Understanding What Rev. 3 Means: A Quick Guide for Busy Contractors

June 03, 2026

For those of us in the DIB, NIST SP 800-171 Revision 3 has been hanging over us for a while now. We all know it’s coming, but no one knows exactly when.  

Released in 2024, Rev. 3 is the biggest update to the framework in years. It restructures control families, introduces new concepts like organization-defined parameters (ODPs), and adds more specificity around how organizations protect CUI (Controlled Unclassified Information). 

But… CMMC Level 2 assessments are still based on NIST SP 800-171 Rev. 2, and there’s no sign of when that will change. 

That leaves us stuck in the middle. We can’t ignore Rev. 3, because it’s clearly the future direction of CMMC and federal cybersecurity requirements. But we also can’t afford to lose focus on the Rev. 2 requirements that currently govern CMMC compliance. The result is a whole lot of companies with no clear plan for the eventual transition to Rev. 3. 

This post offers some first steps to understand what’s actually changing with Rev. 3 and what you should realistically be doing today to prepare. 

First of all, what does this have to do with CMMC? 

Quite a bit. 

For Level 2 contractors, CMMC is built directly on NIST SP 800-171. The 110 controls that organizations currently implement for CMMC compliance are the controls from NIST SP 800-171 Revision 2; C3PAOs are assessing organizations directly against 800-171. 

The bigger picture is that both NIST and the Department of Defense are working toward the same goal: strengthening how organizations protect Controlled Unclassified Information (CUI). As cyber threats continue to evolve, the government is always looking for more consistent, more measurable, and more effective security practices to safeguard CUI. Rev. 3 is the current answer. 

Okay, so what’s actually changing? 

Rev. 3 streamlines some requirements from Rev. 2, but it also introduces greater specificity in areas that have historically been difficult to assess or implement consistently. It was designed to make expectations clearer and improve the overall security of organizations handling CUI. 

It also represents more than just a typical framework update. Historically, cybersecurity frameworks have focused heavily on whether organizations have the right controls in place. Rev. 3 shifts the conversation toward whether organizations can maintain secure operations over time as systems, technologies, threats, and business environments evolve. 

In other words, the government is no longer gauging cybersecurity maturity just by the controls you have implemented. It’s judging your organization’s ability to sustain those controls, adapt to change, manage risk continuously, and demonstrate that security is embedded in your day-to-day operations. 

  • ODPs: Rev. 3 introduces 88 Organization-Defined Parameters (ODPs), which require organizations to define certain values, thresholds, frequencies, and timeframes themselves – but only if the federal agency mandating compliance hasn’t defined the values themselves. In the case of CMMC compliance, the DoD is the relevant federal agency, and it has already chosen many ODPs. For the ones that remain, contractors will have to document, justify, and consistently implement their own decisions. 
  • NFOs: One of the most significant changes in Rev. 3 is including Non-Federal Organization (NFO) controls in the updated standard instead of the tailoring criteria appendix. Rev. 2 included 61 basic security requirements that NIST largely assumed organizations would already have in place, but Rev. 3 makes some of those NFO controls explicit by bringing them into the standard itself.  
  • New and Restructured Control Families: With Rev. 3, NIST 800-171 has been reorganized and expanded to include three new control families: Planning (PL), Systems and Services Acquisition (SA), and Supply Chain Risk Management (SR). These additions reflect a broader view of cybersecurity as more than just technical controls, extending to include governance, procurement decisions, and third-party risk management. 
  • Fewer Controls, More Precision: The total number of security requirements has dropped from 110 in Rev. 2 to 97 in Rev. 3, but that doesn’t mean compliance has become easier. Many requirements have been consolidated or streamlined, while definitions and supporting guidance have become more specific to reduce ambiguity and improve consistency. 
  • Closer Alignment with NIST SP 800-53 Rev. 5: Rev. 3 aligns much more closely with NIST SP 800-53 Rev. 5, the federal government’s broader security control catalog. NIST also introduced a new CUI Overlay that helps organizations tailor the SP 800-53 moderate control baseline to protect CUI. 
  • Increased Focus on Vendors: Several areas receive substantially more attention in Rev. 3, particularly supply chain security, configuration management, and incident response. The update reflects the reality that modern cyberattacks often exploit vendors, third-party services, and misconfigured systems, and it calls for continuous oversight and strong operational discipline in response. 
  • Application Allow-Listing: One major but easily missed update is the new requirement for allow-listing in Control 3.04.08: Authorized Software. It mandates that organizations handling CUI implement a deny-all, allow-by-exception policy for all authorized software programs, a significant change from Rev. 2’s blocklisting policy. 
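To make the difference in the last bullet concrete, here is an added example (not code from the original post or from NIST) that evaluates the same set of sample executables under a Rev. 2-style deny-by-exception blocklist and a Rev. 3-style deny-all, allow-by-exception allow-list. Both policies key on the SHA-256 of the file contents rather than the file name, so a renamed copy of an approved binary is still judged by what it is. The sample binaries and the contents of both lists are constructed for illustration.

```python
"""Deny-all, allow-by-exception software policy check (added example).

Contrasts a blocklist (run unless explicitly denied) with an allow-list
(run only if explicitly approved). The sample "executables" and both policy
lists below are constructed for this example, not taken from any real system.
"""
import hashlib

# Constructed sample executables: file name -> file contents
SAMPLE_BINARIES = {
    "approved_tool.exe": b"approved tool build 1.0",
    "legacy_malware.exe": b"known bad payload",
    "unknown_installer.exe": b"never seen before",
    # Same contents as approved_tool.exe under a different name
    "approved_tool_renamed.exe": b"approved tool build 1.0",
}


def sha256_hex(data: bytes) -> str:
    """Identify a binary by the hash of its contents, not its path or name."""
    return hashlib.sha256(data).hexdigest()


# Policy lists keyed by content hash (constructed for this example)
ALLOW_LIST = {sha256_hex(b"approved tool build 1.0")}
BLOCK_LIST = {sha256_hex(b"known bad payload")}


def blocklist_decision(content: bytes) -> bool:
    """Deny-by-exception: anything not explicitly blocked is permitted to run."""
    return sha256_hex(content) not in BLOCK_LIST


def allowlist_decision(content: bytes) -> bool:
    """Deny-all, allow-by-exception: only explicitly approved content may run."""
    return sha256_hex(content) in ALLOW_LIST


def evaluate(binaries=SAMPLE_BINARIES) -> dict:
    """Return {name: (blocklist_permits, allowlist_permits)} for each binary."""
    return {
        name: (blocklist_decision(data), allowlist_decision(data))
        for name, data in binaries.items()
    }


def unknown_software_gap(binaries=SAMPLE_BINARIES) -> list:
    """Names a blocklist would let run but an allow-list denies: the unvetted
    software population that the deny-all requirement is meant to close."""
    return sorted(
        name
        for name, (block_ok, allow_ok) in evaluate(binaries).items()
        if block_ok and not allow_ok
    )


if __name__ == "__main__":
    for name, (block_ok, allow_ok) in evaluate().items():
        print(f"{name:26} blocklist={'run' if block_ok else 'deny':4} "
              f"allowlist={'run' if allow_ok else 'deny'}")
    print("permitted by blocklist but not vetted:", unknown_software_gap())
```

The point the output makes is that the blocklist and allow-list agree on software you have already classified and disagree only on the unknown installer: a blocklist runs it by default, an allow-list does not, and that default is the operational change the new requirement introduces.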

Well? We’re waiting 

At the end of the day, everyone wants to know the same thing: When will we actually have to comply with Rev. 3? 

The honest answer is that nobody knows for sure. As of today, CMMC Level 2 assessments are still based on NIST SP 800-171 Rev. 2, and there has been no formal announcement establishing a transition date to Rev. 3. Based on how federal cybersecurity requirements have historically evolved, a transition before the end of 2026 looks unlikely. A shift sometime in the next 12–18 months, however, is entirely possible. 

The good news is that we’ll have some advance warning, since framework changes like this one will involve a public review process, more supplementary materials, implementation examples, and a transition period that gives industry time to adapt. 

If you’re looking for early warning signs, pay close attention to updates from NIST, the CMMC Program Management Office (PMO), and the DoD. Draft assessment guidance, proposed rule changes, and increasing references to Rev. 3 in official CMMC materials will signal that the change is getting closer. 

So what do I do now? 

If you’re still in the fact-finding phase, here are some resources to explore: 

  • To understand what you need to update in your control environment to meet Rev. 3 requirements, download the Change Analysis/Transition Mapping Tables from NIST’s list of supplemental materials. 
  • Plus, if you’re a policy fiend like us, you can download the whole Rev. 3 publication. 

If you’re done reading and you want to roll up your sleeves and dive in, here’s what we’d recommend next: 

  • Continue complying with NIST 800-171 Rev. 2 and maintain your current CMMC certification. (Not CMMC certified? We’ve got you.) 
  • Look closely at the new Rev. 3 control families and understand what net-new requirements they introduce. (Spoiler: It’s a lot of new governance functionality.) 
  • Run a detailed gap analysis exercise to understand the specific actions you’ll need to take to fully adopt Rev. 3. 

Finally, if you’re swamped and don’t know where to start, reach out to us here. We’re here to help you make sense of where you are today, what’s changing with Rev. 3, and how to move forward without losing focus on current CMMC requirements. 
