Current State
NIST SP 800-171 has been the foundation of DoD contractor cybersecurity requirements since 2016. The current operational version is Revision 2, published in February 2020, which contains 110 security requirements organized into 14 control families.
NIST published both SP 800-171 Revision 3 and the companion SP 800-171A Rev 3 (assessment procedures) on May 14, 2024. Rev 3 introduces substantial changes from Rev 2. However:
- CMMC 2.0 is built on Rev 2. The 32 CFR Part 170 Final Rule that established CMMC explicitly references SP 800-171 Rev 2 as the controlling standard.
- DoD has not yet announced a transition timeline to Rev 3 within CMMC. The relationship between DoD's CMMC framework and the underlying NIST standard is governed by regulation, not by NIST publication dates.
- For active CMMC compliance work, Rev 2 remains the operative standard. Build your SSP, your evidence package, and your assessment readiness against Rev 2.
- Rev 3 is anticipated to influence future CMMC versions. Eventually — likely as part of a CMMC framework update — the underlying NIST standard will move to Rev 3, possibly with DoD-specific overlays.
Do not implement Rev 3 in lieu of Rev 2 for current CMMC work. An SSP written against Rev 3 will not pass a Rev 2-based assessment cleanly. Stay on Rev 2 for active certification; track Rev 3 for forward planning.
What Changed Between Rev 2 and Rev 3
| Aspect | NIST SP 800-171 Rev 2 | NIST SP 800-171 Rev 3 |
|---|---|---|
| Total requirements | 110 | 97 base + organization-defined parameters that effectively expand the count |
| Control families | 14 | 17 (added Planning, System and Services Acquisition, and Supply Chain Risk Management) |
| Source standard | Derived primarily from NIST SP 800-53 Rev 4 (Moderate baseline) | Derived from NIST SP 800-53 Rev 5 (Moderate baseline) — significant updates to the underlying control catalog |
| Organization-defined parameters (ODPs) | None — requirements are uniform across all contractors | Many requirements include ODPs — values to be set by the implementing organization (or by the agency in the contract) |
| Withdrawn requirements | — | Multiple Rev 2 requirements were withdrawn (consolidated into others or removed as redundant) |
| New requirements | — | New requirements added for supply chain risk management, system services acquisition, planning, and other topics not previously covered |
| Format | Single requirement statement per control | Restructured with clearer mappings to assessment objectives (similar to 800-53 format) |
| Companion document | NIST SP 800-171A (assessment procedures) | Updated NIST SP 800-171A Rev 3 (assessment procedures aligned to Rev 3 controls) |
The most consequential changes are the addition of organization-defined parameters, the new control families, and the alignment to 800-53 Rev 5. Each represents a meaningful departure from how Rev 2 operates.
New Requirements in Rev 3
Rev 3 adds requirement areas that did not exist in Rev 2. The most notable additions:
Planning (PL)
- Formal requirement for a documented information security planning process
- Rules for plan review, update, and dissemination
- Aligns to the 800-53 PL family
Supply Chain Risk Management (SR)
- Formal requirements for supply chain risk management program
- Vendor and supplier risk assessment
- Component authenticity (anti-counterfeit) requirements
- Alignment to NIST SP 800-161 (cyber supply chain risk management)
- Significant new burden for organizations without a mature SCRM program
System and Services Acquisition (SA)
- Security requirements that must be addressed during acquisition of systems and services
- Documentation requirements for acquired systems
- Developer-related security controls (where applicable)
Notable new requirements within existing families
- Stronger emphasis on cryptographic key management lifecycle
- Explicit requirements for software bill of materials (SBOM) and component inventory
- Strengthened identity and authentication requirements aligned to NIST SP 800-63 current guidance
- More explicit incident response phases and requirements
- Updated audit log requirements reflecting modern logging practice
- Enhanced configuration management requirements covering automation and continuous monitoring
Removed or Consolidated Requirements
Rev 3 also withdraws or consolidates several Rev 2 requirements:
- Several requirements consolidated into broader controls. Where Rev 2 had multiple narrow requirements addressing related topics, Rev 3 sometimes combines them into a single more general requirement.
- Some requirements moved to the assessment objectives layer. Detail that lived in requirement text in Rev 2 may now live in 800-171A Rev 3 as assessment objectives, changing how the requirement is written but not what is assessed.
- A small number of requirements were removed entirely. Where the underlying need is addressed adequately by other controls or by current practice, NIST removed the redundant requirement.
The net effect on the requirement count is roughly neutral: the published figure of 97 base requirements is misleading on its own, because the ODP expansion and the new families add work that the count does not reflect. Total implementation burden is likely greater under Rev 3 than under Rev 2 for most contractors.
Organization-Defined Parameters
The single most significant structural change in Rev 3 is the introduction of organization-defined parameters (ODPs). Rather than uniform values across all contractors (Rev 2's approach), many Rev 3 requirements include parameters that the implementing organization (or the contracting agency) sets within a defined range or with defined criteria.
For example, an audit log retention requirement under Rev 2 might say "the contractor shall retain audit logs for at least one year." The same requirement under Rev 3 might say "the contractor shall retain audit logs for [Assignment: organization-defined time period]" — with the organization (or contracting agency) defining the actual value.
The implications are twofold:
- Implementation flexibility. Contractors can tune parameters to their environment and risk profile rather than meeting a uniform requirement that may not fit their context.
- Assessment complexity. Assessors must verify that the chosen parameters are appropriate, not just that they were met. The range of acceptable answers is wider, but the assessment burden of demonstrating appropriateness is greater.
For DoD contracts, the contracting agency may set the ODPs in the contract or DD-254. Contractors will need to read contracts more carefully to extract the parameter values that govern their implementation.
Structural Changes
Beyond the content changes, Rev 3 restructures how requirements are presented:
- Format aligned to 800-53. Requirements follow a structure closer to NIST SP 800-53 Rev 5, including the use of selection statements and assignment statements (the source of ODPs).
- Stronger separation between requirement and discussion. The requirement text is more concise; explanatory discussion is moved to a separate "Discussion" section, similar to 800-53.
- Updated control mapping documentation. NIST publishes mapping tables showing the correspondence between Rev 2 and Rev 3 requirements, useful for transition planning.
- Refreshed companion documents. SP 800-171A Rev 3 provides updated assessment procedures aligned to the new requirement structure.
When CMMC Will Adopt Rev 3
The CMMC framework is governed by 32 CFR Part 170, which currently references SP 800-171 Rev 2. A transition to Rev 3 within CMMC requires DoD rulemaking — a multi-step process that includes proposed rule, public comment period, response to comments, and final rule.
As of 2026, DoD has not published a proposed rule transitioning CMMC to Rev 3. Several scenarios are plausible:
- DoD adopts Rev 3 directly. A future CMMC version (CMMC 3.0?) would reference Rev 3 as the underlying standard. Implementation would require contractors to update SSPs, evidence packages, and assessment readiness against the new requirements.
- DoD adopts Rev 3 with overlays. The base requirement set is Rev 3, but DoD adds program-specific overlays to address defense-specific concerns. This would be similar to how DoD has historically added DFARS-specific safeguarding rules on top of the NIST baseline.
- DoD remains on Rev 2 indefinitely. Less likely but possible — DoD could decide that Rev 2 adequately serves contractor cybersecurity and that the transition burden is not justified by the benefits of Rev 3.
- A long transition period applies. Even after a CMMC transition is announced, contractors are likely to receive a multi-year window to migrate. Existing certifications would likely run their three-year terms under the framework they were issued under.
The most useful posture for contractors: continue to build for Rev 2 today, but architect compliance programs that can absorb a transition without complete rework.
How to Prepare Now
Without a published CMMC transition timeline, premature implementation of Rev 3 is wasteful. But several preparatory steps cost little and reduce future transition risk:
- Read Rev 3. Familiarity with the new requirements helps you spot places where your current implementation already exceeds Rev 2 minimums and aligns with Rev 3 expectations. The discussion sections in Rev 3 are also useful general security guidance.
- Begin building supply chain risk management capability. The new SR family in Rev 3 is the area where most contractors have the largest gap. A basic SCRM program — vendor risk assessment, supplier inventory, anti-counterfeit posture — is worth building regardless of CMMC timing.
- Document your current organizational parameters. Many of the ODPs in Rev 3 correspond to choices you've already made under Rev 2 (audit log retention duration, account lockout thresholds, password length). Document these choices as deliberate parameter values rather than assumed defaults — your Rev 3 SSP will look much like a documented version of those choices.
- Strengthen your continuous monitoring. Rev 3 places greater emphasis on continuous, automated monitoring than Rev 2. Investments in SIEM, vulnerability management automation, and configuration drift monitoring serve both Rev 2 and Rev 3.
- Build a flexible policy structure. Policies written with explicit parameter values (rather than narrative descriptions) translate more easily into the Rev 3 ODP format. See the policy library guide for the structural recommendations.
- Engage with industry associations. NDIA, AIA, and similar associations are tracking the CMMC-Rev 3 question and engaging with DoD on transition planning. Participate in industry comment periods when proposed rules are published.
- Track DoD PMO communications. The CMMC PMO will be the authoritative source for transition timing announcements. Follow PMO communications, public events, and rule-making notices.
The transition is coming, but probably not soon. Contractors who maintain a strong Rev 2 program and stay informed about Rev 3 will be well-positioned when the transition is announced — likely with a multi-year window to migrate.
Authoritative References
Related resources: See the CMMC phase tracker for the broader rollout timeline, and the maintenance guide for how regulatory changes can affect existing certifications.