{"id":214488,"date":"2026-05-15T12:40:00","date_gmt":"2026-05-15T16:40:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/contractors-should-prepare-as-nist-finalizes-enhanced-security-requirements-for-protecting-controlled-unclassified-information-wiley\/"},"modified":"2026-05-15T12:45:08","modified_gmt":"2026-05-15T16:45:08","slug":"contractors-should-prepare-as-nist-finalizes-enhanced-security-requirements-for-protecting-controlled-unclassified-information-wiley","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/contractors-should-prepare-as-nist-finalizes-enhanced-security-requirements-for-protecting-controlled-unclassified-information-wiley\/","title":{"rendered":"Contractors Should Prepare as NIST Finalizes Enhanced Security Requirements for Protecting Controlled Unclassified Information: Wiley"},"content":{"rendered":"<p><a href=\"https:\/\/www.wiley.law\/alert-Contractors-Should-Prepare-as-NIST-Finalizes-Enhanced-Security-Requirements-for-Protecting-Controlled-Unclassified-Information\">Contractors Should Prepare as NIST Finalizes Enhanced Security Requirements for Protecting Controlled Unclassified Information: Wiley<\/a><\/p>\n<p><a href=\"https:\/\/www.wiley.law\/alert-Contractors-Should-Prepare-as-NIST-Finalizes-Enhanced-Security-Requirements-for-Protecting-Controlled-Unclassified-Information\">https:\/\/www.wiley.law\/alert-Contractors-Should-Prepare-as-NIST-Finalizes-Enhanced-Security-Requirements-for-Protecting-Controlled-Unclassified-Information<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-15 12:40:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.wiley.law\">www.wiley.law<\/a><\/p>\n<p>
On May 13, 2026, the National Institute of Standards and Technology (NIST) finalized a revision to Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), which provides a selection of recommended cybersecurity controls for protecting CUI resident on a nonfederal information system when associated with a \u201chigh value asset\u201d or \u201ccritical program.\u201d The revised publication highlights the importance of contractors being able to identify CUI and having plans to implement SP 800-172r3 controls even before the revisions are adopted into the Department of War (DOW) Cybersecurity Maturity Model Certification (CMMC) Program.<br \/>\nThe SP 800-172 controls are tailored to protect CUI and associated systems that may be the target of \u201cAdvanced Persistent Threats\u201d (APTs), which are cybersecurity threat actors generally associated with nation-states such as China, Russia, Iran, or North Korea that NIST assesses have the \u201cexpertise and resources\u201d to use cyber, physical and deception capabilities to achieve their objectives. SP 800-172 Revision 3 is intended to supplement controls featured in NIST\u2019s SP 800-171 Revision 3 and SP 800-53: Security and Privacy Controls for Information Systems and Organizations.<br \/>\nAlongside SP 800-172 Revision 3, NIST revised the companion assessment publication, SP 800-172Ar3: Assessing Enhanced Security Requirements for Controlled Unclassified Information, to reflect new controls added to SP 800-172r3. This publication provides assessment procedures for organizations to determine how effectively an organization is implementing the security controls outlined in SP 800-172r3. These publications do not immediately apply to contractors; however, agencies have required contractors to meet certain SP 800-172 requirements through terms of contracts, grants, or other agreements. 
For example, DOW selected certain controls from an earlier version (Revision 2) of SP 800-172 for its CMMC Level 3 requirement.<br \/>\nThe SP 800-172 Controls Are Comprehensive but Flexible<br \/>\nThe SP 800-172 controls are organized into 17 \u201cfamilies\u201d of controls that together implement a defense-in-depth strategy with three components: penetration-resistant architecture, damage-limiting operations, and cyber resiliency.<\/p>\n<p>For each control, NIST then describes the control, provides a discussion, maps the control to one of the three components of the defense-in-depth strategy, explains which adversary effects the control seeks to mitigate, and includes references to other NIST guidance if applicable. Some controls have \u201corganization-defined parameters\u201d (ODPs), through which federal agencies and nonfederal organizations who choose to implement these controls customize the implementation by selecting specific values (such as a tool, mechanism, or time period). The ODP concept provides flexibility in implementing these security controls.<br \/>\nAs we have noted in previous updates on this publication, much of the new material focuses on acquisition and supply chain risk management and security practices. NIST also added new material for access controls, network segmentation, asset management, and threat detection. In total, NIST added 80 new controls, withdrew 12 controls, and made significant changes to 12 others. 
These revisions remain consistent with shifts in other NIST guidance, such as the Cybersecurity Framework 2.0, to more fully address the software supply chain.<br \/>\nNew SP 800-172r3 Controls Raise Implementation Considerations for Contractors<br \/>\nContractors seeking CMMC Level 3 status must have attained Level 2 certification, and also must implement 24 of the controls from the February 2021 version of SP 800-172 (Revision 2) and then obtain a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification assessment. SP 800-172r3 and 800-172Ar3 will not be incorporated immediately into the CMMC Program \u2013 instead, DOW has indicated that it intends to engage in further rulemaking to update CMMC security requirements in the future.<br \/>\nNevertheless, now that the revised SP 800-172r3 controls have been finalized, federal agencies may choose to start implementing new controls into select contracts, grants, or other agreements involving particularly sensitive data related to high value assets or critical programs\u00a0\u2013 another reason contractors may want to be familiar with and have a plan to implement SP 800-172r3 controls even before revisions are adopted for the CMMC Program. Because the SP 800-172r3 controls assume that an adversary has the capability to target cybersecurity and physical security measures, planning should be cross-sectional and integrate personnel responsible for cybersecurity, physical security, and business continuity and resilience activities.<br \/>\nFurther, because the SP 800-172 controls are intended to protect CUI residing in a nonfederal system and organization, the revised publication underscores the importance of contractors having a capability and process to identify CUI. In our experience, while the government is responsible for identifying and marking CUI to its contractors, some agencies have been aggressive in their designations. 
In an effort to reduce potential risk of mishandling, contractors may seek clarification or revision from the agency regarding their data labeling. However, if the government agency is not willing to revise marking decisions, then the agencies will expect those responsible for the data to follow handling procedures that apply to the data as marked.<br \/>\n*********<br \/>\nWiley\u2019s cross-disciplinary Government Contracts, National Security, and Privacy, Cyber &#038; Data Governance teams have significant experience advising clients on all aspects of compliance with CUI handling and CMMC requirements. Please reach out to any of the authors with questions.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Contractors Should Prepare as NIST Finalizes Enhanced Security Requirements for Protecting Controlled Unclassified Information: Wiley&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214490,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.wiley.law\/i-t1778862927\/logo-og.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-214488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214488"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214488"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214488\/revisions"}
],"predecessor-version":[{"id":214492,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214488\/revisions\/214492"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214490"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=214488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}