Enhanced Security Requirements for Protecting Controlled Unclassified Information (ESR-CUI) is a set of cybersecurity requirements that apply to certain organizations that handle controlled unclassified information (CUI). The ESR-CUI requirements are more stringent than the standard CUI requirements and are intended to provide an additional layer of protection for CUI that is considered especially sensitive.
The ESR-CUI requirements are specified in NIST Special Publication (SP) 800-171B, "Enhanced Security Requirements for Protecting Controlled Unclassified Information." This publication provides guidance on how to implement the ESR-CUI requirements, which cover a wide range of areas including access control, incident response, system and communication protection, and media protection.
Organizations that handle CUI may be required to comply with the ESR-CUI requirements as a condition of doing business with the federal government. These organizations are required to demonstrate compliance with the ESR-CUI requirements through an assessment by a third-party assessment organization (C3PAO). Non-compliance with the ESR-CUI requirements may result in the loss of the organization's ability to do business with the federal government.