Enhanced Security Requirements for Protecting Controlled Unclassified Information

Date Published: September 29, 2025
Comments Due: January 16, 2026
Email Comments to: [email protected]

Planning Note (11/13/2025):

The public comment period has been extended through January 16, 2026.

Author(s)

Ron Ross (NIST), Victoria Pillitteri (NIST)

Announcement

As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:

• SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
• SP 800-172Ar3 ipd (initial public draft),  Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.

Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3. 

NIST seeks feedback on both drafts during a 45-day public comment period, from September 29 through November 14, 2025 January 16, 2026. NIST is specifically interested in comments, feedback, and recommendations on the following topics:

• The additional enhanced security requirements to protect critical systems and high value assets
• The mappings between the enhanced security requirements to the SP 800-160 protect strategies and adversary effects
• The usefulness of the information in the supplementary Appendices

Learn More about the Protecting CUI Project.

Control Families

None selected