standards
NIST releases SP 800-172r3, tightening enhanced CUI controls
The third major revision in five years expands access control, network segmentation, asset management, and supply chain requirements, and no transition timeline for r2 contractors exists yet.
NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) in nonfederal systems. Assessors must update evaluation procedures to match r3 or their assessments will be considered non-compliant. NIST has not announced a compliance deadline for contractors currently operating under r2, nor whether existing r2 assessments remain valid during any transition period.