NIST Releases Final Version of SP 800-172r3, Adding 80 New Controls for Protecting High-Value CUI

NIST Finalizes SP 800-172r3, Toughening Security Rules for Controlled Unclassified Information (CUI)

INFORMATIONAL
Published May 16, 2026; updated May 18, 2026
Policy and Compliance | Regulatory | Threat Intelligence

Full Report (when first published)

Executive Summary

The U.S. National Institute of Standards and Technology (NIST) has published the final version of Special Publication (SP) 800-172r3, "Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI)." This document provides a supplemental set of advanced security controls for nonfederal organizations that handle CUI in systems deemed to be part of a "high value asset" or "critical program." The revision represents a significant expansion of security expectations, introducing 80 new controls while modifying or withdrawing others. A key theme of the update is a heightened focus on acquisition and supply chain risk management, aligning with broader U.S. government efforts to secure its technology ecosystem. Organizations in the Defense Industrial Base (DIB) and other sectors handling CUI must now analyze these new requirements and plan for their implementation.


Regulatory Details

  • Publication: NIST Special Publication (SP) 800-172r3
  • Title: Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI)
  • Purpose: To provide enhanced, or more stringent, security controls that supplement the baseline requirements found in NIST SP 800-171. These enhanced controls are intended for CUI that is associated with critical programs or high-value assets, where the loss or compromise of the information would have a severe adverse effect.
  • Key Changes in Revision 3:
    • Addition of 80 new controls.
    • Withdrawal of 12 previous controls.
    • Significant modification of 12 other controls.

Affected Organizations

This guidance primarily affects nonfederal organizations, including:

  • U.S. Government Contractors: Especially those within the Defense Industrial Base (DIB).
  • Universities and Research Institutions: Those receiving federal grants and handling CUI.
  • Any organization that is contractually obligated to protect CUI and is informed by a federal agency that the information is part of a critical program or high-value asset.

Compliance Requirements

SP 800-172r3 significantly raises the bar for cybersecurity. While SP 800-171 provides the baseline, this publication adds advanced controls in several key areas:

  • Supply Chain Risk Management (SCRM): This is the most heavily emphasized new area. The controls are designed to address threats from hardware, software, and services acquired by the organization. This aligns with the principles of the NIST Cybersecurity Framework 2.0, which introduced a dedicated "Govern" function with a focus on SCRM.
  • Access Control: New controls are added to further restrict and monitor access to systems handling CUI.
  • Network Segmentation: Enhanced requirements for isolating CUI systems from the rest of the network.
  • Asset Management: More rigorous controls for identifying, tracking, and managing all hardware and software assets.
  • Threat Detection: Advanced capabilities for detecting and responding to threats in real time.

The publication continues to use the concept of Organization-Defined Parameters (ODP), which allows organizations some flexibility in how they implement the controls, but the core requirements are prescriptive.

Implementation Timeline

The publication was finalized on May 13, 2026. While the document itself does not set a compliance deadline, it will be incorporated into federal contracts and regulations. Organizations should anticipate that new government contracts will begin referencing this updated standard, requiring them to demonstrate compliance as a condition of the award.

Impact Assessment

For affected organizations, implementing these new controls will be a significant undertaking.

  • Resource Intensive: Compliance will require substantial investment in technology, personnel, and process development.
  • Technical Complexity: The enhanced controls, particularly in areas like threat detection and network segmentation, require advanced technical capabilities.
  • Gap Analysis Required: Organizations must immediately conduct a gap analysis of their current security posture against the 80 new controls to understand the scope of the required effort.
  • Contractual Risk: Failure to meet these requirements could result in the loss of existing government contracts or the inability to win new ones.

Compliance Guidance

  1. Identify CUI: The first step is to accurately identify and inventory all CUI within the organization and determine which systems process, store, or transmit it.
  2. Conduct a Gap Analysis: Compare your existing controls against the full set of requirements in SP 800-171 and the new enhanced controls in SP 800-172r3.
  3. Develop a Plan of Action & Milestones (POA&M): For any identified gaps, create a detailed project plan that outlines the steps, resources, and timeline required to implement the necessary controls.
  4. Prioritize Supply Chain: Given the focus of the update, organizations should immediately begin evaluating their supply chain security practices, including vetting suppliers and implementing controls for acquired software and hardware.
  5. Engage with Stakeholders: Compliance is not just an IT or security issue. It requires buy-in and participation from legal, procurement, and executive leadership.

Timeline of Events

  1. May 13, 2026: NIST finalizes and releases Special Publication (SP) 800-172r3.
  2. May 16, 2026: This article was published.

Article Updates

May 18, 2026

NIST SP 800-172r3 update details emphasize defense against APTs, cyber resiliency, and zero-trust. Companion SP 800-172A finalized, controls in machine-readable formats.

The updated guidance for NIST SP 800-172 Revision 3 now explicitly includes its assessment companion, SP 800-172A Revision 3. The primary focus is on bolstering defenses against Advanced Persistent Threats (APTs) by promoting cyber resiliency and defense-in-depth strategies, including zero-trust architectures and micro-segmentation. The controls are now available in machine-readable formats like JSON and YAML, facilitating automation. The scope of affected organizations is clarified to include aerospace and critical infrastructure sectors, beyond just DIB and research institutions.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: CUI, Compliance, Government, NIST, Regulatory, SP 800-172r3, Supply Chain Security
