ThreatLocker and NIST SP 800-172

3 min. read. Last update: 01.26.2026

NIST SP 800-172 serves as a supplement to NIST SP 800-171 R2. It includes enhanced security requirements to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Organizations are not expected to apply all of these requirements. Specific needs will be based on the mission and business needs of federal agencies. For more information on NIST SP 800-172, please visit: https://csrc.nist.gov/publications/detail/sp/800-172/final 

Disclosure: ThreatLocker does not provide legal or compliance advice and is not a certifying authority for NIST SP 800-172 R1 compliance. The information provided represents ThreatLocker’s best-effort assessment of how its product capabilities may support certain NIST SP 800-172 R1 requirements when properly configured. An organization’s compliance status is dependent on multiple factors beyond the ThreatLocker platform. Any NIST SP 800-172 R1 controls or requirements not explicitly referenced are not currently supported by ThreatLocker.

3.1 Access Control 

Enhanced Security Requirements 

  • 3.1.2e “Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations.”
    • ThreatLocker can assist with meeting this requirement.  
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 
    • Application Allowlisting operates using a default deny. No software changes can be made unless they have been approved and are permitted. 

3.11 Risk Assessment  

Enhanced Security Requirements 

  • 3.11.3e “Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.”
    • ThreatLocker can assist with meeting this requirement.  
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 

3.14 System and Information Integrity 

  • 3.14.1e “Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.”
    • ThreatLocker can assist with verifying the integrity of security critical or essential software.
    • Allowlisting operates using a default deny. If permitted software is altered, it will be blocked unless there is a custom rule in place permitting alterations.
  • 3.14.2e “Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.”
    • ThreatLocker can assist with monitoring for anomalous or suspicious behavior. 
    • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 
    • The Unified Audit provides a transactional history of everything ThreatLocker is securing. 

 

  Updated 4/24/23
