Assessing Enhanced Security Requirements for Controlled Unclassified Information
Published
Author(s)
Ronald S. Ross, Victoria Yan Pillitteri, Kelley L. Dempsey
Abstract
The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions and business operations. This publication provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The assessment procedures are flexible and can be tailored to the needs of organizations and assessors. Assessments can be conducted as 1) self-assessments; 2) independent, third-party assessments; or 3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on customer-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements.
Ross, R., Pillitteri, V. and Dempsey, K. (2022), Assessing Enhanced Security Requirements for Controlled Unclassified Information, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-172A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934399 (Accessed October 14, 2025)