The U.S. National Institute of Standards and Technology (NIST) published final versions of Special Publication 800-172 Revision 3 and SP 800-172A Revision 3, expanding cybersecurity requirements and assessment procedures designed to protect controlled unclassified information in nonfederal systems and organizations. Announced on May 13, the updated guidance introduces enhanced security requirements focused on cyber resiliency, including expanded controls for access management, network segmentation, asset management, and supply chain security practices. NIST said the revisions align with SP 800-171r3 and SP 800-53r5 to improve consistency across federal cybersecurity frameworks.
NIST said SP 800-172Ar3 provides updated assessment procedures linked to revised security requirements and derived from SP 800-53Ar5 assessment methodologies. The agency also added new mappings to SP 800-160 protection strategies and adversary effects to strengthen defenses against APTs (advanced persistent threats) and improve cyber resiliency objectives for critical programs and high-value assets.
In addition to the publications, NIST released the requirements and assessment…
