NIST tightens contractor security rules

- NIST on May 13 released final Revision 3 of Special Publication 800-172 and companion assessment procedures for protecting controlled unclassified information in nonfederal systems.
- The Defense Department says CMMC Level 3 requires 24 additional security requirements from NIST SP 800-172 on top of the 110 in NIST SP 800-171.
- CMMC Phase 1 began on November 10, 2025; contractors can track implementation through DoD’s CMMC resources and NIST’s SP 800-172r3 page.

NIST on May 13 released final Revision 3 of Special Publication 800-172 and SP 800-172A Revision 3, updating the federal government’s enhanced security requirements and assessment procedures for protecting controlled unclassified information, or CUI, in nonfederal systems. The publication is aimed at CUI tied to critical programs and high-value assets, according to NIST.

The update matters to contractors and vendors that handle sensitive federal data through software, cloud services, connected equipment or support systems. It also lands as the Defense Department continues rolling out its Cybersecurity Maturity Model Certification, or CMMC, program.

### What exactly did NIST finalize on May 13?

NIST said SP 800-172 Revision 3 provides enhanced security requirements that support cyber resiliency objectives and are consistent with source controls in SP 800-53 Revision 5. The agency released the final document and the companion assessment guide, SP 800-172A Revision 3, on May 13. The NIST publication applies to controlled unclassified information in nonfederal systems and organizations. NIST said the requirements are intended for CUI “associated with critical programs and high value assets,” a narrower and more sensitive category than general federal data handling. (nist.gov)

### Who is this aimed at beyond traditional defense contractors?

The rule set reaches beyond prime defense companies because CUI often moves through subcontractors, software vendors, managed service providers, research partners and instrument suppliers. NIST’s document covers nonfederal systems and organizations, which can include companies supporting universities, public-health labs and government-funded research programs when those systems store, process or transmit CUI. (nist.gov)

A Wiley Rein analysis published on JDSupra said suppliers should prepare for tougher cybersecurity expectations around procurement and vendor reviews as agencies and regulated contractors update questionnaires and onboarding demands. That analysis framed the change as a practical compliance issue for companies that touch controlled data through connected products or service platforms. (csrc.nist.gov)

### How does this connect to the Pentagon’s CMMC rollout?

The Defense Department says CMMC Level 3 is built on top of Level 2 and requires contractors to implement 24 identified requirements from NIST SP 800-172. DoD says Level 3 companies must undergo an assessment every three years by the Defense Industrial Base Cybersecurity Assessment Center and provide an annual affirmation of compliance. DoD also says phased implementation of CMMC requirements began on Nov. 10, 2025, with Phase 1 focused primarily on Level 1 and Level 2 self-assessments through Nov. 9, 2026. (nist.gov) That means many contractors may not face Level 3 contract requirements immediately, but the federal framework that underpins them is already being updated. (dodcio.defense.gov)

### Does Revision 3 automatically change every contractor’s obligations now?

NIST’s SP 800-172 is a recommended federal publication, not a contract clause by itself. Contractors’ binding obligations typically come through procurement rules, agency requirements and Defense Department clauses such as those used in CMMC and DFARS contracting. The practical effect is that contractors will need to watch how agencies and prime contractors incorporate the revised publication into solicitations, assessments and supplier flow-downs. (dodcio.defense.gov)

DoD’s public CMMC materials currently describe Level 3 around 24 requirements from SP 800-172, while other implementation materials still reference earlier NIST revisions, indicating a transition period in federal guidance. (acq.osd.mil)

### What should vendors expect next in procurement?

The immediate next step is not a single governmentwide deadline but a series of procurement and assessment updates. NIST has already published the final SP 800-172 Revision 3 text and the assessment procedures in SP 800-172A Revision 3, giving agencies and contractors the source documents they will use in reviews. (dodcio.defense.gov)

DoD’s CMMC implementation page says Phase 1 runs through Nov. 9, 2026, and contractors can monitor that site for updated assessment guides and implementation documents. For vendors selling into defense, research and other government-linked environments, the next concrete signals will come in contract language, supplier questionnaires and assessment requests tied to CUI handling. (dodcio.defense.gov) (nist.gov)
