NIST Invites Comments on Enhanced Security Requirements for Protecting Controlled Unclassified Information
November 13, 2024

Extended Comment Period

(1/8/25) The public comment period has been extended through January 17, 2025.

The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.

SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171r3 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.

Significant changes in SP 800-172r3 include:

  • Increased the specificity of the enhanced security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
  • Revised the enhanced security requirements for consistency with the source security control language in SP 800-53
  • Updated the numbering system for enhanced security requirements and added titles to the requirements
  • Added new enhanced security requirements based on (1) the latest threat intelligence, (2) empirical data from cyber attacks, and (3) the expansion of security objectives to include integrity and availability
  • Added new requirement families for consistency with SP 800-171r3: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR)
  • Removed outdated and redundant enhanced security requirements
  • Implemented a one-time “revision number” change for consistency with SP 800-171r3.

Submit Your Comments

The public comment period is open through January 17, 2025 (extended from January 10). NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

For more information about the NIST Protecting CUI Project and other resources, see
https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information.

Created November 05, 2024, Updated January 08, 2025