Table of Contents
- NIST SP 800-171 Revision 3: What Changed and Why It Matters
- What Actually Changed in Rev 3
- What Hasn't Changed: Rev 2 Is Still the Compliance Standard
- How to Think About Rev 3 in Your Planning
- Frequently Asked Questions
- 1. If CMMC Level 2 still uses Rev 2, should we bother documenting our compliance against Rev 3 at all right now?
- 2. How long does the DoD Class Deviation typically stay in effect before it's updated or replaced?
- 3. With the three new control families in Rev 3, which one tends to create the most remediation work for organizations that are already Rev 2 compliant?
- 4. Does moving to Rev 3's alignment with NIST SP 800-53 Rev 5 make it easier for organizations that are also pursuing FedRAMP or managing federal civilian contracts?
- 5. Will existing SPRS scores need to be recalculated once the DoD officially transitions to Rev 3?
- 6. If we're a subcontractor and our prime hasn't said anything about Rev 3, what's our actual obligation right now?
NIST SP 800-171 Revision 3: What Changed and Why It Matters
NIST published the final version of SP 800-171 Revision 3 on May 14, 2024. For defense contractors, the immediate practical question is: does this change what you need to do right now for CMMC?
The short answer is no — not yet. Two weeks before Rev 3 was published, the DoD issued a Class Deviation (May 2, 2024) that explicitly requires contractors subject to DFARS 252.204-7012 to continue complying with Revision 2. CMMC Level 2 assessments still use Rev 2. SPRS scores are still calculated against Rev 2. C3PAO assessors are not authorized to evaluate against Rev 3. That deviation remains in effect with no defined expiration date.
What Rev 3 represents is where requirements are heading. Understanding what changed — and why — matters for organizations planning their compliance programs over the next two to three years.
What Actually Changed in Rev 3
The control count dropped from 110 to 97, but the workload didn't shrink. NIST consolidated related requirements rather than eliminating them. Controls that were previously spread across multiple discrete requirements are now combined into single, multi-part requirements. The underlying security obligations are largely the same; the structure is reorganized to align with NIST SP 800-53 Rev 5, which is now the single authoritative source for all Rev 3 controls. For organizations already working toward Rev 2 compliance, the technical implementations required don't change dramatically — but the documentation and evidence structure does.
Three new control families were added. These are the most significant structural change:
- Planning (PL): Requires documented, systematic approaches to security planning — not ad hoc decisions, but written plans that connect security controls to organizational objectives and risk tolerance.
- System and Services Acquisition (SA): Addresses security requirements for technology procurement and vendor relationships. Organizations must evaluate the security posture of systems and services before acquisition, not just after deployment.
- Supply Chain Risk Management (SR): Requires active assessment and management of risks from suppliers and third-party components throughout the technology supply chain. This is a direct response to supply chain compromise incidents like SolarWinds, where a trusted software update mechanism became the attack vector.
These three families don't have equivalents in Rev 2, so they represent genuine new work for most organizations — new documentation, new vendor assessment processes, and in some cases new contractual clauses flowing security requirements down to suppliers.
"Periodically" was removed from all requirements. Rev 2 used the word "periodically" throughout — "periodically update your SSP," "periodically review access permissions" — without defining what periodically means. Assessors and contractors interpreted it differently, and it created legitimate ambiguity. Rev 3 replaces every instance with specific timeframes or defined triggers. This makes requirements more precise but also means organizations can't rely on vague interval language anymore.
Organization-Defined Parameters (ODPs) were introduced. Rev 3 includes 49 parameters where organizations — or the federal agencies they contract with — can specify values appropriate to their environment. The DoD published its own ODP values in April 2024, defining what those parameters mean for defense contractors. ODPs allow a small engineering firm to implement different monitoring frequencies than a large prime contractor while both satisfying the same underlying requirement. Once an ODP value is defined, it's binding and subject to assessment.
What Hasn't Changed: Rev 2 Is Still the Compliance Standard
The DoD Class Deviation means that for CMMC and DFARS purposes, Rev 2 is what matters today. SPRS scores are calculated against Rev 2's 110 controls. CMMC Level 2 assessments follow Rev 2. The CMMC 2.0 final rule was built around Rev 2, and the DoD has indicated it will incorporate Rev 3 through future rulemaking — no timeline has been formally announced.
Non-defense federal contractors working with civilian agencies like GSA may already face Rev 3 requirements depending on their contract language, since those agencies aren't bound by the DoD's class deviation. Organizations working across both DoD and civilian agency contracts may need to satisfy both Rev 2 and Rev 3 simultaneously — a real compliance complexity that deserves attention.
How to Think About Rev 3 in Your Planning
The three new control families — Planning, System and Services Acquisition, and Supply Chain Risk Management — are where most organizations will need new work regardless of when the DoD formally adopts Rev 3. Building an SSP-backed security planning process, establishing vendor assessment practices, and documenting supply chain risk management procedures are sound practices independent of compliance timing. Starting that work now avoids a compressed remediation window when the DoD does issue updated guidance.
The ODP framework is also worth engaging with now. The DoD published its ODP values in April 2024, which means the specific parameter values for defense contractors are already defined. Reviewing those values against your current implementation identifies gaps before they become assessment findings.
Organizations that are still working toward Rev 2 compliance — the majority, based on average SPRS scores in the defense industrial base — should stay focused on that. Rev 3 readiness is a secondary priority until the DoD formally updates its requirements. What you build for Rev 2 is not wasted work; Rev 3 is substantially built on the same foundation.
Reach out to Stratify IT to discuss where your organization stands against Rev 2 requirements and how to position for the Rev 3 transition — we work with defense contractors on gap assessments, SSP development, and CMMC readiness planning.
Learn more about our CMMC compliance services to see the full range of what we offer.
Stratify IT — compliance built around your business, not a template.
Until Rev 3 applies to CMMC, contractors should focus on their SPRS scoring and CMMC readiness against Rev 2 — that score is what contracting officers see today, and an inaccurate score carries legal exposure. How C3PAO assessments are conducted under the current framework is covered in our overview of the CMMC ecosystem and C3PAO roles.
For more on CMMC readiness and DFARS compliance, explore our CMMC compliance services.
Frequently Asked Questions
1. If CMMC Level 2 still uses Rev 2, should we bother documenting our compliance against Rev 3 at all right now?
Probably not as your primary focus. Your SPRS score, your C3PAO assessment, and any contract obligations all run against Rev 2 — so that's where your documentation effort needs to be airtight. That said, if you're building new policies or updating your SSP, writing them with Rev 3's structure in mind isn't wasted work. Just don't let forward-looking prep create gaps in your current compliance posture.
2. How long does the DoD Class Deviation typically stay in effect before it's updated or replaced?
There's no standard timeline — deviations can persist for months or several years depending on how quickly the DoD reconciles them with a final rule. The May 2024 deviation has no expiration date written into it. The practical expectation in the industry is that Rev 3 alignment will come through a future CMMC rulemaking update, which historically takes 18 to 36 months after NIST finalizes a publication. Watch for DFARS rule changes, not just NIST announcements.
3. With the three new control families in Rev 3, which one tends to create the most remediation work for organizations that are already Rev 2 compliant?
Supply chain risk management (SCRM) is typically where the heaviest lift shows up. Most organizations doing Rev 2 work have some supplier controls in place, but Rev 3 expects a more formalized, documented SCRM program — not just questionnaires sent to vendors. If you're working with cloud service providers, SaaS tools, or hardware from international suppliers, expect to build out more explicit risk documentation than what Rev 2 required.
4. Does moving to Rev 3's alignment with NIST SP 800-53 Rev 5 make it easier for organizations that are also pursuing FedRAMP or managing federal civilian contracts?
It does simplify things considerably if you're operating across both DoD and civilian federal environments. SP 800-53 Rev 5 is already the baseline for FedRAMP and most FISMA-related assessments, so teams that have mapped their controls to 800-53 won't need to maintain two separate control frameworks. The alignment also makes inherited controls from FedRAMP-authorized cloud services easier to document and cross-reference in your SSP.
5. Will existing SPRS scores need to be recalculated once the DoD officially transitions to Rev 3?
Almost certainly yes. The SPRS scoring methodology is tied to the specific control structure of the applicable revision, and a structural shift from 110 controls to 97 reorganized ones will likely require a new self-assessment and updated score submission. Organizations shouldn't assume their current SPRS score carries forward automatically. When the DoD issues updated DFARS language referencing Rev 3, treat that as the trigger to rerun your assessment — not a grace period.
6. If we're a subcontractor and our prime hasn't said anything about Rev 3, what's our actual obligation right now?
Your obligation flows from your contract, not from NIST's publication schedule. If your subcontract references DFARS 252.204-7012, you're bound to Rev 2 compliance — full stop. Primes are generally not ahead of the DoD deviation on this, and most aren't pushing Rev 3 requirements down the supply chain yet. That said, if your prime starts updating their supplier security requirements or flow-down clauses, that's your early signal to start gap-assessing against the new structure.