Date Published: May 2026
Supersedes:
SP 800-172A (03/15/2022)
Planning Note (05/13/2026):
The assessment procedures in SP 800-172Ar3 are available in multiple data formats. The PDF of SP 800-172Ar3 is the authoritative source of the assessment procedures. If there are any discrepancies noted in the content between the CPRT dataset, OSCAL dataset, and the SP 800-172Ar3 PDF, please contact [email protected] and refer to the PDF as the normative source.
Author(s)
Victoria Pillitteri (NIST), Ron Ross (NIST)
The protection of controlled unclassified information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with assessment procedures for the enhanced security requirements in NIST SP 800-172. The assessment procedures are flexible and can be tailored to the needs of federal agencies and assessors. Security requirement assessments can be conducted as (1) self-assessments; (2) independent, third-party assessments; or (3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on federal agency-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the security requirements.
The protection of controlled unclassified information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication...
See full abstract
The protection of controlled unclassified information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with assessment procedures for the enhanced security requirements in NIST SP 800-172. The assessment procedures are flexible and can be tailored to the needs of federal agencies and assessors. Security requirement assessments can be conducted as (1) self-assessments; (2) independent, third-party assessments; or (3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on federal agency-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the security requirements.
Hide full abstract
Keywords
assessment; assessment procedure; assurance; enhanced security requirement; enhanced security requirement assessment; controlled unclassified information; Executive Order 13556; nonfederal organization; nonfederal system; security assessment
Control Families
None selected
