NIST SP 800-171 Rev. 2 vs Rev. 3 for CMMC: What Contractors Should Use Right Now

Current Obligation First. Future Direction Second.

NIST published SP 800-171 Revision 3 in May 2024. Since then, contractors have been asking whether they should build their CMMC program against Rev. 2 or Rev. 3 — and advisors, MSPs, and vendors are giving contradictory answers. Here is the clear answer: your assessment is against Rev. 2. Everything else is context.

Why This Question Keeps Surfacing

The confusion is understandable. NIST published Revision 3 of SP 800-171, which reorganizes the control structure, adds new requirements, removes some existing ones, and aligns more closely with the parent framework SP 800-53 Rev. 5. Contractors read that a new version exists and reasonably assume they should build against the latest standard. Vendors see the update as a selling opportunity and position their products against Rev. 3 requirements. Advisors hedge by saying "build for Rev. 3 to future-proof your program." And the contractor ends up unsure which version to document, which controls to implement, and whether their current work will be wasted.

The answer is unambiguous: CMMC Level 2 assessments are conducted against NIST SP 800-171 Revision 2. This is codified in 32 CFR Part 170 and in the DFARS clause 252.204-7012, which references NIST SP 800-171 without specifying Rev. 3. Until the DoD completes a rulemaking process that explicitly updates the CMMC framework to reference Rev. 3, your assessment — and therefore your compliance program — is governed by Rev. 2.

This does not mean Rev. 3 is irrelevant. It means the question of when to act on it has a specific answer: not yet. The rest of this article explains why, and what to monitor so you know when that answer changes.

What Currently Governs CMMC Assessments

The regulatory chain that governs CMMC Level 2 assessments references specific versions of specific documents. Each link in the chain points to Rev. 2 — not Rev. 3.

Authority DFARS 252.204-7012
Requires contractors to implement NIST SP 800-171 to protect Covered Defense Information. The clause references NIST SP 800-171 broadly — and the version in effect for CMMC purposes is Rev. 2, as specified by the CMMC program rule.
Authority 32 CFR Part 170
The CMMC program rule, finalized in October 2024. It defines CMMC Level 2 as requiring implementation of the 110 security requirements in NIST SP 800-171 Revision 2. The rule does not reference Rev. 3. Until the rule is amended, Rev. 2 is the governing standard.
Authority 48 CFR (DFARS Rule)
The acquisition rule that implements CMMC in DoD contracts. The clause at 252.204-7021 specifies CMMC level requirements and ties them to 32 CFR Part 170 — which references Rev. 2. Contract language follows the rule, and the rule follows Rev. 2.
Authority NIST SP 800-171A
The assessment methodology used by C3PAOs. The current version — 800-171A for Rev. 2 — defines the 320 assessment objectives across the 110 practices. NIST has published a corresponding assessment methodology for Rev. 3, but C3PAOs are not using it for CMMC assessments. The assessment tool references Rev. 2 objectives exclusively.
Every regulatory artifact in the CMMC chain — the DFARS clause, the program rule, the acquisition rule, and the assessment methodology — references Rev. 2. The transition to Rev. 3 will require a formal rulemaking process that amends 32 CFR Part 170. That process has not begun. Until it concludes, Rev. 2 governs.

Why Reading Rev. 3 Can Still Be Useful Operationally

The fact that Rev. 2 governs the assessment does not mean Rev. 3 has no practical value. Rev. 3 represents NIST's current thinking on what constitutes adequate protection for CUI — and in several areas, that thinking has evolved meaningfully. Contractors who read Rev. 3 gain insight into where the standard is heading, which can inform operational security decisions that go beyond the compliance floor.

Supply Chain Risk Management

Rev. 3 introduces a new Supply Chain Risk Management (SR) family that does not exist in Rev. 2. While not assessable under current CMMC, contractors that depend on complex supply chains may benefit from adopting SR practices voluntarily — especially if their primes are already asking about supply chain security posture.

Stronger Authentication Guidance

Rev. 3 expands authentication requirements with more explicit language around phishing-resistant MFA and token-based authentication. Contractors already planning their MFA architecture can align with Rev. 3 guidance without conflicting with Rev. 2 — since Rev. 3 is more prescriptive, not contradictory.

Organization-Defined Parameters

Rev. 3 introduces Organization-Defined Parameters (ODPs) — values that the contractor must specify for certain controls (e.g., log retention period, patch remediation timeline). Rev. 2 implicitly requires these decisions but does not formalize them. Contractors who start defining ODPs now will have less work when the transition happens.

Alignment with 800-53 Rev. 5

Rev. 3 aligns 800-171 more closely with NIST SP 800-53 Rev. 5 — the parent control catalog used by federal agencies. Contractors working toward FedRAMP authorization or supporting federal agency partners may find that Rev. 3 alignment simplifies cross-framework mapping, even if CMMC still assesses Rev. 2.

The operative principle: Reading Rev. 3 to strengthen your security posture is smart. Rewriting your SSP, policies, and evidence infrastructure against Rev. 3 when the assessment is against Rev. 2 is premature. Use Rev. 3 for insight. Use Rev. 2 for compliance.

Where Contractors Get Confused Between Future Direction and Current Obligation

The confusion between Rev. 2 and Rev. 3 creates specific, observable mistakes in compliance programs. These mistakes cost money, delay assessments, and produce documentation that does not match what the assessor expects to see.

Mistake 01 Writing the SSP Against Rev. 3 Control Numbers

Rev. 3 reorganizes the control structure — renumbering, splitting, and merging controls. A contractor whose SSP references Rev. 3 control identifiers is submitting an SSP that does not align with the C3PAO's assessment tool, which uses Rev. 2 identifiers and the 320 assessment objectives from 800-171A Rev. 2. The assessor will either reject the SSP format or require a time-consuming crosswalk before the assessment can proceed.

Mistake 02 Implementing Rev. 3 Controls That Do Not Exist in Rev. 2

Rev. 3 adds new control families and new requirements that have no counterpart in Rev. 2. A contractor who invests in implementing Supply Chain Risk Management controls or new privacy-specific requirements is doing useful security work — but none of it will be evaluated during the CMMC Level 2 assessment. The budget and effort spent on Rev. 3-only controls could have been directed at closing Rev. 2 gaps.

Mistake 03 Skipping Rev. 2 Controls Removed in Rev. 3

Rev. 3 removes or consolidates some Rev. 2 requirements. A contractor who reads Rev. 3 and concludes that a Rev. 2 control is "no longer required" will fail the assessment. The assessor evaluates all 110 Rev. 2 practices — including any that Rev. 3 later removed. Until the CMMC rule changes, every Rev. 2 control is assessable.

Mistake 04 Advisor or MSP Building to the Wrong Version

Some advisors and MSPs — particularly those who also serve FedRAMP or federal agency clients — default to the latest NIST publication. If your advisor built your policy suite against Rev. 3 without telling you, your policies reference controls the assessor is not evaluating and omit language the assessor expects. Verify which version your advisor is using before the engagement begins.

The practical test: Open your SSP. Does it reference 110 security requirements? Does it use the control identifiers from Rev. 2 (e.g., AC.L2-3.1.1, AU.L2-3.3.1)? Does it map to the 320 assessment objectives in 800-171A? If yes, you are on the right standard. If it references 97 requirements, uses different control IDs, or mentions Organization-Defined Parameters as a formal element — it may have been built against Rev. 3.
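The practical test above can be automated as a first-pass triage of an SSP export. The script below is an added example, not part of this article or of any CMMC or NIST tool: it scans plain text for Rev. 2 identifiers in either the CMMC form (AC.L2-3.1.1) or the bare NIST form (3.1.1), for Rev. 3 identifiers (Rev. 3 renumbered the requirements to the 03.xx.yy form, with the new SR family at 03.17), for a "110 requirements" or "97 requirements" claim, and for Organization-Defined Parameter wording. The scoring weights, the "mixed" threshold and the sample SSP excerpts are constructed for illustration; ODP wording is deliberately treated as a weak signal, because a Rev. 2 program that documents its parameters in a central table (as recommended later in this article) should not be flagged as a Rev. 3 SSP.

```python
import re

# Identifier patterns. Rev. 2 requirements are numbered 3.x.y (families 3.1 to 3.14);
# CMMC writes them as <FAMILY>.L<level>-3.x.y (for example AC.L2-3.1.1). Rev. 3
# renumbered everything to 03.xx.yy (families 03.01 to 03.17; 03.17 is the new SR family).
REV2_CMMC_ID = re.compile(r"\b[A-Z]{2}\.L[12]-(3\.(?:1[0-4]|[1-9])\.\d{1,2})\b")
REV2_BARE_ID = re.compile(r"(?<![\d.])(3\.(?:1[0-4]|[1-9])\.\d{1,2})(?![\d.])")
REV3_ID = re.compile(r"\b(03\.(?:0[1-9]|1[0-7])\.\d{2})\b")
# "110 security requirements" points at Rev. 2; "97 requirements" points at Rev. 3.
REQ_COUNT = re.compile(r"\b(110|97)\b\s+(?:security\s+)?requirements", re.IGNORECASE)
# ODP wording is a Rev. 3 formalism, but Rev. 2 programs may document parameters too.
ODP = re.compile(r"\bODPs?\b|organization-defined parameter", re.IGNORECASE)


def ssp_revision_signals(text: str) -> dict:
    """Collect the raw indicators the practical test asks about."""
    rev2_ids = set(REV2_CMMC_ID.findall(text)) | set(REV2_BARE_ID.findall(text))
    rev3_ids = set(REV3_ID.findall(text))
    counts = {m.group(1) for m in REQ_COUNT.finditer(text)}
    return {
        "rev2_ids": sorted(rev2_ids),
        "rev3_ids": sorted(rev3_ids),
        "claims_110": "110" in counts,
        "claims_97": "97" in counts,
        "odp_mentions": len(ODP.findall(text)),
    }


def classify_ssp(text: str) -> dict:
    """Return the signals plus a verdict: rev2, rev3, mixed or unknown (heuristic weights are constructed)."""
    s = ssp_revision_signals(text)
    # Identifiers and requirement-count claims are strong signals; ODP wording is weak and capped.
    rev2_score = len(s["rev2_ids"]) + (5 if s["claims_110"] else 0)
    rev3_score = len(s["rev3_ids"]) + (5 if s["claims_97"] else 0) + min(s["odp_mentions"], 3)
    if rev2_score == 0 and rev3_score == 0:
        verdict = "unknown"
    elif min(rev2_score, rev3_score) >= 0.25 * max(rev2_score, rev3_score):
        verdict = "mixed"  # both revisions present: expect the assessor to demand a crosswalk
    else:
        verdict = "rev2" if rev2_score > rev3_score else "rev3"
    return {**s, "rev2_score": rev2_score, "rev3_score": rev3_score, "verdict": verdict}


# Constructed SSP excerpts (not real contractor documents).
SSP_REV2 = """System Security Plan - CUI enclave (constructed sample)
This SSP addresses the 110 security requirements of NIST SP 800-171 Rev. 2
and the assessment objectives of NIST SP 800-171A.
AC.L2-3.1.1 Limit system access to authorized users: enforced by directory group membership.
AC.L2-3.1.2 Limit access to permitted transactions: role-based access in the ERP.
AU.L2-3.3.1 Create and retain audit logs: forwarded to the SIEM, retained 90 days.
"""

# A Rev. 2 SSP that also keeps a parameter table, as the article recommends.
SSP_REV2_WITH_ODPS = SSP_REV2 + """
Organization-defined parameters: audit log retention 90 days; patch remediation 30 days.
"""

SSP_REV3 = """System Security Plan (constructed sample)
This plan implements the 97 requirements of NIST SP 800-171 Revision 3.
03.01.01 Account Management. ODP: accounts reviewed every 30 days.
03.03.01 Event Logging. ODP: audit records retained for 90 days.
03.17.01 Supply Chain Risk Management Plan.
"""


def report(name: str, text: str) -> str:
    """One-line summary suitable for a triage log."""
    r = classify_ssp(text)
    return (f"{name}: verdict={r['verdict']} rev2_ids={len(r['rev2_ids'])} "
            f"rev3_ids={len(r['rev3_ids'])} claims_110={r['claims_110']} "
            f"claims_97={r['claims_97']} odp_mentions={r['odp_mentions']}")


if __name__ == "__main__":
    for name, text in [("rev2", SSP_REV2), ("rev2+odps", SSP_REV2_WITH_ODPS),
                       ("rev3", SSP_REV3), ("mixed", SSP_REV2 + SSP_REV3)]:
        print(report(name, text))
```

Run it against a text export of your SSP (`classify_ssp(open("ssp.txt").read())`); a "rev3" or "mixed" verdict is the cue to ask your advisor which revision the document was written against before the C3PAO engagement begins. The regexes are only a triage aid: a version string or a section number that happens to look like 3.1.1 will count as an identifier, so read the matched IDs rather than trusting the score alone.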

How to Avoid Rewriting Your Program Prematurely

The most expensive version of the Rev. 2/Rev. 3 confusion is a contractor who rewrites their entire compliance program — SSP, policies, procedures, evidence structure — against Rev. 3, only to face an assessment against Rev. 2 and need a second rewrite to align. This wastes six to twelve months of effort and tens of thousands of dollars in advisory fees.

The strategy that avoids this waste:

  • Build your compliance program against Rev. 2. The SSP, all 110 control implementation descriptions, all policies, all procedures, and all evidence artifacts should reference and align with NIST SP 800-171 Rev. 2 and the assessment objectives in 800-171A.
  • Document your Organization-Defined Parameters now. Rev. 3 formalizes ODPs, but Rev. 2 implicitly requires the same decisions — retention periods, patch timelines, scan frequency, session timeout values. Documenting these in a centralized table today means less rework when the transition happens.
  • Structure your SSP for portability. Write control implementation descriptions that focus on what you do, not just the control number. When Rev. 3 arrives, the descriptions will need remapping to new control IDs — but if the descriptions are substantive, the content will carry over. Generic descriptions like "implemented per policy" will need to be rewritten either way.
  • Track the Rev. 2 → Rev. 3 crosswalk. NIST published a mapping table showing how Rev. 2 controls correspond to Rev. 3 controls. Download it. Keep it on file. When the transition is announced, this table will be the foundation of your remapping effort. Do not start the remapping until the transition timeline is confirmed.
  • Invest in security improvements that are version-agnostic. MFA, endpoint management, centralized logging, vulnerability scanning, patch management, encryption, and incident response are foundational capabilities that satisfy both Rev. 2 and Rev. 3. Every dollar spent on these capabilities is money well spent regardless of which revision governs your next assessment.
The guiding principle: Build for the assessment you will face — which is Rev. 2. Invest in security capabilities that will serve you under any revision. Do not restructure your documentation until the rulemaking tells you to.

What to Monitor for Future Changes

The transition from Rev. 2 to Rev. 3 will not happen overnight. It will follow a regulatory process with defined milestones. Here is what to watch — and where to watch it.

Signal 01 Proposed Rulemaking
The DoD will publish a Notice of Proposed Rulemaking (NPRM) to amend 32 CFR Part 170. This is the first official signal that the CMMC program will transition to Rev. 3. The NPRM will include a public comment period, typically 60 days. Monitor the Federal Register and the DoD CIO CMMC website for the announcement.
Signal 02 Final Rule Publication
After the comment period, the DoD publishes a final rule. This rule will specify the effective date and any transition timeline — likely including a phase-in period where both Rev. 2 and Rev. 3 assessments may coexist. The final rule is the definitive authority on when Rev. 3 becomes the assessment standard.
Signal 03 Updated CMMC Assessment Guide
The Cyber AB and the CMMC PMO will publish an updated assessment guide aligned with Rev. 3 assessment objectives. C3PAOs will need to retrain assessors on the new objectives. This guide is the operational document that determines what the assessor actually evaluates — and it will not change until the rule does.
Signal 04 DFARS Clause Update
The DFARS clause 252.204-7012 and the acquisition clause 252.204-7021 may be updated to reference Rev. 3 explicitly. Until these clauses are updated, contract language will continue to reference the current standard — and contractors will be assessed against whatever the contract specifies.
The most credible estimates suggest the Rev. 3 transition will not affect CMMC assessments before 2027 at the earliest — and possibly later, depending on the rulemaking timeline. Contractors pursuing CMMC Level 2 certification in 2025 or 2026 should build exclusively against Rev. 2. Contractors whose first assessment will occur in 2028 or later should monitor the rulemaking closely and plan for the possibility of building against Rev. 3 — but should not act on that possibility until the proposed rule is published.

How to Explain the Distinction to Leadership and Customers

Leadership and customers — particularly prime contractors — ask about Rev. 3 because they have heard it exists and want to know if it affects their compliance posture or their supply chain requirements. The explanation needs to be precise without being technical, and it needs to convey confidence without overpromising.

For Leadership

"We are building to the standard we will be assessed against."

CMMC assessments are conducted against NIST SP 800-171 Revision 2. That is the standard in the contract clause, the program rule, and the assessor's evaluation criteria. We are aware that NIST published Revision 3, and we are monitoring the rulemaking process for any changes. Until a new rule is finalized, our program, our documentation, and our budget are aligned to Rev. 2. The security investments we are making — MFA, monitoring, patching, encryption — serve both versions.

For Primes / Customers

"Our CMMC program is aligned with the current assessment standard."

Our SSP, policies, and evidence are built against NIST SP 800-171 Rev. 2, which is the basis for CMMC Level 2 assessments under 32 CFR Part 170. We are tracking the Rev. 3 rulemaking and will adjust our program when the assessment standard is formally updated. Our current controls satisfy the 110 requirements that will be evaluated during our C3PAO assessment.

Avoid two extremes: do not dismiss Rev. 3 as irrelevant (it will eventually matter), and do not present it as imminent (it is not). The correct framing is: "We know it exists. We know when it will matter. We are acting on the current obligation while monitoring the future one." That is the answer that satisfies leadership, reassures customers, and avoids premature spending.

The Bottom Line

CMMC Level 2 is assessed against NIST SP 800-171 Revision 2. Every policy, every SSP, every evidence artifact, and every control implementation should be built to satisfy the 110 Rev. 2 requirements and the 320 assessment objectives in 800-171A. Revision 3 is published, it reflects NIST's updated thinking, and it will eventually become the assessment standard — but the rulemaking process to make that change has not begun, and the transition is unlikely to affect assessments before 2027 at the earliest.

The contractors who navigate this correctly are the ones who build against the standard they will be assessed against, invest in security capabilities that transcend any single revision, and avoid rewriting their programs based on a future obligation that does not yet have a compliance date.

Build for Rev. 2. Read Rev. 3 for insight. Monitor the rulemaking for timing. And when someone asks which version you are using, the answer is simple: the one that governs your assessment. Everything else is preparation for a transition that will come — but has not arrived.