Projects

Protecting Controlled Unclassified Information CUI

Overview

Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective.

  • January 27, 2025: Public comments received on initial public draft (ipd) of SP 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) are posted. Comments received after the extended deadline will be adjudicated with the planned final public draft, as applicable. 
  • January 8, 2025: The public comment period on SP 800-172r3 ipd is extended until January 17, 2025. For more information, see the SP 800-172 publication details page
  • November 13, 2024: NIST invites comments on the SP 800-172r3, Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) ipd.  The draft is available for comment until January 17 10, 2025. For more information, including access to the SP 800-182r3 (ipd) and the suggested comment template, see the SP 800-172 publication details page

CUI Image

 

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides a set of recommended security requirements for protecting the confidentiality of CUI.

NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the CUI security requirements in NIST SP 800-171.

NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, provides enhanced security requirements to help protect CUI associated with critical programs or high value assets in nonfederal systems and organizations from the advanced persistent threat (APT).

NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the enhanced security requirements in NIST SP 800-172.

Contacts

Ron Ross

Victoria Yan Pillitteri
victoria.yan@nist.gov

Topics

Security and Privacy: risk management

Created June 13, 2019, Updated January 27, 2025