Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects

Protecting Controlled Unclassified Information CUI

Overview

Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective.

  • May 13, 2026: NIST issues SP 800-172r3Enhanced Security Requirements for Protecting Controlled Unclassified Information, and SP 800-172Ar3, Assessing Enhanced Security Requirements for Controlled Unclassified Information. In addition to the documents, both the enhanced security requirements and assessment procedures in the Cybersecurity and Privacy Reference Tool (CPRT) and in OSCAL data formats. A change analysis between SP 800-172 and SP 800-172r3, and an Enhanced Security Requirements for CUI Control Overlay is also available under supplemental materials.
  • August 18, 2025: NIST has released a small business primer to supplement SP 800-171 Revision 3, to help smaller, under-resourced organizations better protect Controlled Unclassified Information (CUI). This resource provides a foundational overview of SP 800-171r3, considerations for organizations as they begin implementing the security requirements, a list of frequently asked questions and their answers, key differences between SP 800-171 Revision 2 and Revision 3, tips to help those tasked with implementing SP 800-171 get started, additional resources that small businesses can put into action, and concepts and language that can be used when seeking support from internal or external cybersecurity teams.

CUI Image

 

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides a set of recommended security requirements for protecting the confidentiality of CUI.

NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the CUI security requirements in NIST SP 800-171.

NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, provides enhanced security requirements to help protect CUI associated with critical programs or high value assets in nonfederal systems and organizations from the advanced persistent threat (APT).

NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the enhanced security requirements in NIST SP 800-172.

;

Contacts

Send Protecting CUI Inquiries to: [email protected]

Victoria Pillitteri - NIST

Topics

Security and Privacy: risk management

Created June 13, 2019, Updated May 13, 2026