NIST SP 800-172 Rev. 3 (Initial Public Draft)

Enhanced Security Requirements for Protecting Controlled Unclassified Information

Date Published: November 13, 2024
Comments Due: January 10, 2025
Email Comments to: 800-171comments@list.nist.gov

Author(s)

Ron Ross (NIST), Victoria Pillitteri (NIST)

Announcement

SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171r3 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.

Significant changes in SP 800-172r3 include:

  • Increased the specificity of the enhanced security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
  • Revised the enhanced security requirements for consistency with the source security control language in SP 800-53
  • Updated the numbering system for enhanced security requirements and added titles to the requirements
  • Added new enhanced security requirements based on (1) the latest threat intelligence, (2) empirical data from cyber attacks, and (3) the expansion of security objectives to include integrity and availability
  • Added new requirement families for consistency with SP 800-171r3: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR)
  • Removed outdated and redundant enhanced security requirements
  • Implemented a one-time “revision number” change for consistency with SP 800-171r3.

Submit Your Comments

The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

For more information, see the NIST Protecting CUI Project.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

advanced persistent threat; contractor systems; controlled unclassified information; CUI registry; enhanced security requirement; Executive Order 13556; FISMA; NIST Special Publication 800-172; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; security assessment; security control; security requirement
Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-172r3.ipd

Supplemental Material:
Comment template (xlsx)
Protecting CUI

Document History:
11/13/24: SP 800-172 Rev. 3 (Draft)