As part of ongoing efforts to strengthen protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following final publications:
- SP 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI associated with critical programs and high value assets, and are consistent with the source controls in SP 800-53r5. Key changes in this revision include:
  - Expanded security requirements that address access controls, network segmentation, asset management, and supply chain security practices
  - New mappings to SP 800-160 protection strategies and adversary effects to better support cyber resiliency objectives
  - Revised structure for consistency with SP 800-171r3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and supplementary appendices for improved usability
  - Alignment with SP 800-171r3 security requirement families and source controls from SP 800-53, Security and Privacy Controls for Information Systems and Organizations
- SP 800-172Ar3 (Revision 3), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides assessment procedures for the enhanced security requirements in SP 800-172r3. Key changes in this revision include:
  - Updated assessment procedures aligned to the new and revised enhanced security requirements in SP 800-172r3
  - Assessment procedures derived from the source assessment procedures in SP 800-53Ar5
Both publications implement a one-time revision number change for consistency with SP 800-171r3 and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information.
In addition to these documents, NIST is also releasing both the enhanced security requirements and assessment procedures in the Cybersecurity and Privacy Reference Tool (CPRT) and in Open Security Controls Assessment Language (OSCAL) data formats, available through the publication details pages for both SP 800-172r3 and SP 800-172Ar3.
Learn more about the Protecting CUI Project.
Please send questions and comments to sec-cert [at] nist.gov.