Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
NIST Releases Draft Enhanced Security Requirements and Assessment Procedures for Protecting CUI
The new enhanced security requirements in SP 800-172r3 support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5. SP 800-172Ar3 provides a set of assessment procedures for the enhanced securi
NIST has released Special Publication (SP) 800-172r3 (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, and SP 800-172Ar3 (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, for public comment.
The new enhanced security requirements in SP 800-172r3 support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5. SP 800-172Ar3 provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5. Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.
NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025. NIST is specifically interested in comments, feedback, and recommendations on the following topics:
- The additional enhanced security requirements to protect critical systems and high value assets
- The mappings between the enhanced security requirements to the SP 800-160 protect strategies and adversary effects
- The usefulness of the information in the supplementary Appendices