The Broadside · News · Tags: nist-800-172, standards

NIST releases SP 800-172r3, tightening enhanced CUI controls

The third major revision in five years expands access control, network segmentation, asset management, and supply chain requirements, and no transition timeline for r2 contractors exists yet.


TL;DR

NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) in nonfederal systems. Assessors must update evaluation procedures to match r3 or their assessments will be considered non-compliant. NIST has not announced a compliance deadline for contractors currently operating under r2, nor whether existing r2 assessments remain valid during any transition period.


SP 800-172 is the high-water mark for CUI protection requirements. Where SP 800-171 covers baseline CUI handling for the broad contractor population, 800-172 applies to contractors supporting critical programs and high-value assets, the tier that adversaries target most aggressively. Revision 3 lands as the third major update in roughly five years, a cadence that reflects deliberate baseline tightening rather than periodic housekeeping.

What changed in r3

The substantive additions in SP 800-172r3 hit four control families: access controls, network segmentation, asset management, and supply chain security. NIST also restructured the document for consistency with SP 800-171r3 (published in 2024) and added new mappings to SP 800-160 protection strategies and adversary-effects analysis, which is a cyber-resiliency framing borrowed from the systems-engineering side of the SP 800 family. The source controls remain anchored to SP 800-53r5. Both publications are simultaneously available in the Cybersecurity and Privacy Reference Tool (CPRT) and in Open Security Controls Assessment Language (OSCAL) formats.

SP 800-172Ar3, the companion assessment procedures document, is updated in parallel. Assessors using r2 procedures against r3 requirements will produce results NIST would consider misaligned, a practical non-compliance risk for any third-party assessor or internal audit team that doesn't update its methodology before conducting an evaluation.

The open question practitioners need answered

NIST's release notice is silent on two operationally critical points: when contractors currently operating under 800-172r2 must transition to r3 controls, and whether assessments completed under r2 procedures remain valid during any interim period. Those questions are not academic. A contractor mid-assessment against r2 requirements today has no published guidance on whether to pause, continue, or restart against r3. DoD contracting officers implementing CMMC Level 3, which references 800-172 enhanced requirements, will also need to clarify whether Level 3 assessments now require r3 alignment and on what timeline.

Until NIST or DoD issues transition guidance, contractors supporting critical programs should treat the r3 control set as the target state and document any gap analysis against it now. Waiting for a formal deadline is a reasonable legal position; it is a poor operational one given the revision's supply chain and access control scope.

What assessors do Monday

Pull both SP 800-172r3 and SP 800-172Ar3 from the NIST CPRT or the publication detail pages. Map your current assessment procedures against the revised requirement families to identify where r3 diverges from r2. The structural realignment with SP 800-171r3 means the section numbering will be familiar; the new supply chain and segmentation requirements are where the substantive gaps will surface. For contractors already operating against 800-171r3 controls, the 800-172r3 structure should integrate without major reorganization. For those still working from older baselines, r3 is another prompt to consolidate.


Deep Fathom