NIST Releases Draft Enhanced Security Requirements and Assessment Procedures for Protecting CUI 

SP 800-172r3 and SP 800-172Ar3 Now Available for Public Comment!

As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:

  • SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
  • SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.

Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.

Public Comment Period

A public comment period will be open from September 29 through November 14, 2025. Reviewers should submit comments on all or parts of the drafts to 800-171comments@list.nist.gov. All comments submitted during the public comment period will be posted to the NIST Protecting CUI Project page with contact information redacted.

Learn More about Protecting CUI Project: https://csrc.nist.gov/projects/protecting-CUI

SP 800-172r3SP 800-172Ar3