NIST 800-171 Rev 3: What Changed and What It Means for CMMC (2026)
If you’re a defense contractor trying to figure out what NIST SP 800-171 Revision 3 means for your CMMC compliance, here’s the short version: it matters, but not yet.
NIST published the final version of SP 800-171 Rev 3 on May 14, 2024. It replaced the Rev 2 framework that defense contractors have been working against since 2020. But the DoD hasn’t adopted Rev 3 for CMMC assessments, SPRS scoring, or DFARS 7012 compliance yet. You’re still being assessed against Rev 2.
That said, Rev 3 is coming. The DoD released its Organization-Defined Parameters for Rev 3 in April 2025 — a clear signal that the transition is being actively prepared. Understanding what changed now gives you a head start, and some of the changes are significant enough that you’ll want the extra lead time.
What Is NIST 800-171?
For anyone catching up: NIST SP 800-171 is the federal standard that defines how nonfederal organizations must protect Controlled Unclassified Information (CUI). If you’re a defense contractor handling CUI — which is most contractors pursuing CMMC Level 2 — this is the baseline your entire security posture is built on.
CMMC Level 2 maps directly to NIST 800-171. When NIST updates 800-171, CMMC eventually follows.
Rev 3 at a Glance
Before getting into specifics, here’s the quick comparison.
| | Rev 2 | Rev 3 |
|---|---|---|
| Total security requirements | 110 | 97 |
| Control families | 14 | 17 |
| Assessment objectives (determination statements) | 320 | 422 |
| Organization-Defined Parameters (ODPs) | None | 88 |
| Total verification items | 320 | 510 |
| Source alignment | FIPS 200 + NIST 800-53 | NIST 800-53 Rev 5 only |
| Basic vs Derived distinction | Yes | Eliminated |
| NFO (assumed) controls | Yes | Eliminated |
The headline number — 110 controls down to 97 — is misleading. Those 97 requirements map to 156 distinct security controls from NIST 800-53 Rev 5’s moderate baseline. The controls didn’t shrink. They got consolidated and, in many cases, expanded.
Key Changes from Rev 2 to Rev 3
Three New Control Families
Rev 3 adds three control families that didn’t exist in Rev 2:
| Family | Controls | What It Covers |
|---|---|---|
| Planning (PL) | 3.15.1, 3.15.3 | Documented security policies and rules of behavior |
| System and Services Acquisition (SA) | 3.16.2, 3.16.3 | Unsupported system components and external service providers |
| Supply Chain Risk Management (SR) | 3.17.1, 3.17.2, 3.17.3 | Supply chain risk plans, acquisition strategies, and weakness identification |
The Planning and System Acquisition families formalize things most compliant organizations were already doing informally. Supply Chain Risk Management is the genuinely new requirement. If you haven’t been thinking about your supply chain security posture — vetting vendors, managing third-party risk, documenting acquisition strategies — you’ll need to start.
33 Controls Withdrawn (But Not Really Gone)
NIST withdrew 33 controls from Rev 2. Before you celebrate, understand what “withdrawn” actually means here: almost all of these controls were merged into other, broader requirements. NIST calls it consolidation. The obligations didn’t disappear — they got redistributed.
For example, several access control requirements that were separate items in Rev 2 are now rolled into a single, more comprehensive Account Management requirement (03.01.01) in Rev 3.
The practical effect is fewer line items but more substance per line item.
19 Brand New Controls
Rev 3 introduces 19 security requirements that have no direct equivalent in Rev 2. These pull from NIST 800-53 Rev 5’s moderate baseline and cover areas that Rev 2 didn’t explicitly address, including supply chain risk management, system component inventory, and security engineering principles.
The “Basic” vs “Derived” Distinction Is Gone
Rev 2 split requirements into “basic” (from FIPS 200) and “derived” (from 800-53). Rev 3 eliminates this split entirely. Every requirement now traces directly to NIST SP 800-53 Rev 5 as the single authoritative source.
This is mostly a structural cleanup, but it matters for documentation. If your System Security Plan references “basic” and “derived” requirements, it’ll need updating when Rev 3 takes effect.
NFO Controls Are Now Explicit Requirements
Rev 2 included a category of controls tagged as “NFO” — requirements that NIST assumed nonfederal organizations routinely satisfied without needing to specify them. Things like having documented security policies and procedures.
Rev 3 removes the NFO assumption entirely. Policies and procedures are no longer something NIST assumes you have. They’re explicit, assessable requirements with their own determination statements.
If you’ve been treating policy documentation as a checkbox exercise, this change forces you to take it seriously. Assessors will be evaluating whether your policies are documented, implemented, and maintained — not just whether they exist on paper.
Organization-Defined Parameters (ODPs)
This is the biggest structural change in Rev 3, and it’s the one most contractors haven’t internalized yet.
Rev 3 introduces 88 Organization-Defined Parameters — variables embedded in control requirements that organizations must define with specific values. Instead of saying “review audit logs periodically,” Rev 3 says “review audit logs [organization-defined frequency].”
You fill in the bracket. Your assessor evaluates whether you’re meeting your own defined parameter.
Examples of ODPs you’ll need to define:
- How often you review audit logs
- How quickly you must respond to detected threats
- Maximum time allowed to apply security patches
- Password complexity and rotation requirements
- Account inactivity thresholds
In April 2025, the DoD released a memo defining recommended values for all 88 ODPs. These aren’t optional suggestions — when Rev 3 becomes the CMMC standard, these DoD-defined values will likely become the assessment baseline. If you define an ODP value that’s weaker than the DoD’s recommendation, expect your assessor to ask why.
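The following is an added example, not code from the article, NIST, or the DoD, showing how a filled-in ODP becomes something an assessor (or your own internal audit) can test mechanically: the organization's value for each bracketed parameter is the limit, dated evidence is the observation, and anything past the limit is a gap. The ODP labels, the organization's values, the "baseline" values and the evidence records are all constructed placeholders; in particular the baseline is a hypothetical stand-in and does not reproduce the DoD's April 2025 recommended values.

```python
"""Turning organization-defined parameters (ODPs) into checkable tests.

Added example for this article, not code from NIST or the DoD. The ODP
labels, values and evidence records below are constructed placeholders;
they are NOT the DoD's April 2025 recommended values, which this example
does not reproduce.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The organization's own ODP values: the bracketed "[organization-defined
# frequency]" filled in. Labels are illustrative, not official Rev 3 IDs.
ODPS = {
    "audit_log_review_max_interval": timedelta(days=7),
    "patch_max_age": timedelta(days=30),
    "account_inactivity_max": timedelta(days=90),
}

# Hypothetical baseline standing in for an assessor's reference values
# (constructed for this example; not the DoD memo's figures).
HYPOTHETICAL_BASELINE = {
    "audit_log_review_max_interval": timedelta(days=7),
    "patch_max_age": timedelta(days=30),
    "account_inactivity_max": timedelta(days=60),
}


@dataclass(frozen=True)
class Finding:
    odp: str             # which parameter was tested
    subject: str         # host, log source or account the evidence is about
    observed: timedelta  # elapsed time measured from the evidence
    limit: timedelta     # the organization's defined maximum
    met: bool


def evaluate(now: datetime, odp: str, observations: dict[str, datetime]) -> list[Finding]:
    """Test each observation (subject -> timestamp) against one ODP.

    The ODP is met when the elapsed time since the timestamp is within the
    organization's defined maximum; otherwise it is an assessment gap.
    """
    limit = ODPS[odp]
    findings = []
    for subject, stamp in observations.items():
        elapsed = now - stamp
        findings.append(Finding(odp, subject, elapsed, limit, elapsed <= limit))
    return findings


def weaker_than_baseline(org_values: dict, baseline: dict) -> list[str]:
    """Return ODPs where the organization allows a longer interval than the
    baseline does, i.e. values an assessor would ask you to justify."""
    return sorted(k for k, v in org_values.items() if k in baseline and v > baseline[k])


def summarize(findings: list[Finding]) -> dict:
    unmet = [f for f in findings if not f.met]
    return {
        "total": len(findings),
        "unmet": len(unmet),
        "unmet_subjects": sorted(f.subject for f in unmet),
    }


def run_sample() -> dict:
    """Run the three checks over constructed evidence and summarize."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    # Constructed evidence: the most recent documented action per subject.
    last_log_review = {"firewall": now - timedelta(days=3),
                       "domain-controller": now - timedelta(days=12)}
    oldest_unapplied_patch = {"web-01": now - timedelta(days=10),
                              "file-01": now - timedelta(days=45)}
    last_login = {"alice": now - timedelta(days=20),
                  "svc-legacy": now - timedelta(days=120)}

    findings = (evaluate(now, "audit_log_review_max_interval", last_log_review)
                + evaluate(now, "patch_max_age", oldest_unapplied_patch)
                + evaluate(now, "account_inactivity_max", last_login))
    return summarize(findings)


if __name__ == "__main__":
    print(run_sample())
    print("weaker than baseline:", weaker_than_baseline(ODPS, HYPOTHETICAL_BASELINE))
```

Two things the script makes concrete: the assessor is testing you against the number you wrote down, so the evidence (review records, patch dates, last-login data) has to carry timestamps that can be compared to it; and `weaker_than_baseline` is the question you should answer before an assessor does, by comparing each of your values to the reference values and writing down the justification for any that are looser.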
32% More Assessment Objectives
Here’s the number that should get your attention: Rev 3’s assessment guide (SP 800-171A Rev 3) contains 422 determination statements, up from 320 in Rev 2. Combined with the 88 ODPs, that’s 510 verification items an assessor needs to evaluate.
More determination statements means more evidence to collect, more documentation to maintain, and more places to lose points during an assessment. Even if the control count went down, the assessment complexity went up.
How Rev 3 Affects CMMC Compliance
Right Now: Nothing Changes
CMMC Level 2 assessments — both self-assessments and C3PAO assessments — evaluate against NIST 800-171 Rev 2. The DoD issued Class Deviation 2024-O0013 in May 2024 explicitly stating that contractors must continue using Rev 2 for DFARS 252.204-7012 compliance, even though NIST published Rev 3.
Your SPRS score, your SSP, your POA&Ms, your assessment — all Rev 2.
When the Transition Happens
Before Rev 3 becomes the CMMC standard, the DoD must:
- Update DFARS 252.204-7012 to reference Rev 3 (requires rulemaking)
- Update 32 CFR Part 170 (the CMMC Program Rule) to align assessment requirements
- Publish updated CMMC assessment guides based on Rev 3
- Provide a transition period for contractors to adapt
Based on where the rulemaking stands, the most realistic timeline puts Rev 3 adoption for CMMC somewhere in late 2026 to mid-2027. The DoD’s release of ODPs in April 2025 is the strongest signal yet that they’re actively working on this transition.
What About Contractors Already Certified?
If you get CMMC Level 2 certified under Rev 2, your certification is valid for three years. You won’t be forced to recertify against Rev 3 until your certification expires, at which point the assessment standard in effect at the time of your recertification applies.
Timeline: When Do You Need to Comply?
| Date | What Happens |
|---|---|
| May 2024 | NIST publishes SP 800-171 Rev 3 (final) |
| May 2024 | DoD issues Class Deviation keeping Rev 2 in force |
| April 2025 | DoD releases ODPs for Rev 3 (88 defined parameters) |
| October 2026 | All new DoD contracts require CMMC certification (against Rev 2) |
| Late 2026 – Mid 2027 | Estimated earliest date for Rev 3 CMMC adoption (requires rulemaking) |
| After adoption | Transition period before Rev 3 assessments begin |
The bottom line: if you haven’t achieved CMMC Level 2 yet, focus on Rev 2. That’s what you’ll be assessed against for the foreseeable future. Start familiarizing yourself with Rev 3 changes in parallel, but don’t let Rev 3 planning distract you from getting Rev 2 done.
What to Do Now
If You Haven’t Started CMMC Compliance
Focus entirely on NIST 800-171 Rev 2 and the CMMC compliance checklist. Rev 3 is not your problem yet. Getting distracted by Rev 3 while you haven’t implemented Rev 2 is a common mistake — one that delays your compliance timeline without making the eventual Rev 3 transition any easier.
If You’re Currently Working Toward CMMC Level 2
Keep working against Rev 2. Use the CMMC assessment guide to understand what assessors look for. When you build your SSP and supporting documentation, be thorough — the documentation discipline Rev 2 requires will directly transfer to Rev 3.
One smart move: start implementing supply chain risk management practices now, even though Rev 2 doesn’t explicitly require them. This is entirely new in Rev 3, and it takes time to build out vendor assessment processes, acquisition strategies, and supply chain risk documentation.
If You’re Already CMMC Certified or Close
Read the DoD’s ODP definitions. Map them against your current controls. Identify gaps between what you’re doing today and what Rev 3 will require. Key areas to watch:
- Policy documentation — Rev 3 makes policies explicit requirements, not assumptions. Audit your policy library.
- Supply chain risk management — Build your SCRM plan, vendor assessment criteria, and procurement security requirements.
- Assessment evidence — With 422 determination statements (up from 320), you’ll need more granular evidence. Start building collection processes now.
- ODP definitions — Review the DoD’s 88 ODP values and evaluate whether your current practices meet them.
Rev 2 vs Rev 3 Comparison by Control Family
| Control Family | Rev 2 Controls | Rev 3 Controls | Change |
|---|---|---|---|
| Access Control (AC) | 22 | 20 | -2 (consolidated) |
| Awareness and Training (AT) | 3 | 3 | No change |
| Audit and Accountability (AU) | 9 | 9 | Revised language |
| Configuration Management (CM) | 9 | 8 | -1 (consolidated) |
| Identification and Authentication (IA) | 11 | 10 | -1 (consolidated) |
| Incident Response (IR) | 3 | 5 | +2 (expanded) |
| Maintenance (MA) | 6 | 4 | -2 (consolidated) |
| Media Protection (MP) | 9 | 5 | -4 (consolidated) |
| Personnel Security (PS) | 2 | 3 | +1 |
| Physical Protection (PE) | 6 | 6 | No change |
| Risk Assessment (RA) | 3 | 3 | Revised language |
| Security Assessment (CA) | 4 | 4 | Revised language |
| System and Communications Protection (SC) | 16 | 9 | -7 (major consolidation) |
| System and Information Integrity (SI) | 7 | 5 | -2 (consolidated) |
| Planning (PL) | — | 2 | New family |
| System and Services Acquisition (SA) | — | 2 | New family |
| Supply Chain Risk Management (SR) | — | 3 | New family |
| Total | 110 | 97 | -13 net |
Note: “consolidated” means the obligations still exist — they’re folded into broader requirements within the same or related families. Don’t read a reduction as a removal.
FAQ
What is NIST 800-171?
NIST SP 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) in nonfederal systems. It’s the security baseline that CMMC Level 2 is built on. If you’re a defense contractor handling CUI, this is the framework that defines what your cybersecurity posture must look like. See our CMMC compliance checklist for how it maps to practical implementation.
Do I need to comply with NIST 800-171 Rev 3 right now?
No. The DoD issued a class deviation in May 2024 that keeps Rev 2 as the compliance standard for DFARS 7012 and CMMC assessments. Until the DoD completes rulemaking to adopt Rev 3 — expected late 2026 to mid-2027 — you assess, score, and certify against Rev 2.
How is NIST 800-171 Rev 3 different from Rev 2?
Rev 3 reduces the total requirement count from 110 to 97 but increases assessment complexity by 32% (422 determination statements vs 320). It adds three new control families (Planning, System and Services Acquisition, Supply Chain Risk Management), introduces 88 Organization-Defined Parameters, eliminates the basic/derived distinction, and makes policy documentation an explicit requirement instead of an assumption.
What are Organization-Defined Parameters (ODPs)?
ODPs are variables within Rev 3 controls that organizations must fill in with specific values — things like how often you review audit logs, how quickly you patch vulnerabilities, and what your password requirements are. The DoD published recommended values for all 88 ODPs in April 2025. These values will likely become the assessment baseline when Rev 3 takes effect for CMMC.
Will my Rev 2 CMMC certification still be valid when Rev 3 is adopted?
Yes. CMMC certifications are valid for three years from the date of assessment. If you certify under Rev 2, you remain certified until your three-year renewal, at which point you’d assess against whatever revision is current.
Should I start implementing Rev 3 controls now?
Focus on Rev 2 for your CMMC assessment. But if you want to get ahead, the highest-value preparation is building supply chain risk management practices (entirely new in Rev 3) and reviewing the DoD’s ODP definitions to identify gaps in your current controls. Don’t let Rev 3 planning delay your Rev 2 compliance — understand the real costs involved and get your current certification done first.
The Rev 2 to Rev 3 transition is coming, but it’s not the fire drill some vendors are making it out to be. Get your Rev 2 compliance done. Get your CMMC certification. Then use the transition period to close Rev 3 gaps methodically. If you need help understanding where you stand with either revision, or building the documentation and controls that satisfy both, that’s what we do. We help defense contractors work through the full compliance process without wasting time or money on things that don’t matter yet.