NIST Publishes Assessment Procedures for Enhanced Security Controls Used to Protect CUI
Client Alert | 1 min read | 03.18.22
The National Institute of Standards and Technology (NIST) recently published final assessment procedures for the enhanced security controls used to protect particularly sensitive forms of controlled unclassified information (CUI) from sophisticated adversaries. NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, articulates procedures and methods to assess contractor implementation of the 35 enhanced security controls found in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication can be used to conduct first, second, and third-party assessments with varying degrees of rigor based on the assessor’s desired level of assurance.
The enhanced controls and corresponding assessment procedures are expected to impact contractors handling CUI associated with critical programs and high-value assets. The Department of Defense (DoD) also plans to incorporate the requirements from NIST SP 800-172 into Level 3 of the Cybersecurity Maturity Model Certification (CMMC). The assessment procedures and methods in NIST SP 800-172A are expected to inform the government-led assessments needed for DoD contractors to achieve certification at CMMC Level 3.


