NIST expands CUI controls in 800-172r3, aligns with 800-171r3
No compliance deadline or transition plan accompanies the final publications.
TL;DR
NIST published SP 800-172r3 and its assessment companion, SP 800-172Ar3, on May 13. Expanded requirements cover access controls, network segmentation, asset management, and supply chain security, with new mappings to SP 800-53r5 and alignment with SP 800-171r3 control families. Affected: contractors handling CUI for critical programs and high-value assets, and the assessors evaluating them. NIST provided no compliance deadline and did not say whether existing r2 certifications remain valid during a transition. It is not yet clear whether the changes impose new requirements or restructure existing ones for consistency with 800-171r3.
The two publications implement a one-time revision number jump to r3 for consistency with SP 800-171r3 and SP 800-171Ar3, both released earlier. The prior revision was SP 800-172r2, published in 2021. Both documents are available in the Cybersecurity and Privacy Reference Tool (CPRT) and in OSCAL data formats. A companion release provides the updated assessment procedures in SP 800-172Ar3, derived from SP 800-53Ar5, the assessment companion to SP 800-53r5.
Published ·Updated ·Deep Fathom