PlainAudit

NIST 800-171 Rev 2 vs Rev 3: What Changed and Why CMMC Still Uses Rev 2

NIST published Revision 3 of SP 800-171 in May 2024 with 97 requirements, three new control families, and a structural change called Organization-Defined Parameters. A contractor reading that announcement reasonably asks: should we stop preparing for Rev 2 and pivot to Rev 3? The answer is no — and the reason is not opinion. The DoD has issued a class deviation that keeps CMMC Level 2 assessments on Rev 2 until a separate rulemaking formally incorporates Rev 3. This post walks the practical differences, why the deviation exists, and how to think about Rev 3 preparation without abandoning your Rev 2 work.

Quick read: Rev 2 (110 requirements, 320 assessment objectives, 14 families) is the current enforceable CMMC standard. Rev 3 (97 requirements, 422 assessment objectives, 17 families, plus Organization-Defined Parameters) exists but is not yet authorized for CMMC scoring, SPRS reporting, or C3PAO assessments. Plan and assess against Rev 2. Track Rev 3 as a future-state mapping exercise, not an active compliance target.

Where Each Revision Stands Right Now

  • Rev 2. Published February 2020, with an Update 1 in January 2021 that corrected typographical errors and clarified language without changing requirements. Rev 2 is the current enforceable standard for CMMC. Every C3PAO assessment, every SPRS score submission, and every contracting officer’s flow-down clause in 2026 references Rev 2.
  • Rev 3. Published May 2024 by NIST. Rev 3 was finalized after public comment and reflects updated security thinking. The DoD’s class deviation keeps CMMC compliance pegged to Rev 2 until rulemaking formally transitions the program, and the DoD published its specific ODP values for Rev 3 in an April 2025 memo — a signal that transition planning is underway, but not a date for the transition itself.

What Actually Changed

| Dimension | Rev 2 | Rev 3 |
| --- | --- | --- |
| Total requirements | 110 | 97 (consolidated, not reduced — some Rev 2 requirements merged) |
| Assessment objectives | 320 | 422 (roughly 32% increase in granularity) |
| Control families | 14 | 17 (3 new: Planning, System and Services Acquisition, Supply Chain Risk Management) |
| Organization-Defined Parameters (ODPs) | None | Embedded throughout — organization must define specific values for many controls |
| CMMC authorization status | Current enforceable standard for Level 2 | Not yet authorized for CMMC scoring or C3PAO assessments |
| SPRS reporting | Required — scored against the 110 requirements | Not currently reportable |

The headline “13 fewer requirements” is misleading. Rev 3 reorganized the catalog — some Rev 2 requirements were consolidated, some were moved into new families, and the underlying assessment work expanded rather than shrank. The 320 → 422 objective increase is the more useful number for predicting effort.

The Three New Families

Rev 3 introduces three control families that Rev 2 did not have as standalone categories:

  • Planning (PL): organizational planning controls covering rules of behavior, system security planning, and architecture decisions tied to security.
  • System and Services Acquisition (SA): acquisition controls covering the security review of acquired services, software, and external systems — including the security expectations placed on vendors and integrators.
  • Supply Chain Risk Management (SR): SCRM controls covering risk identification across the supplier base, with explicit requirements for monitoring third-party risk over the system lifecycle. This reflects the supply-chain attack pattern that has dominated federal cybersecurity guidance since SolarWinds.

Practitioners with an ISO 27001 ISMS will recognize most of this work; the underlying controls exist in Annex A and are familiar from NIST SP 800-161 (which Rev 3 explicitly draws from). For contractors with a Rev-2-only history, the SR family is the largest net-new domain.

Why CMMC Is Still on Rev 2: The Class Deviation

The DoD’s class deviation is the load-bearing piece of this entire question. CMMC is a regulatory program tied to specific contractual clauses — DFARS 252.204-7012 for safeguarding and DFARS 252.204-7021 for CMMC itself — that explicitly reference NIST 800-171 Rev 2. Updating the program to Rev 3 requires:

  1. The DoD to amend the DFARS clauses to reference Rev 3, which requires a rulemaking under the Federal Acquisition Regulation process.
  2. A revised CMMC Assessment Guide aligned to Rev 3’s organization and objectives.
  3. Revised SPRS scoring methodology — the current 1/3/5-point structure was calibrated against Rev 2’s 110 requirements.
  4. C3PAO retraining against the new methodology.

None of these steps are complete. Practitioner estimates for the rulemaking and program-update timeline land in the 2–3-year range from now (mid-2026), placing a likely Rev 3 transition in 2028 or later. In the interim, the class deviation directs contracting officers to continue using Rev 2 in all CMMC-related contract actions.

ODPs: The Structural Change That Will Hurt the Most

The most significant Rev 3 change is not the requirement count or the new families; it’s Organization-Defined Parameters. Under Rev 2, many controls have implicit parameters that the standard quietly fills in — password length, log review frequency, training cadence, scan intervals. Under Rev 3, those parameters become explicit ODPs that the organization (or, for federal CUI work, the DoD) must define and document.

In practice, this changes Rev 3 preparation in three ways:

  • Organizational decision overhead increases. Each ODP is a documented decision that must be defended at assessment time. A 422-objective standard with 100+ ODPs requires substantially more policy specificity than the 320-objective Rev 2.
  • The DoD has already published its ODP values. Per the April 2025 DoD ODP memo, contractors handling CUI under Rev 3 will not get to set their own values for the parameters DoD has specified. Your organization can be more strict than DoD’s parameter; you cannot be more permissive.
  • SSPs need restructuring. The current Rev 2 System Security Plan format describes “how we implement this requirement.” A Rev 3 SSP needs to describe “how we implement this requirement, what we set the parameter to, and why.” The narrative depth per control increases.

When and How to Start Rev 3 Preparation

Active Rev 3 preparation is premature for most contractors today. Practical Rev 3 work falls in three phases:

  1. Now – rulemaking signal. Stay Rev 2 compliant. Watch for DoD rulemaking notices on the transition; the formal Notice of Proposed Rulemaking is the trigger for active Rev 3 preparation.
  2. 12 months before transition. Begin Rev 2 → Rev 3 crosswalk. Map your existing controls against the new catalog, identify the consolidations (where two Rev 2 requirements became one Rev 3 requirement), and flag the three new families. Document candidate ODP values for the parameters DoD has not pre-set.
  3. 6 months before transition. Update the SSP, implement net-new controls in the SR/SA/PL families, and run a mock assessment against Rev 3 if your RPO supports it. Existing Rev 2 evidence will mostly transfer; SR-family evidence will mostly be net-new.

The contractors who get this wrong start Rev 3 prep too early — they restructure their SSP for a Rev 3 transition that may be 2–3 years out, divert spend from Rev 2 evidence and remediation, and arrive at their actual C3PAO assessment with thin Rev 2 documentation and Rev 3 documents that don’t apply.

Verdict by Reader Type

If you are currently preparing for your first CMMC Level 2 assessment: Plan and execute against Rev 2 exclusively. Do not mix Rev 2 and Rev 3 controls in your SSP, your gap assessment, or your evidence package. The DoD class deviation makes Rev 2 your contractual obligation; any Rev 3 work today is unverifiable and won’t survive an assessment. The 110 Rev 2 requirements are the right scope.
If you are currently Rev-2-certified and looking ahead: Build a Rev 2 → Rev 3 crosswalk as a future-state planning document, but do not implement against Rev 3 yet. Specifically: identify which of your Rev 2 controls would change in Rev 3 (consolidated, moved, or parameter-required), and flag the three new families (PL, SA, SR) as planning items. Keep your operational program on Rev 2 until rulemaking moves.
If you hold ISO 27001 or NIST CSF certification: You already have substantial coverage of the Rev 3 supply-chain and acquisition families. When the Rev 3 transition is announced, the migration cost is materially lower for you than for Rev-2-only organizations. Today, however, your CMMC obligation still flows through Rev 2.
If you are evaluating compliance tooling: Ask vendors which revision their assessment logic uses. Tools that score against Rev 3 today produce inaccurate SPRS scores and confusing guidance, because CMMC SPRS scoring is Rev-2-specific. The right tool today scores against Rev 2 and may offer Rev 3 as a clearly labeled informational preview.

Where to Start

For the program you actually need to deliver in 2026 and into 2027, the work is Rev 2. The CMMC readiness assessment walks all 14 Rev 2 control families and produces an estimated SPRS score against the 110 requirements — the score format DoD currently requires. For the broader timeline, Phase 2 enforcement begins November 2026 and accelerates the C3PAO assessment cadence regardless of which revision is active.

Disclaimer: This guide is an educational starting point, not legal, audit, or compliance advice. It is not a substitute for a formal CMMC readiness assessment by a C3PAO or Registered Practitioner Organization (RPO). Your SPRS score must be calculated and submitted by your organization — this guide does not submit SPRS scores. Consult an RPO for formal assessment readiness guidance and watch the DoD CIO CMMC page for class deviation and rulemaking updates.