1. Home
  2. |Insights
  3. |NIST Publishes Assessment Procedures for Enhanced Security Controls Used to Protect CUI

NIST Publishes Assessment Procedures for Enhanced Security Controls Used to Protect CUI

Client Alert | 1 min read | 03.18.22

The National Institute of Standards and Technology (NIST) recently published final assessment procedures for the enhanced security controls used to protect particularly sensitive forms of controlled unclassified information (CUI) from sophisticated adversaries.  NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, articulates procedures and methods to assess contractor implementation of the 35 enhanced security controls found in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.  The publication can be used to conduct first, second, and third-party assessments with varying degrees of rigor based on the assessor’s desired level of assurance.

The enhanced controls and corresponding assessment procedures are expected to impact contractors handling CUI associated with critical programs and high value assets.  The Department of Defense (DoD) also plans to incorporate the requirements from NIST SP 800-172 into Level 3 of the Cybersecurity Maturity Model Certification (CMMC)  The assessment procedures and methods in NIST SP 800-172A are expected to inform the government-led assessments needed for DoD contractors to achieve certification at CMMC Level 3. 

Contacts

Insights

Client Alert | 2 min read | 07.15.26

CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations

As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights....