish CMMC Level 3 from Level 2.
Related terms
- CMMC Level 3
CMMC Level 3 is the highest CMMC certification tier, reserved for DoD programs involving CUI of the highest priority. It requires implementing NIST SP 800-171 plus 24 enhanced controls drawn from NIST SP 800-172, and triennial assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.