Skip to main content

NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Draft Enhanced Security Requirements and Assessment Procedures for Protecting CUI

The new enhanced security requirements in SP 800-172r3 support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5. SP 800-172Ar3 provides a set of assessment procedures for the enhanced securi

NIST has released Special Publication (SP) 800-172r3 (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, and SP 800-172Ar3 (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, for public comment. 

The new enhanced security requirements in SP 800-172r3 support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5. SP 800-172Ar3 provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5. Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.

NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025. NIST is specifically interested in comments, feedback, and recommendations on the following topics:

  • The additional enhanced security requirements to protect critical systems and high value assets
  • The mappings between the enhanced security requirements to the SP 800-160 protect strategies and adversary effects
  • The usefulness of the information in the supplementary Appendices

Learn More about the Protecting CUI Project.

Released September 29, 2025
Was this page helpful?