Pillitteri, V.
and Ross, R.
(2026),
Enhanced Security Requirements for Protecting Controlled Unclassified Information, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-172r3, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=962129 (Accessed May 14, 2026)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Enhanced Security Requirements for Protecting Controlled Unclassified Information
Published
Author(s)
, Ron Ross
Abstract
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with a set of recommended enhanced security requirements for providing additional protection to the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and associated with a critical program or high value asset (HVA). It is designed as a supplement to NIST Special Publication (SP) 800-171 to protect against advanced persistent threats (APTs). The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components only when selected and required by federal agencies to manage risks to CUI. The enhanced security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements will be selected by federal agencies. The decision to select a particular set of enhanced security requirements will be based on the mission and business needs of federal agencies and guided and informed by ongoing risk assessments.Citation
Special Publication (NIST SP) - 800-172r3
Report Number
800-172r3
NIST Pub Series
Pub Type
NIST Pubs
Download Paper
Keywords
advanced persistent threat, contractor systems, controlled unclassified information, CUI registry, enhanced security requirement, Executive Order 13556, FISMA, NIST Special Publication 800-172, NIST Special Publication 800-53, nonfederal organizations, nonfederal systems, security assessment, security control, security requirement
Citation
Issues
If you have any questions about this publication or are having problems accessing it, please contact [email protected].
Created May 13, 2026