
NIST SP 800-172 Revision 3 Final: What CMMC Level 3 and DoD Contractors Need to Know

Posted: May 20, 2026 to Cybersecurity.

In May 2026, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-172, Revision 3, the final version of the Enhanced Security Requirements for Protecting Controlled Unclassified Information. It supersedes the February 2021 edition and is now the authoritative baseline for protecting CUI associated with critical programs and high value assets in nonfederal systems.

For Department of Defense primes and subcontractors - and for any organization aiming at CMMC Level 3 - Revision 3 matters in three concrete ways. It tightens the wording of the enhanced requirements so assessors can apply them more consistently. It expands the security objective from confidentiality alone to the full confidentiality, integrity, and availability triad. And it introduces organization-defined parameters, which give federal agencies a structured way to customize each requirement to mission risk rather than treat one number as a universal answer.

What NIST SP 800-172 Revision 3 Is - and What It Isn't

SP 800-172 is the enhanced half of the CUI protection picture. The foundational half is NIST SP 800-171, which carries the security requirements every nonfederal organization handling CUI is expected to satisfy as a starting point. SP 800-172 sits on top of that floor for the smaller subset of systems that process, store, or transmit CUI tied to a critical program or a high value asset (HVA) - the kind of information the advanced persistent threat (APT) is most likely to target.

NIST is explicit about scope in the publication itself: "There is no expectation that all of the enhanced security requirements will be selected by federal agencies." Selection is driven by the contracting agency's mission and ongoing risk assessment, and the requirements are passed down to the nonfederal organization through a contract, grant, or other agreement. In other words, 800-172 is a curated menu the customer chooses from - not a blanket checklist every defense contractor must implement in full.

Three things to internalize before you read the requirements list:

  • 800-172 supplements 800-171; it does not replace it. Foundational 800-171 controls are still in effect. Enhanced requirements are layered on top for high-risk CUI scope.
  • Selection is risk-based. A federal agency chooses which enhanced requirements apply per contract. You do not implement all of them by default.
  • The APT is the modeled threat. Enhanced requirements are designed to defeat adversaries who pursue objectives over extended periods, adapt to defenses, and use multiple attack vectors. They are not a generic hardening guide.

What Changed From the 2021 Edition

The official change log in Appendix F of the publication is the cleanest place to see the deltas. Pulling from that change log, the substantive shifts in Revision 3 are:

  • Security objective expanded from confidentiality to the full CIA triad. The 2021 edition focused on confidentiality. Revision 3 adds new enhanced requirements that address integrity and availability, because real APT campaigns now routinely combine data theft with sabotage and disruption.
  • New requirements drawn from real attack data. NIST added enhanced requirements informed by the latest threat intelligence and empirical data from recent cyber-attacks - not just abstract control theory.
  • Outdated and redundant requirements removed. Where the 2021 set had overlap or had been overtaken by changes in 800-53 or 800-171, the requirements were dropped to reduce noise.
  • Requirements now have titles. Every enhanced requirement gets a human-readable title (for example, 03.13.08E Decoys) instead of bare control numbers. Easier to discuss with non-technical stakeholders, easier to map to your control evidence.
  • Wording tightened and grouped. NIST increased the specificity of the requirements to remove ambiguity, improve assessment scoping, and group related requirements where it helped clarity.
  • Discussion sections rewritten for consistency with SP 800-53 language, since that is the control catalog the enhanced requirements are derived from.
  • New Appendix C summarizing all enhanced requirements. A single-table reference makes it easier to brief leadership and design assessment scope.
  • New Appendix E of Organization-Defined Parameters (ODPs). Many enhanced requirements now contain assignment or selection slots a federal agency or the nonfederal organization must fill in (e.g., "audit every organization-defined frequency"). This formalizes risk-based customization rather than guessing.
  • Mapping table appendix removed. The cross-reference from each enhanced requirement to its source SP 800-53 control now lives in the requirement itself instead of an appendix.
  • Revision number bumped to r3 for one-time consistency with SP 800-171r3, so the two now travel as a matched pair.

If you implemented 800-172 in 2022 or 2023 based on the original 2021 publication, the practical upshot is that your control mapping needs a refresh, your evidence library needs to absorb the new integrity and availability requirements, and your contracting language needs to reflect the new ODPs your agency customer is now allowed to specify.

The 17 Enhanced Security Requirement Families

The enhanced requirements are organized into the same 17 families as 800-171, which keeps your control mapping consistent across the foundational and enhanced layers. Pulled from Table 1 of the publication, the families are:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment and Monitoring
  13. System and Communications Protection
  14. System and Information Integrity
  15. Planning
  16. System and Services Acquisition
  17. Supply Chain Risk Management

Each enhanced requirement number ends in the letter E - for example, 03.13.08E in the System and Communications Protection family, titled Decoys, which calls for honeypots, honeynets, or deception nets to detect and divert attackers. NIST is clear that the numbering does not match foundational 800-171: enhanced requirement 03.01.01E is not necessarily an upgrade of foundational 03.01.01. Treat the catalogs as related but independent.

Family-by-Family: How Petronella Maps Vetted Solutions to Each Requirement Family

Reading the catalog is one thing; finding the right tools, processes, and evidence to satisfy each enhanced requirement is where most defense contractors get stuck. Below is how Petronella Technology Group, Inc. maps its own vetted technology stack and professional services to each of the 17 enhanced requirement families. Every solution here is one we operate in-house, deliver to clients, and stand behind with our CMMC Registered Practitioner Organization #1449 credentials.

If you would rather walk through this mapping against your specific contract scope before you commit to anything, contact our CMMC team for a no-cost scoping conversation.

The Three Pillars Behind the Requirements

NIST organizes the enhanced requirements around a three-element multidimensional protection strategy for the APT:

  • Penetration-Resistant Architecture (PRA) - architecture, engineering, and procedures that limit the opportunities an adversary has to compromise a system or to establish a persistent foothold. Zero trust network architectures, software-defined perimeters, micro-segmentation, and information flow control mechanisms are listed as canonical examples in the document. Our Petronella encrypted data and email system and vCISO architecture reviews are how we operationalize this pillar for clients.
  • Damage-Limiting Operations (DLO) - procedural and operational measures that maximize the defender's ability to detect successful compromises and to limit the effects of those compromises, whether they are detected or not. Advanced security operations center analytics, dual authorization for sensitive operations, and isolation of persistent storage to dedicated enclaves all fall in this bucket. Petronella Extended Detection and Response (XDR) and incident response retainer are the day-in, day-out vehicles.
  • Cyber Resiliency (CRS) - the ability to anticipate, withstand, recover from, and adapt to attacks. Deception, comply-to-connect, periodic refresh of systems to a known-good state, and dynamic threat-intelligence-informed defenses are examples NIST calls out explicitly. We blend Petronella XDR, managed IT hardening, and red-team validation to keep this pillar honest.

Every enhanced requirement in Section 3 is tagged with which of these three strategy elements it serves. That tagging is what lets you justify your selection to an auditor with a story instead of a checklist: here is the APT behavior we are trying to defeat, here is the strategy element, here is the enhanced requirement we selected, here is the control evidence.

Organization-Defined Parameters: The Underrated Change

If you only have time to absorb one structural shift, make it this one. Many enhanced requirements in Revision 3 now contain explicit slots - organization-defined parameters (ODPs) - where the contracting federal agency, or in the absence of a stated value the nonfederal organization itself, must supply a specific value before the requirement is complete.

Typical ODP shapes (drawn from Appendix E, Table 4 of the publication) include:

  • Assignment: "organization-defined frequency" for actions like audit log review or vulnerability scanning
  • Assignment: "organization-defined personnel or roles" for who receives alerts or performs reviews
  • Selection: "Block; Strip; Modify; Quarantine" for how to handle blocked information flows
  • Assignment: "organization-defined automated mechanisms" for what tooling implements the safeguard

This matters for two reasons. First, it means an SSP that says "we monitor regularly" no longer satisfies the requirement on its face - the agency or the organization must commit to a frequency, a role, a mechanism, or a selection. Second, it formalizes the negotiation that already happens informally between contractors and their DoD or civilian agency customers: which knobs they set, which knobs they delegate, and which knobs are left to you to defend with risk analysis.

Practically, this means your ComplianceArmor® SSP or equivalent documentation now needs a column tracking the ODP value used for each enhanced requirement, who set it (agency vs. organization), and the dated source of that value.
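Here is what that ODP column looks like when it is checked mechanically rather than by eye. This is an added example written for this article; it is not NIST tooling and not the ComplianceArmor® product. The requirement IDs 03.13.08E and 03.01.01E appear above, but the requirement text and parameter slots attached to them in the sample are constructed to show the ODP shapes from Appendix E, not the publication's wording. The check flags three things an assessor will look for: a slot left unfilled in the SSP text, a value that is not measurable ("regularly"), and a selection or source that cannot be traced.

```python
"""ODP completeness check for an enhanced-requirement register.

Added example for this article; not NIST tooling and not the author's
ComplianceArmor code. The text and ODP slots attached to 03.13.08E and
03.01.01E below are constructed, not the publication's wording.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# An assignment or selection slot that was never filled in.
UNFILLED = re.compile(
    r"\[?organization-defined [a-z ,]+\]?|\[Selection[^\]]*\]", re.IGNORECASE)
# Values that sound like commitments but cannot be assessed.
VAGUE = {"regularly", "periodically", "as needed", "as appropriate", "timely", "tbd"}
# A usable source reference carries a date.
DATED = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


@dataclass
class ODP:
    name: str                       # e.g. "frequency", "personnel or roles"
    kind: str                       # "assignment" or "selection"
    value: Optional[str] = None     # the committed value
    set_by: Optional[str] = None    # "agency" or "organization"
    source: Optional[str] = None    # dated reference for the value
    allowed: tuple = ()             # permitted choices for a selection


@dataclass
class Requirement:
    req_id: str
    title: str
    text: str                       # requirement text as written into the SSP
    odps: list = field(default_factory=list)


def check_requirement(req: Requirement) -> list:
    """Return findings; an empty list means the requirement is assessable as written."""
    findings = []
    if UNFILLED.search(req.text):
        findings.append("requirement text still contains an unfilled parameter slot")
    for odp in req.odps:
        tag = f"ODP '{odp.name}'"
        if not odp.value or not odp.value.strip():
            findings.append(f"{tag}: no value assigned")
            continue
        if odp.value.strip().lower() in VAGUE:
            findings.append(f"{tag}: value '{odp.value}' is not measurable")
        if odp.kind == "selection" and odp.value not in odp.allowed:
            findings.append(f"{tag}: '{odp.value}' is not one of {list(odp.allowed)}")
        if odp.set_by not in ("agency", "organization"):
            findings.append(f"{tag}: who set the value is not recorded")
        if not odp.source or not DATED.search(odp.source):
            findings.append(f"{tag}: source reference is missing or undated")
    return findings


def audit(requirements) -> dict:
    """Map each failing requirement ID to its findings."""
    result = {}
    for req in requirements:
        findings = check_requirement(req)
        if findings:
            result[req.req_id] = findings
    return result


def register_rows(requirements) -> list:
    """Flatten the register into the (requirement, ODP, value, set by, source) rows an SSP needs."""
    return [(r.req_id, o.name, o.value, o.set_by, o.source)
            for r in requirements for o in r.odps]


# Constructed sample register: one resolved requirement, one that would not survive assessment.
SAMPLE = [
    Requirement(
        "03.13.08E", "Decoys",
        "Operate the SOC-managed honeynet in the CUI enclave to detect and divert attackers.",
        odps=[ODP("automated mechanisms", "assignment",
                  value="SOC-managed honeynet in the CUI enclave",
                  set_by="organization",
                  source="SSP v4.1 change record, 2026-06-15")],
    ),
    Requirement(
        "03.01.01E", "(constructed example)",
        "Review audit records at [organization-defined frequency]; handle blocked "
        "information flows by [Selection: Block; Strip; Modify; Quarantine].",
        odps=[ODP("frequency", "assignment", value="regularly",
                  set_by="organization", source="SSP v3"),
              ODP("blocked flow handling", "selection", value="Log",
                  allowed=("Block", "Strip", "Modify", "Quarantine"))],
    ),
]

if __name__ == "__main__":
    for req_id, findings in audit(SAMPLE).items():
        print(req_id)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, 03.13.08E produces no findings while 03.01.01E produces six: the unfilled slots, the unmeasurable frequency, the undated source, a selection value outside the permitted set, and a second ODP with no recorded owner or source. The `register_rows` output is the column set the paragraph above asks for, ready to drop into the SSP.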

How NIST SP 800-172 r3 Connects to CMMC Level 3

The Cybersecurity Maturity Model Certification (CMMC) program built by the Department of Defense uses NIST publications as its underlying control set. At a high level:

  • CMMC Level 1 covers Federal Contract Information (FCI) using the 15 basic safeguarding requirements in FAR 52.204-21.
  • CMMC Level 2 implements the full set of NIST SP 800-171 security requirements for CUI.
  • CMMC Level 3 layers 24 selected enhanced security requirements from NIST SP 800-172 on top of the Level 2 baseline, for the highest-risk CUI contracts; Level 3 certification assessments are performed by DCMA's DIBCAC rather than by a C3PAO.

The CMMC program rule is published in 32 CFR Part 170, and the corresponding DFARS contract clause (DFARS 252.204-7021) is being phased in under DoD's CMMC implementation schedule. Today, 32 CFR Part 170 points CMMC Level 3 at the February 2021 edition of SP 800-172, so DoD will need to publish guidance aligning the Level 3 requirement set with Revision 3 before assessments can be conducted against the new wording. We expect DoD to publish that guidance during the rollout phases, and we are tracking it closely on behalf of clients pursuing Level 3.

The practical takeaway: if your contract today is CMMC L2, nothing immediately changes - keep working your 800-171 implementation. If you are scoping for L3, plan your control library against Revision 3 now, so you do not implement to the older 2021 wording and then have to refactor evidence later.

Where to start, in one line: Book a free CMMC scoping call with our RPO #1449 team, and we will map your contract obligations to the right control layer - Level 1, Level 2, or enhanced Level 3 - before you spend on tools or training.

How the Enhanced Requirements Are Selected, in Practice

NIST is clear that the selection conversation is owned by the federal agency. In a typical DoD or civilian contract for CUI tied to a critical program or HVA, the agency:

  1. Identifies which information being shared is CUI and which categories of CUI it falls under, per the National Archives CUI Registry.
  2. Decides whether the CUI is associated with a critical program or HVA - the trigger for enhanced requirements at all.
  3. Selects the enhanced requirements that address its specific mission risk, informed by its own ongoing risk assessment.
  4. Fills in the ODPs (or, where it leaves a parameter open, requires the contractor to assign it and document the rationale).
  5. Conveys the selection through a contract, grant, or other agreement - including how the requirements flow down to subcontractors.

For nonfederal organizations the implication is that you cannot, on your own, decide whether 800-172 applies to a given contract. You need to read the clause and the SOW carefully, ask the contracting officer for clarification when ODPs are open, and document the dated source of every parameter value you implement against. This is precisely the kind of work a CMMC Registered Practitioner Organization is structured to do - and PTG is RPO #1449, with four CMMC-RPs on staff: Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood.

A Practical 90-Day Plan for Defense Supply Chain SMBs

If you are a small or mid-sized defense contractor with a CUI scope and a CMMC obligation on the horizon, here is the concrete sequence we use with clients to absorb Revision 3 without disrupting day-to-day operations:

Days 1–14: Confirm scope and refresh your control mapping

  • Inventory every contract or subcontract that imposes a CUI handling clause - DFARS 252.204-7012, CMMC L2 or L3 references, or sector equivalents.
  • For each contract, confirm whether the agency has invoked SP 800-172 explicitly, and which enhanced requirements (and ODPs) are in scope.
  • Open your existing 800-172 control mapping (if any) and mark every requirement that was renumbered, retitled, or substantively changed in Revision 3 using the publication's change log as the diff.
  • Decide whether any CUI is associated with a critical program or HVA. If not, you may not need 800-172 at all - and that decision deserves to be documented.

Days 15–45: Close the CIA expansion gap

  • For every newly added integrity and availability enhanced requirement, identify the existing safeguard that covers it or the new safeguard you need to design. Our Petronella Extended Detection and Response (XDR) stack is typically the fastest way to close monitoring and integrity gaps.
  • Update your incident response plan, monitoring playbooks, and backup-and-recovery procedures to reflect the cyber-resiliency posture Revision 3 expects.
  • Update your awareness and training program so that personnel handling critical-program CUI understand the new requirements that apply to their role.

Days 46–75: Lock in ODPs and refresh documentation

  • For every enhanced requirement in scope, document the ODP value, the source (agency-assigned vs. organization-assigned), and the dated reference.
  • Regenerate your System Security Plan (SSP), Plan of Action and Milestones (POA&M), and supporting policies to reflect the new wording and ODP commitments. Our ComplianceArmor® platform produces a fully cross-referenced compliance package keyed to the current publication.
  • Review supply-chain risk management (family 17) clauses with each upstream and downstream partner - Revision 3 strengthens this area considerably.

Days 76–90: Validate and brief leadership

  • Run an internal mock assessment against your refreshed mapping. Look for evidence gaps in the integrity and availability requirements specifically, since those are the newest additions and the most likely to be under-evidenced.
  • Brief executive leadership on what changed, the residual risks, the cost of full coverage versus the agency's stated risk tolerance, and the timeline to an external assessment.
  • Schedule the readiness review with your RPO partner and the external assessment with the right assessing body (a C3PAO for Level 2, DCMA DIBCAC for Level 3), keeping in mind that assessor availability tightens significantly as DoD enforcement waves expand.
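Two steps in the plan above are mechanical enough to script: marking which requirements were added, dropped, retitled, renumbered or reworded between editions (Days 1–14), and then finding the requirements whose evidence is missing or stale (Days 76–90). The following is an added example written for this article, not NIST's change log and not the author's tooling. Every requirement ID (E-01 through E-06), title, requirement text and evidence record is constructed; nothing is quoted from either edition of SP 800-172. The revision date passed to `evidence_gaps` is the date you treat the new wording as effective for your scope.

```python
"""Catalog delta and evidence carry-forward for a revised requirement set.

Added example for this article, not NIST's change log or the author's
tooling. All IDs, titles, requirement text and evidence below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    req_id: str
    title: str
    objectives: frozenset   # subset of {"C", "I", "A"}
    text: str


@dataclass(frozen=True)
class Evidence:
    req_id: str             # requirement the artifact was collected against
    artifact: str
    collected: str          # ISO date, so string comparison orders correctly


def norm(text: str) -> str:
    """Collapse whitespace and case so only substantive wording changes count."""
    return " ".join(text.lower().split())


def diff_catalogs(old, new) -> dict:
    """Classify each new-edition requirement as added, changed or renumbered
    relative to the prior edition, and list prior requirements that were dropped."""
    old_by = {e.req_id: e for e in old}
    old_by_text = {norm(e.text): e.req_id for e in old}
    added, changed, renumbered = [], [], []
    for e in new:
        prior = old_by.get(e.req_id)
        if prior is not None:
            if norm(prior.text) != norm(e.text) or prior.title != e.title:
                changed.append(e.req_id)
        elif norm(e.text) in old_by_text:      # same text under a new number
            renumbered.append((old_by_text[norm(e.text)], e.req_id))
        else:
            added.append(e.req_id)
    moved = {old_id for old_id, _ in renumbered}
    new_ids = {e.req_id for e in new}
    removed = [rid for rid in old_by if rid not in new_ids and rid not in moved]
    return {"added": added, "changed": changed, "renumbered": renumbered, "removed": removed}


def evidence_gaps(new, evidence, delta, revision_date: str):
    """Carry evidence across renumbered IDs, then flag requirements whose evidence is
    missing or predates a wording change; also return evidence with no live requirement."""
    remap = dict(delta["renumbered"])
    by_req = {}
    for ev in evidence:
        by_req.setdefault(remap.get(ev.req_id, ev.req_id), []).append(ev)
    gaps = {}
    for e in new:
        evs = by_req.get(e.req_id, [])
        if not evs:
            note = "no evidence"
            if e.objectives & {"I", "A"}:
                note += " (integrity/availability requirement)"
            gaps[e.req_id] = note
        elif e.req_id in delta["changed"] and all(ev.collected < revision_date for ev in evs):
            gaps[e.req_id] = "wording changed; all evidence predates the revision"
    live = {e.req_id for e in new}
    orphaned = sorted(rid for rid in by_req if rid not in live)
    return gaps, orphaned


# Constructed prior and revised catalogs (hypothetical IDs E-01..E-06).
OLD = [
    Entry("E-01", "Session isolation", frozenset("C"), "Isolate CUI sessions from untrusted networks."),
    Entry("E-02", "Log review", frozenset("C"), "Review security logs for CUI systems."),
    Entry("E-03", "Decoy deployment", frozenset("C"), "Deploy decoys to detect adversary activity."),
    Entry("E-06", "Legacy control", frozenset("C"), "Retain paper copies of access lists."),
]
NEW = [
    Entry("E-01", "Session isolation", frozenset("C"), "Isolate CUI sessions from untrusted networks."),
    Entry("E-02", "Log review", frozenset("C"),
          "Review security logs for CUI systems at an organization-defined frequency."),
    Entry("E-04", "Decoy deployment", frozenset("C"), "Deploy decoys to detect adversary activity."),
    Entry("E-05", "Known-good refresh", frozenset({"I", "A"}),
          "Refresh CUI systems to a known-good state at an organization-defined frequency."),
]
# Constructed evidence register keyed to the prior edition's IDs.
EVIDENCE = [
    Evidence("E-01", "segmentation-review-2025.pdf", "2025-01-10"),
    Evidence("E-02", "log-review-q1-2025.xlsx", "2025-03-01"),
    Evidence("E-03", "honeynet-alerts-2025-02.csv", "2025-02-01"),
    Evidence("E-06", "access-list-binder-photo.jpg", "2024-11-30"),
]

if __name__ == "__main__":
    delta = diff_catalogs(OLD, NEW)
    print(delta)
    print(evidence_gaps(NEW, EVIDENCE, delta, "2026-05-01"))
```

On the constructed data the delta reports E-05 added, E-02 reworded, E-03 renumbered to E-04, and E-06 dropped. The evidence pass then carries the E-03 artifact across to E-04 untouched, flags E-02 because its only evidence predates the reworded requirement, flags E-05 as an integrity/availability requirement with nothing behind it, and surfaces the E-06 artifact as orphaned evidence to retire from the library.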

How Petronella Technology Group Helps You Get Audit-Ready

Petronella Technology Group, Inc. is CMMC Registered Practitioner Organization #1449, with four CMMC Registered Practitioners on staff. We have been protecting CUI scopes for defense supply chain and regulated SMBs since 2002, and we operate the ComplianceArmor® documentation platform that produces NIST-aligned SSPs, POA&Ms, and supporting policy packages mapped to the current SP 800-171r3 and SP 800-172r3 control sets.

Where clients typically engage us on a Revision 3 transition:

You can browse the rest of our defense industrial base offerings on our services page, or meet the full team on the PTG team page.

FAQ

When was NIST SP 800-172 Revision 3 published?

NIST SP 800-172r3 was approved by the NIST Editorial Review Board on April 27, 2026 and published in May 2026. It supersedes the original SP 800-172 dated February 2, 2021. The authoritative source is the NIST CSRC page at csrc.nist.gov/pubs/sp/800/172/r3/final.

Does Revision 3 replace SP 800-171?

No. SP 800-172 is a supplement to SP 800-171, not a replacement. SP 800-171 remains the foundational control set every nonfederal organization handling CUI is expected to implement. SP 800-172 layers on enhanced requirements for the subset of CUI tied to critical programs or high value assets, and only when a federal agency invokes them in a contract.

Do all enhanced requirements apply to every contract?

No. NIST states explicitly in the publication that there is no expectation that all of the enhanced security requirements will be selected by federal agencies. The contracting agency selects the specific enhanced requirements that match its mission risk and conveys them through the contract or agreement.

What is the biggest substantive change from the 2021 edition?

The security objective expanded from confidentiality alone to the full confidentiality, integrity, and availability triad, and new requirements were added based on the latest threat intelligence and empirical attack data. The introduction of organization-defined parameters in Appendix E is the most consequential structural change for documentation and assessment workflow.

How does this affect CMMC Level 3?

CMMC Level 3 references NIST SP 800-172 for its enhanced control set. Today the CMMC program text points to the 2021 publication; DoD will need to update its program guidance to align with Revision 3. Organizations scoping for L3 should plan their control library against Revision 3 now so they do not implement against the older wording and have to refactor evidence later.

What are organization-defined parameters (ODPs)?

ODPs are explicit assignment or selection slots within enhanced requirements that the contracting federal agency, or in some cases the nonfederal organization, must fill in with a specific value. Examples include the frequency of an audit, the personnel or roles who receive alerts, or the mechanism that performs an automated check. Appendix E of the publication lists every ODP in Revision 3.

How long does a Revision 3 readiness review take?

For most small and mid-sized defense contractors with an existing 800-171 implementation, a focused readiness review against Revision 3 takes four to six weeks. Organizations starting from scratch on a CUI program should plan for a 90-day initial readiness cycle followed by remediation. Our team scopes each engagement against the specific contracts in play.

Get Your CMMC Level 3 Roadmap Started

NIST SP 800-172 Revision 3 is the new authoritative baseline for the highest-risk CUI in the defense supply chain. The wording is tighter, the security objective is broader, and the ODP structure means an SSP that hand-waves the details no longer passes a serious read. The contractors who move first will set the ODP defaults and the evidence patterns that the rest of their cohort spends 2027 trying to catch up to.

Petronella Technology Group, Inc. has been guiding defense supply chain SMBs through CUI and CMMC since 2002, and we are CMMC Registered Practitioner Organization #1449 with four CMMC-RPs on staff. We can scope your contract obligations, refresh your SP 800-172 mapping against Revision 3, regenerate your SSP and POA&M through ComplianceArmor®, and run a mock assessment before your external auditor walks in.

Schedule a free 30-minute CMMC scoping call and we will tell you exactly which controls apply to your contract, where your evidence sits today, and how long it will take to be audit-ready against the new Revision 3 baseline.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
