Date Published: September 29, 2025
Comments Due:
Email Comments to:
Author(s)
Ron Ross (NIST), Victoria Pillitteri (NIST)
Announcement
As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:
- SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
- SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.
Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.
NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025. NIST is specifically interested in comments, feedback, and recommendations on the following topics:
- The additional enhanced security requirements to protect critical systems and high value assets
- The mappings from the enhanced security requirements to the SP 800-160 protect strategies and adversary effects
- The usefulness of the information in the supplementary appendices
Learn more about the Protecting CUI Project.
The protection of controlled unclassified information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with assessment procedures for the security requirements in NIST SP 800-172. The assessment procedures are flexible and can be tailored to the needs of federal agencies and assessors. Security requirement assessments can be conducted as (1) self-assessments; (2) independent, third-party assessments; or (3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on federal agency-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the security requirements.
Keywords
assessment; assessment procedure; assurance; enhanced security requirement; enhanced security requirement assessment; controlled unclassified information; Executive Order 13556; nonfederal organization; nonfederal system; security assessment
Control Families
None selected