NIST published Revision 3 of SP 800-171 in May 2024. It consolidates requirements, adds new control families, and introduces organizationally defined parameters. Contractors hear about it and reasonably ask: should we be implementing Rev 3?
The answer today is no. CMMC Level 2 assessments reference Revision 2. The DoD issued Class Deviation 2024-O0013 mandating that contractors continue using Rev 2 for all DFARS 252.204-7012 compliance. Shifting prematurely to Rev 3 can leave gaps against the controls assessors actually evaluate.
But Rev 3 is the future direction. Understanding what changed and why helps you prepare without jumping the gun.
The Current State
Rev 2 is the contractual requirement. All CMMC Level 2 assessments, whether self-assessment or C3PAO certification, evaluate the 110 security requirements and 320 assessment objectives from NIST SP 800-171 Rev 2 and its companion document SP 800-171A Rev 2.
Rev 3 is published but not yet adopted for CMMC. The DoD must go through a formal rulemaking process to update the CMMC program reference from Rev 2 to Rev 3. That process has not started. Industry consensus suggests the transition is 2 to 3 years away, though no official timeline has been published.
The right posture: Maintain full Rev 2 compliance. Begin mapping Rev 3 changes so you understand what’s new, what was consolidated, and what shifted. Do not reorganize your compliance program around Rev 3 until the DoD formally requires it.
What Changed in Rev 3
Requirements Consolidated from 110 to 97
Rev 3 reduced the requirement count from 110 to 97. This sounds like fewer things to do. It’s not. NIST merged, restructured, and in some cases expanded existing requirements. Several Rev 2 requirements were combined into single, broader Rev 3 requirements. The underlying security expectations didn’t shrink.
Three New Control Families Added
Rev 2 has 14 control families. Rev 3 adds three:
- Planning (PL): Addresses security planning, rules of behavior, and system security plan content
- System and Services Acquisition (SA): Covers security engineering, supply chain risk, and acquisition-related controls
- Supply Chain Risk Management (SR): Focuses on supply chain protections, component authenticity, and acquisition security
These families didn’t appear from nowhere. Many of the underlying concepts existed in other Rev 2 families or were implicit expectations. Rev 3 makes them explicit and gives them dedicated structure.
Organizationally Defined Parameters (ODPs) Introduced
Rev 3 introduces 88 organizationally defined parameters. ODPs allow organizations to tailor certain control values to their specific environment rather than using fixed, universal requirements.
For example, instead of a fixed password length requirement, an ODP lets the organization define the minimum password length appropriate to its risk environment. The organization selects the value. The assessor evaluates whether the selected value is reasonable and whether the implementation matches it.
The DoD has defined ODP values for CMMC Level 3 requirements in the 32 CFR Part 170 rule. When Rev 3 is adopted for Level 2, the DoD is expected to similarly define approved ODP values, which will constrain the tailoring flexibility for CMMC purposes. Contractors won’t have unlimited freedom to set ODPs. They’ll need to use the DoD-defined values.
Assessment Objectives Increased from 320 to 422
Despite having fewer requirements, Rev 3 has more assessment objectives. Rev 2 has 320 objectives across 110 requirements. Rev 3 has 422 objectives across 97 requirements. That’s a 32% increase in the granularity of what assessors evaluate.
This is the number that matters most for assessment preparation. More objectives mean more evidence, more documentation, and more points of evaluation. The requirement count went down. The assessment workload went up.
Closer Alignment with NIST 800-53
Rev 3 aligns more tightly with NIST SP 800-53, the comprehensive security control catalog used by federal agencies. This makes mapping between the nonfederal (800-171) and federal (800-53) frameworks more consistent. For contractors who also operate in FedRAMP or other 800-53-aligned environments, the alignment reduces translation effort. For contractors who only work with 800-171, the practical impact is moderate.
What Didn’t Change
The purpose. Both revisions protect CUI in nonfederal systems. The mission is the same.
The foundational controls. Access control, audit logging, encryption, MFA, incident response, configuration management, and the other core security practices remain. If you’ve implemented Rev 2 properly, the bulk of your security program carries forward.
The assessment methodology. Assessors still examine, interview, and test. The structure of how compliance is evaluated didn’t change between revisions.
Key Differences at a Glance
| Dimension | Rev 2 | Rev 3 |
|---|---|---|
| Requirements | 110 | 97 |
| Control families | 14 | 17 (3 new) |
| Assessment objectives | 320 | 422 |
| ODPs | None | 88 |
| Supply chain controls | Implicit | Explicit (new SR family) |
| 800-53 alignment | Moderate | Tight |
| CMMC adoption | Current (active) | Future (not yet adopted) |
What This Means for Your Compliance Program
Don’t reorganize around Rev 3 yet. Your CMMC assessment evaluates Rev 2. Your SSP should describe Rev 2 controls. Your evidence should map to Rev 2 assessment objectives. Shifting to Rev 3 structure before the DoD requires it creates confusion during assessment and risks gaps against the active standard.
Do understand the differences. When the transition happens, you’ll need to map your existing Rev 2 compliance to Rev 3’s new structure. Knowing which requirements merged, which split, and which are net-new helps you plan the transition without starting from scratch.
Watch the ODP values. The DoD’s published ODP memo will define the specific parameter values that contractors must use. Review those values now so you understand where your current implementation aligns and where it may need adjustment when Rev 3 takes effect.
Prepare for more assessment objectives. The jump from 320 to 422 assessment objectives means your evidence portfolio will need to expand. Start thinking about how you’d produce evidence for the additional objectives. If your current evidence collection is manual and painful at 320 objectives, it will be worse at 422.
New control families require new documentation. Planning, System and Services Acquisition, and Supply Chain Risk Management will need policies, procedures, and evidence when Rev 3 is adopted. You don’t need to write these policies now, but you should be aware they’re coming.
The Transition Timeline
The DoD has not published an official timeline for adopting Rev 3 for CMMC. The transition requires rulemaking, which includes public comment periods and implementation timelines. Based on historical rulemaking pace and the current enforcement focus on Rev 2, most practitioners estimate 2 to 3 years before Rev 3 becomes the active CMMC standard.
When the transition does happen, there will likely be an overlap period where both revisions are referenced in different contracts. Contractors with long-duration contracts may need to maintain documentation for both revisions during the transition.
For a deeper look at how NIST 800-171 and CMMC relate, read our guide: CMMC vs NIST 800-171: Key Differences Defense Contractors Must Understand.
What to Do Now
1. Stay Rev 2 compliant. This is the standard that determines your CMMC certification status today. Don’t deprioritize it.
2. Map the delta. Without a clear mapping between your current 110 controls and Rev 3’s restructured requirements, the transition will feel like starting over. Understand which controls carry forward, identify the net-new requirements from the three added families, and flag the ODPs that will apply to your environment.
3. Build a system that adapts. If your evidence collection is already manual at 320 objectives, scaling to 422 under Rev 3 will break your process entirely. A compliance program built on static documents means the Rev 2 to Rev 3 transition requires rewriting everything. One built on a system that manages controls, evidence, and documentation dynamically turns that transition into a remapping exercise rather than a rebuild.
Deep Fathom is designed for this kind of evolution. When the CMMC program adopts Rev 3, the platform remaps your existing controls and evidence to the new structure. What you’ve already built carries forward. The transition becomes an update, not a restart.