Date Published: November 13, 2024
Comments Due: January 10, 2025
Email Comments to: 800-171comments@list.nist.gov
SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171r3 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
Significant changes in SP 800-172r3 include:
Submit Your Comments
The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
For more information, see the NIST Protecting CUI Project.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Publication:
https://doi.org/10.6028/NIST.SP.800-172r3.ipd
Supplemental Material:
Comment template (xlsx)
Protecting CUI
Document History:
11/13/24: SP 800-172 Rev. 3 (Draft)
advanced persistent threats, continuous monitoring, planning, risk assessment
Laws and Regulations: Federal Information Security Modernization Act, OMB Circular A-130