Topic · nist-800-172

NIST SP 800-172

RSS feed ↗

standards
NIST opens comment period on SP 800-52 Rev. 2 TLS guidelines
The real question isn't TLS 1.3 alignment, it's whether NIST will demote TLS 1.2 from required to optional, which sets the pace of cryptography deprecation across CMMC-tied frameworks.
NIST's Crypto Publication Review Board opened a public comment period through July 10, 2026 on SP 800-52 Rev. 2 (2019), its TLS implementation guidance. The revision targets alignment with IETF TLS 1.3 drafts, but the consequential question is whether NIST will downgrade server-side TLS 1.2 support from "should" to "may." Contractors, primes, MSPs, and C3PAOs with federal TLS configurations should comment now, the outcome will shape compatibility windows across 800-172 and CMMC controls.
YESTERDAY
standards
NIST releases SP 800-172r3, tightening enhanced CUI controls
The third major revision in five years expands access control, network segmentation, asset management, and supply chain requirements, and no transition timeline for r2 contractors exists yet.
NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) in nonfederal systems. Assessors must update evaluation procedures to match r3 or their assessments will be considered non-compliant. NIST has not announced a compliance deadline for contractors currently operating under r2, nor whether existing r2 assessments remain valid during any transition period.
YESTERDAY
trade-press
NIST targets summer 2025 debut for AI cybersecurity framework overlays
Control overlays for predictive, agentic, and generative AI arrive before finalization in 2027, giving contractors 18-24 months to treat ad-hoc AI risk management as a compliance gap.
NIST's Security Engineering and Risk Management Group plans to release a draft cybersecurity framework profile for AI, plus tailored control overlays, beginning this summer: predictive-AI overlay first, agentic-systems overlay by late summer or early fall, with finalization targeted for 2027. Primes, subs, and managed service providers in the defense supply chain should treat the sequenced drafts as early signals of what will land in contract vehicles. The critical unanswered question is whether these overlays will be mandatory references in federal procurement or advisory supplements to NIST SP 800-171/172.
THU
trade-press
Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors
For the first time, post-quantum cryptography gets binding deadlines with teeth, closing the three-year gap since NSA told agencies to migrate without requiring them to.
A White House draft executive order would require federal agencies to migrate key establishment systems to post-quantum cryptography (PQC) by Dec. 31, 2030, and digital signatures on high-impact systems by Dec. 31, 2031. "Covered contractors" face the same 2030 key establishment deadline under NIST PQC standards. The order tasks OMB with issuing implementation guidance. Critical open questions remain: whether "covered contractors" sweeps in all subcontractors or only primes above a threshold, and what enforcement mechanism OMB will specify, the same gap that made NSA's 2022 quantum-resistant guidance effectively optional for four years.
THU

NIST SP 800-172

NIST opens comment period on SP 800-52 Rev. 2 TLS guidelines

NIST releases SP 800-172r3, tightening enhanced CUI controls

NIST targets summer 2025 debut for AI cybersecurity framework overlays

Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors