
NIST 800-171 Rev 2 vs Rev 3: What Changed and What It Means for CMMC
Anna Fitzgerald
Senior Content Marketing Manager
The final draft of NIST SP 800-171 Revision 3 was released on May 14, 2024, marking the first major update since Rev 2 was released in 2020. The revision reduced the total control count from 110 to 97, added three new control families, and introduced Organization-Defined Parameters (ODPs).
But here’s the question on defense contractors’ minds: despite this major update, does this change anything for CMMC?
The answer: Not yet. But it will eventually.
NIST 800-171 Rev 2 vs Rev 3: At a glance
| | Rev 2 | Rev 3 |
|---|---|---|
| Published | 2020 | 2024 |
| Total controls | 110 | 97 |
| Control families | 14 | 17 |
| Organization-defined Parameters | None | 88 |
| Determination statements (800-171A) | 320 | 422 |
| CMMC Level 2 required version | ✅ Yes | ❌ Not yet |
| Applicable to | Defense contractors and DIB organizations | Federal contractors for civilian agencies like GSA |
NIST 800-171 Rev 2 vs Rev 3: What Changed in Detail
The revision restructured the entire framework, updating security requirements and families to reflect the latest version of NIST SP 800-53, Revision 5, and the NIST SP 800-53B moderate control baseline in particular.
Key changes between Rev 2 and 3 as summarized from NIST’s official FAQ include:
- Number of control families: Rev 2 has 14 control families. Rev 3 has 17, with Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) introduced and adding nine new controls total.
- Number of controls: Rev 2 has 110 controls in total. Rev 3 has fewer, 97 in total, despite the nine new controls, because many Rev 2 requirements were withdrawn and/or subsumed into others.
- Number of assessment objectives: There are 320 assessment objectives, or determination statements, in 800-171A Rev 2. This number increased to 422 in Rev 3.
- Wording of ~50 security requirements: 46 requirements have different wording in Rev 2 versus Rev 3, with the latest revision reflecting significant changes to remove ambiguity, improve implementation effectiveness, and clarify assessment scope. For instance, the word “periodically” was previously used across five requirements in Rev 2 and was removed in Rev 3 (and replaced with ODPs) to enhance clarity.
- Organization-defined parameters (ODPs): A major reason the language of the requirements in Rev 2 differs from Rev 3 is due to the introduction of ODPs in the latest revision. ODPs are essentially fill-in-the-blanks that are designed to increase flexibility and to help organizations better manage risk.
- Tailoring criteria: Rev 2 designates Non-Federal Organization (NFO) controls. In Rev 3 these were either incorporated into the main body of NIST 800-171 requirements or scoped out as Not Directly Related to Protecting the Confidentiality of CUI (NCO). New tailoring categories called Not Applicable (NA) and Other Related Controls (ORC) were also introduced in this newer revision to address the new control families and redundancy.
- Basic vs derived requirements: Rev 2 makes a distinction between basic and derived security requirements based on FIPS 200. This distinction is removed from Rev 3 since it uses SP 800-53 as its single authoritative source.
Don't be fooled by the lower control count of Rev 3. Many of the remaining 97 controls are broader than their Rev 2 equivalents. That means the security bar isn’t lower; in fact, it has been raised in several areas.
NIST 800-171 Rev 2 vs 3 Control Families
NIST 800-171 Rev 2 consists of 14 control families of recommended security requirements. Rev 3 consists of these 14, plus three new control families that are detailed below.
1. Planning (PL)
Addresses system security plans and rules of behavior. Requirements include:
- Developing and maintaining a system security plan
- Defining rules of behavior for system users
- Keeping plans current as the environment changes
Why it was added: SSPs were implicitly expected in Rev 2 but never formally required as a control. Rev 3 makes this explicit.
2. System and Services Acquisition (SA)
Covers secure development practices and procurement considerations:
- Secure development lifecycle requirements
- Software engineering principles
- Developer security architecture documentation
Why it was added: Recognizes that security must be built into systems during acquisition, not bolted on after deployment.
3. Supply Chain Risk Management (SR)
The most significant addition. Three specific requirements:
- SR 3.17.1: Develop a supply chain risk management plan
- SR 3.17.2: Define acquisition strategies and tools for supply chain risk
- SR 3.17.3: Implement controls and processes to identify supply chain weaknesses
Why it was added: Reflects growing concerns about supply chain attacks (SolarWinds, Log4j) and their impact on the defense industrial base.
NIST 800-171 Rev 2 vs Rev 3 control family mapping
| Control Family | Rev 2 | Rev 3 |
|---|---|---|
| Access Control (AC) | ✅ | ✅ |
| Awareness and Training (AT) | ✅ | ✅ |
| Audit and Accountability (AU) | ✅ | ✅ |
| Security Assessment (CA) | ✅ | ✅ RENAMED Security Assessment and Monitoring (CA) |
| Configuration Management (CM) | ✅ | ✅ |
| Identification and Authentication (IA) | ✅ | ✅ |
| Incident Response (IR) | ✅ | ✅ |
| Maintenance (MA) | ✅ | ✅ |
| Media Protection (MP) | ✅ | ✅ |
| Personnel Security (PS) | ✅ | ✅ |
| Physical Protection (PE) | ✅ | ✅ |
| Risk Assessment (RA) | ✅ | ✅ |
| System and Communications Protection (SC) | ✅ | ✅ |
| System and Information Integrity (SI) | ✅ | ✅ |
| Planning (PL) | ❌ | ✅ NEW |
| System and Services Acquisition (SA) | ❌ | ✅ NEW |
| Supply Chain Risk Management (SR) | ❌ | ✅ NEW |
Organization-Defined Parameters (ODPs) in NIST 800-171 Rev 3
Rev 3 introduces 88 Organization-Defined Parameters (ODPs) across 49 of the 97 requirements that organizations must fill in based on their specific environment and risk profile.

What Are ODPs?
ODPs are effectively "fill in the blank" fields embedded in control requirements. They allow controls to be tailored to meet requirements that may have been overly prescriptive or vague in previous versions.
A concrete example: in NIST 800-171 Revision 2, requirement 3.11.2 simply read: "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified." This left organizations guessing: how often is "periodically"? How quickly must new vulnerabilities be remediated? How frequently should the scan list be updated?
In Revision 3, the same requirement became three distinct sub-requirements, each with explicit ODPs:
- Monitor and scan the system for vulnerabilities [Assignment: organization-defined frequency] and when new vulnerabilities affecting the system are identified.
- Remediate system vulnerabilities within [Assignment: organization-defined response times].
- Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported.
Organizations can fill in those blanks based on their own risk tolerance and operational environment. This flexibility prevents NIST 800-171 from being a one-size-fits-all framework and allows it to address varying risk tolerances, operational needs, and external mandates.
Evolution of the ODP Count in NIST 800-171 Rev 3 drafts
- The initial public draft (May 2023) contained 100+ ODPs.
- Industry pushback reduced this to 34 in the November 2023 draft.
- The final release (May 2024) settled on 88 ODPs across 49 requirements, a significant increase from the draft but a reduction from the initial proposal.
The DoD's ODP Values
On April 10, 2025, the DoD published a memo with specific values for all 88 ODPs. These values define how the DoD expects contractors to fill in each parameter, effectively providing the answers so organizations don't have to guess.
The DoD ODP memo transforms Rev 3's flexible language into concrete, auditable requirements. For requirement 3.1.8 (limiting unsuccessful logon attempts), with DoD ODP values applied, the requirement becomes: enforce a limit of at most 5 consecutive unsuccessful log-on attempts during a period of 5 minutes, and either lock the account for at least 15 minutes or lock it until released by an administrator.
Using the 3.11.2 example above, with DoD ODP values applied, the three sub-requirements become:
- Monitor and scan the system for vulnerabilities at least monthly, or when there are significant incidents or significant changes to risks.
- Remediate system vulnerabilities within 30 days from date of discovery for high-risk vulnerabilities (including both critical and high); 90 days for moderate-risk vulnerabilities; and 180 days for low-risk vulnerabilities.
- Update the vulnerability scan list no more than 24 hours prior to running the scans.
That's specific. That's testable. And for some organizations, that's also more demanding than current practice. For example, the DoD specifies the ODP in requirement 3.5.5 so organizations must prevent identifier reuse for at least 10 years, which is likely much longer than most contractors currently require.
When CMMC transitions to Rev 3, assessors will evaluate whether your ODP implementations align with these DoD-defined values.
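The article's point that the DoD's ODP values are "specific" and "testable" can be shown directly in code. The following is an added example, not code from the article, NIST or the DoD: it encodes the 3.1.8 and 3.11.2 values quoted above as checks over constructed sample records (logon attempts, vulnerability findings and scan runs). The check logic, the sample data, the 31-day reading of "at least monthly", the choice to ignore attempts made while an account is already locked, and the omission of administrator release are all assumptions of this example.

```python
"""Executable checks for the DoD ODP values quoted for NIST SP 800-171 Rev 3
requirements 3.1.8 and 3.11.2. Added example; check logic and data are assumed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# 3.1.8 ODP values from the DoD memo as quoted on the page
MAX_FAILED_LOGONS = 5
FAILURE_WINDOW = timedelta(minutes=5)
LOCK_DURATION = timedelta(minutes=15)        # "at least 15 minutes"

# 3.11.2 ODP values from the DoD memo as quoted on the page
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
SCAN_INTERVAL_DAYS = 31                      # assumed bound for "at least monthly"
SCAN_LIST_MAX_AGE = timedelta(hours=24)      # list refreshed no more than 24 h before scan


def lockout_state(events, now):
    """events: (timestamp, succeeded) pairs for one account. Returns
    (locked_now, locked_until). Five failures inside any 5-minute window lock
    the account for 15 minutes; a successful logon resets the count.
    Attempts during a lock are ignored (assumption); admin release is not modelled."""
    recent, locked_until = [], None
    for ts, ok in sorted(events):
        if locked_until is not None and ts < locked_until:
            continue
        if ok:
            recent = []
            continue
        recent = [t for t in recent if ts - t <= FAILURE_WINDOW] + [ts]
        if len(recent) >= MAX_FAILED_LOGONS:
            locked_until, recent = ts + LOCK_DURATION, []
    return (locked_until is not None and now < locked_until), locked_until


@dataclass
class Finding:
    finding_id: str
    severity: str                            # critical / high / moderate / low
    discovered: date
    remediated: Optional[date] = None


@dataclass
class Scan:
    started: datetime
    scan_list_updated: datetime


def missed_remediation(findings, as_of):
    """Ids of findings closed after, or still open past, their ODP deadline."""
    late = []
    for f in findings:
        deadline = f.discovered + timedelta(days=REMEDIATION_DAYS[f.severity])
        if (f.remediated or as_of) > deadline:
            late.append(f.finding_id)
    return late


def scan_cadence_ok(scans, as_of):
    """No gap between scans, or since the last scan, exceeds SCAN_INTERVAL_DAYS."""
    times = sorted(s.started for s in scans) + [as_of]
    return bool(scans) and all(
        (b - a).days <= SCAN_INTERVAL_DAYS for a, b in zip(times, times[1:]))


def stale_scan_lists(scans):
    """Scans whose vulnerability list was refreshed more than 24 h before the run."""
    return [s.started for s in scans
            if not timedelta(0) <= s.started - s.scan_list_updated <= SCAN_LIST_MAX_AGE]


# Constructed sample data (not real records)
T = datetime(2025, 6, 30, 9, 0)
FAST_FAILURES = [(T + timedelta(seconds=s), False) for s in (0, 30, 60, 180, 270)]  # 5 in 4.5 min
SLOW_FAILURES = [(T + timedelta(minutes=2 * i), False) for i in range(5)]           # 5 over 8 min
FINDINGS = [
    Finding("F-1", "critical", date(2025, 5, 1), date(2025, 5, 20)),  # closed in 19 d: ok
    Finding("F-2", "high", date(2025, 5, 1)),                         # open 60 d: late
    Finding("F-3", "moderate", date(2025, 4, 15)),                    # deadline 14 Jul: ok
    Finding("F-4", "low", date(2024, 12, 1), date(2025, 6, 10)),      # deadline 30 May: late
]
SCANS = [
    Scan(datetime(2025, 4, 2, 2, 0), datetime(2025, 4, 1, 20, 0)),    # list 6 h old: ok
    Scan(datetime(2025, 5, 1, 2, 0), datetime(2025, 4, 28, 2, 0)),    # list 72 h old: stale
    Scan(datetime(2025, 6, 1, 2, 0), datetime(2025, 6, 1, 1, 0)),     # list 1 h old: ok
]


def report(now=T + timedelta(minutes=10)):
    """Evaluate the sample data and return plain values."""
    locked, until = lockout_state(FAST_FAILURES, now)
    return {
        "fast_failures_locked": locked,
        "locked_until": until.strftime("%H:%M:%S") if until else None,
        "slow_failures_locked": lockout_state(SLOW_FAILURES, now)[0],
        "missed_remediation": missed_remediation(FINDINGS, date(2025, 6, 30)),
        "scan_cadence_ok": scan_cadence_ok(SCANS, datetime(2025, 6, 30, 12, 0)),
        "stale_scan_lists": [s.strftime("%Y-%m-%d") for s in stale_scan_lists(SCANS)],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script it reports that five failures within 4.5 minutes lock the sample account until 09:19:30 while the same five failures spread over 8 minutes do not, that findings F-2 and F-4 missed their 30- and 180-day response times, that the scan cadence met the assumed 31-day bound, and that the 1 May scan ran against a list refreshed 72 hours earlier. The same functions can be pointed at an organization's own records, with the constants replaced by whatever ODP values it has documented in its system security plan.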
What does this mean for CMMC?
The Cybersecurity Maturity Model Certification (CMMC) aligns to existing federal regulations and standards.
For example, NIST 800-171 Rev 2 is the core of CMMC Level 2. These security requirements are not new to CMMC Level 2 contractors, which are estimated to make up more than a third (37%) of the DIB, since they have been required for the protection of CUI under DFARS 7012 for years.
What is new under CMMC is the assessment requirement.

Image source: CMMC Alignment to NIST Standards Breakout Session Presentation
While DFARS 7012 relied on self-attestation of compliance to NIST 800-171 Rev 2, CMMC adds a verification component: most Level 2 organizations handling CUI must undergo a third-party assessment by a certified C3PAO. The DoD estimates that 93% of organizations handling CUI will need Level 2 (C3PAO) certification. Approximately 5% that handle non-critical CUI will qualify for Level 2 (Self) and 2% will need Level 3 (DIBCAC).
The current state: Rev 2 still governs CMMC
Right now, nothing changes. CMMC currently maps to NIST 800-171 Rev 2, all 110 requirements and 320 assessment objectives.
The regulatory basis is clear:
- The CMMC Final Rule (32 CFR Part 170) references NIST 800-171 Rev 2
- A DoD class deviation issued in May 2024 provided an alternative clause in DFARS 252.204-7012 to align compliance to Rev 2
- C3PAO assessors are not authorized to evaluate against Rev 3
This class deviation was necessary because DFARS 252.204-7012 technically requires contractors to implement the most current version of NIST 800-171, but the proposed CMMC rule was released in 2023 before the final Revision 3 and explicitly said organizations would be assessed against Revision 2. The May 2024 class deviation was therefore a quick fix to avoid forcing defense contractors to implement one version of NIST 800-171 while being assessed against another.
While the class deviation is a short-term fix, it has no end date. That means Rev 2 remains the standard until the deviation is rescinded.
However, the DoD ODP Memo signals future alignment with Rev 3
The DoD’s April 2025 memo was more than a technical guidance document. It was a signal.
By defining values for Rev 3 ODPs before Rev 3 is formally required (or any rulemaking process has even begun), the DoD is clearly preparing the Defense Industrial Base for a transition.
An update to CMMC that reflects NIST 800-171 Rev 3 (what the industry is calling "CMMC 3.0," though this is not an official DoD term) is likely already in the works. The DoD's goal in publishing ODP values early is to give organizations time to prepare before any formal mandate takes effect.
What should CMMC contractors do now?
If you're currently pursuing CMMC, focus on Rev 2. This is your legal obligation. Every assessment, every SPRS submission, every C3PAO certification uses Rev 2 as the baseline. Do not divert resources to Rev 3 compliance at the expense of Rev 2.
However, be aware of Rev 3. You’ll want to familiarize yourself with the changes so you're not caught off guard when the transition eventually occurs. Here are steps we recommend:
1. Map your Rev 2 controls to Rev 3
Understand which controls carry over, which are new, and which were withdrawn. This gives you a head start when the transition happens.
2. Pay attention to the three new families
Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) were introduced in Rev 3 to align with the latest version of NIST 800-53. If you're building new processes anyway, consider incorporating these concepts now.
3. Review the DoD's ODP values
They signal how the DoD interprets each parameter. Aligning your practices with these values now will ease the future transition.
4. Don't delay NIST 800-171 compliance until Rev 3 transition
The DoD will formally transition to Rev 3 through future rulemaking, but this will likely take years. Meanwhile, CMMC Phase 2, which rolls out Level 2 (C3PAO) requirements aligned to Rev 2 in most DoD contracts involving CUI, is months away (it starts November 10, 2026). Prioritize readiness efforts accordingly.
5. Monitor DoD announcements
The class deviation rescission and any CMMC rulemaking updates will signal when the transition is imminent.

Image source: CMMC Alignment to NIST Standards Breakout Session Presentation
How the transition will likely work
While no official process has been announced, based on how the DoD has handled previous transitions:
- DoD announces transition timeline: Likely 12-24 months advance notice
- Updated CMMC Assessment Guides: CMMC assessment criteria, assessor training, C3PAO evaluation procedures, and other resources mapping to Rev 3 requirements published
- SPRS updated: Will accept Rev 3-based scoring for self- and third-party assessments
- Dual-path period: Both Rev 2 and Rev 3 assessments accepted during transition
- Rev 2 sunset: Eventually, only Rev 3 assessments accepted
Expected timeline: The industry consensus is that the transition won't begin before 2027 at the earliest, with full adoption starting in 2028, the last year of the CMMC rollout. In other words, do not plan your compliance strategy around Rev 3 timing.
How Secureframe can help you stay compliant with NIST 800-171 Rev 2 vs 3
Stay ahead of the Rev 2 to Rev 3 transition. Secureframe maps your controls to NIST 800-171 Rev 2 (CMMC Level 2) and Rev 3, so when the DoD transitions, you'll already know where you stand.
See how Secureframe simplifies NIST 800-171 Rev 3 compliance and CMMC Level 2 certification.
FAQs
Do defense contractors need to comply with Rev 3 now?
No. CMMC and DFARS currently require Rev 2. The DoD class deviation has no end date. Continue complying with Rev 2.
Will my Rev 2 certification still be valid after the transition?
Unknown. The DoD hasn't specified a transition mechanism. It's likely there will be a grace period or dual-path option.
Are the Rev 3 changes significant enough to worry about?
For most organizations with mature Rev 2 compliance, the transition will be manageable. The biggest new effort will be around supply chain risk management (SR), a brand new domain for many contractors.
Can I proactively implement Rev 3 to get ahead?
You can implement Rev 3 controls in addition to Rev 2, but you must still comply with Rev 2 for CMMC. Any extra effort toward Rev 3 should not come at the expense of meeting current requirements.
What is "CMMC 3.0"?
An industry term (not official DoD language) for the expected future version of CMMC that maps to NIST 800-171 Rev 3. The DoD has not used this term officially.

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.