ThreatLocker and NIST SP 800-172

3 min. readlast update: 10.21.2024

NIST SP 800-172 serves as a supplement to NIST SP 800-171 R2. It includes enhanced security requirements to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Organizations are not expected to apply all of these requirements. Specific needs will be based on the mission and business needs of federal agencies. For more information on NIST SP 800-172, please visit: https://csrc.nist.gov/publications/detail/sp/800-172/final 

When configured correctly, ThreatLocker can assist your organization in meeting the requirements outlined below. 

3.1 Access Control 

Enhanced Security Requirements 

  • 3.1.2e “Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations.”
    • ThreatLocker can assist with meeting this requirement.  
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 
    • Application Allowlisting operates using a default deny. No software changes can be made unless they have been approved and are permitted. 

3.11 Risk Assessment  

Enhanced Security Requirements 

  • 3.11.3e Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.” 
    • ThreatLocker can assist with meeting this requirement.  
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 

3.14 System and Information Integrity 

  • 3.14.1e“Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.” 
    • ThreatLocker can assist with verifying the integrity of security critical or essential software. 
    • Allowlisting operates using a default deny. If a permitted software is altered, it will be blocked unless there is a custom rule in place permitting alterations. 
  • 3.14.2e“Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.” 
    • ThreatLocker can assist with monitoring for anomalous or suspicious behavior. 
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 
    • The Unified Audit provides a transactional history of everything ThreatLocker is securing. 

 

  Updated 4/24/23

Was this article helpful?