CMMC Fundamentals & NIST 800-171
NIST 800-171 Rev 2 vs Rev 3: Which Revision Applies to CMMC in 2026?
NIST 800-171 Rev 2 vs Rev 3 comes down to one distinction. Revision 3 is NIST’s current publication, but Revision 2 remains the CMMC Level 2 baselineand the Department’s current Level 2 assessment standard in 2026. Keep your Level 2 evidence, System Security Plan, and Supplier Performance Risk System score mapped to Revision 2. You can implement Revision 3 in parallel — just don’t leave Revision 2 gaps behind while you do it.
The condition that changes this answer:your solicitation, contract, modification, or prime flow-down controls when it expressly names a revision or incorporates a specific clause version. NIST’s publication status, on its own, does not tell you what your agreement incorporated.
There’s a second question forming underneath this one, and almost nobody is tracking it yet. On June 23, 2026, the Federal Acquisition Regulatory Council proposed a governmentwiderule that would require Revision 3 on covered contracts involving Controlled Unclassified Information — including covered Department contracts — while current CMMC and DFARS deviation authorities still point to Revision 2. How those two would be harmonized is unresolved. We map who’s exposed, and what that means for your next move, in the multi-agency section below.
Answers on the first screen
| Question | Direct answer |
|---|---|
| Which revision is current at NIST? | Revision 3 (published May 14, 2024) |
| Which revision governs CMMC Level 2 today? | Revision 2 — 110 requirements, 14 families |
| What does CMMC Level 1 use? | The 15 basic safeguarding requirements in FAR 52.204-21(b)(1) — not NIST 800-171 |
| Did NIST’s withdrawal of Rev 2 automatically change your contract? | No |
| Can a Department contractor implement Rev 3 now? | Yes, in parallel — while still closing Revision 2 gaps |
| Should you rewrite your SSP to Rev 3 identifiers? | No |
| Does Rev 3 apply governmentwide today? | No. A specific agency or contract may already name it. FAR Case 2026-001 would create a uniform governmentwide requirement if finalized |
| Is the November 10, 2026 Phase II transition still on? | No. Suspended July 13, 2026 |
Who this page is for — and who should go somewhere better
| This page is for you if… | Start somewhere else if… |
|---|---|
| You’re deciding which revision should govern your SSP, evidence index, self-assessment, or SPRS score right now | You want the full walkthrough of all 110 Rev 2 requirements → NIST 800-171 requirements checklist |
| A prime, consultant, auditor, or software vendor just told you something that contradicts what you built | You need assessment-objective-level evidence depth → NIST 800-171A assessment objectives |
| You want to prepare for Revision 3 without breaking Revision 2 traceability | You haven’t confirmed whether you handle FCI or CUI yet → CMMC scoping guide |
| You hold or are pursuing work across multiple federal agencies | You’re still working out which level applies at all → CMMC Level 1 vs Level 2 vs Level 3 |
Does CMMC use NIST 800-171 Rev 2 or Rev 3 in 2026?
CMMC Level 2 uses NIST SP 800-171 Revision 2. Section 170.14 of the CMMC Program Rule incorporates Revision 2 by reference and states that the Level 2 security requirements are identical to it. NIST’s publication of Revision 3 in May 2024 did not automatically rewrite that incorporated baseline; changing it requires rulemaking by the Department.
We understand why this feels unstable. Four separate instruments have to agree before you can trust an answer like that, and most articles cite one of them and move on. So we read all four and put them in a single table.
The Revision Authority Map
| Authority | Points to | What it says | When it applies to you | Source · verified July 18, 2026 |
|---|---|---|---|---|
| NIST (the publisher) | Rev 3 | Revision 2 is marked withdrawn and superseded by Revision 3 as of May 14, 2024 | Always relevant as context — never, by itself, as an obligation | NIST CSRC — SP 800-171 Rev. 2 |
| 32 CFR § 170.14 — CMMC Program Rule | Rev 2 | The CMMC Model incorporates NIST SP 800-171 R2 by reference; Level 2 requirements are identical to Revision 2 | Whenever a CMMC Level 2 requirement applies to your contract | eCFR § 170.14 |
| DFARS 252.204-7012 as codified | Depends on solicitation date | Requires the version of NIST SP 800-171 “in effect at the time the solicitation is issued, or as authorized by the Contracting Officer” | When your award contains the unmodified codified clause | Acquisition.gov — 252.204-7012 |
| DFARS 252.204-7012 under Class Deviation 2024-O0013 | Rev 2 | Directs contracting officers to use an alternate clause requiring Revision 2 instead of the version in effect at solicitation; “remains in effect until rescinded” | When your award incorporates the deviation clause — check the text | Class Deviation 2024-O0013 |
| CMMC Phase II suspension memo, Attachment 1 | Rev 2 (Level 2) | Level 1 self-assessments continue against the FAR basic safeguards; CMMC Level 2 is aligned with NIST SP 800-171 Revision 2 | Any Department procurement request or contract action during the suspension | Implementing Suspension of CMMC Phase II |
| Department ODP memorandum, April 2025 | Rev 3 (preparatory) | Establishes Department-defined values for Revision 3 organization-defined parameters, in preparation for possible implementation | Only if you choose to implement Revision 3 in parallel today | DoD ODPs for NIST SP 800-171 Rev. 3 |
| Proposed governmentwide FAR CUI rule | Rev 3 | Would require contractor systems handling CUI to meet NIST SP 800-171 Revision 3 under a new clause at FAR 52.240-7 | Not yet — proposed only. Comments closed July 23, 2026 | FAR Case 2026-001, 91 FR 37550 |
The one-line takeaway: a NIST publication becomes your obligation only when a rule or a clause points at it. Today, the CMMC rule and the 7012 deviation point at Revision 2. The FAR Council has proposed pointing at Revision 3 across the government.
The four layers most pages collapse into one
This is the frame that makes the whole thing click. Four separate questions hide inside “which revision applies,” and mixing them up is what produces expensive mistakes.
| Layer | The question | Current answer | Who decides |
|---|---|---|---|
| Publication | What does NIST currently publish? | Revision 3 | NIST |
| Contract | What did this instrument incorporate? | Read the clause | Your contracting chain |
| Program | What does CMMC Level 2 assess against? | Revision 2 | 32 CFR Part 170 |
| Modernization | What should we prepare for next? | Revision 3 | You, informed by Department ODP guidance |
Vendors tend to sell you layer one. Assessors test layer three. Your legal exposure lives in layer two. Keep them separate and this stops being confusing.
What the July 13, 2026 suspension did — and didn’t — change
The implementing procedures are specific, and the details matter more than the headline:
- The original phased schedule ran Phase 1 from November 10, 2025 through November 9, 2026, with Phase 2 set to begin November 10, 2026. The Department suspended the Phase II transition on July 13, 2026. Phase I self-assessment requirements continue until further official action.
- During the suspension, program managers and requiring activities may only include CMMC Level 1 (Self) or Level 2 (Self) in procurement requests. They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC).
- Level 1 is a self-assessment against the basic safeguarding requirements for Federal Contract Information in FAR 52.204-21. Level 2 is aligned with NIST SP 800-171 Revision 2.
- The cybersecurity requirements in DFARS 252.204-7012 remain in effect.
- Where an existing solicitation or contract already contains a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, contracting officers are directed to remove it — by solicitation amendment “as soon as practicable,” or by contract modification before the next option exercise or during the next scheduled administrative modification.
- No waivers will be granted during the review.
- Further guidance follows the conclusion of a 60-day review.
Read that list again and notice what isn’t in it: anything about Revision 3. The suspension changed who assesses you and when. It did not change what you’re assessed against.
Is NIST 800-171 Rev 2 obsolete because NIST withdrew it?
No. NIST marks Revision 2 as withdrawn and superseded in its own publication catalog, but that is a publishing status, not a contractual one. The CMMC Program Rule incorporates a specific dated edition of Revision 2 by reference, which fixes that text into the regulation until the agency amends the rule through formal rulemaking. A publisher retiring a document does not amend a federal regulation.
If you take one concept from this page, make it this one. It’s the piece that stops the panic — and the piece that keeps you from spending money you don’t need to spend.
Incorporation by reference, in plain language
When a federal rule “incorporates by reference,” it pulls a specific, dated edition of an outside document into the regulation and gives it the force of the rule. That edition is pinned. It does not float forward when the publisher issues a new version.
That’s why 32 CFR § 170.14 doesn’t say “the current version of NIST SP 800-171.” It says NIST SP 800-171 R2, with the incorporation mechanics handled at § 170.2. For CMMC to move to Revision 3, the Department has to amend the rule — publish a proposal, take comments, issue a final rule. There is no back door where a NIST website update changes your obligations for you.
The DFARS 7012 version puzzle — and the deviation that resolves it
Here’s where readers who actually open their contract clause get ambushed.
As codified, DFARS 252.204-7012— the Safeguarding Covered Defense Information and Cyber Incident Reporting clause that has carried NIST 800-171 into defense contracts since 2017 — requires the version of NIST SP 800-171 in effect at the time the solicitation is issued, or as authorized by the contracting officer. For a solicitation issued after May 14, 2024 using the unmodified codified clause, that language can point to Revision 3. Which would put your DFARS clause and your CMMC assessment on two different standards.
The Department saw that coming. Twelve days before Revision 3 published, it issued Class Deviation 2024-O0013 (May 2, 2024), directing contracting officers to use an alternate 7012 clause requiring Revision 2in lieu of the codified version language. A Revision 1 of the deviation followed to update the links to NIST SP 800-171 Revision 2 and the FedRAMP Moderate baseline. The deviation carries no expiration — it remains in effect until rescinded.
So where your award includes the deviation clause, it reconciles the codified floating-version language with the Revision 2 CMMC baseline. Where it doesn’t, verify what text was actually incorporated. Asking your contracting officer which version of 7012 is in your award is a fair, professional question, and the written answer belongs in your file.
One argument you’ll hear that doesn’t hold up
You’ll find guidance asserting that federal policy expectations around adopting new NIST publications made Revision 2 “deprecated” in 2025, and that Revision 3 is therefore the standard for new contracts.
Be careful with that reasoning. Government-wide policy about how federal agencies manage their own information resources is not a term of your contract. It does not amend an incorporation by reference in 32 CFR Part 170, and it does not rewrite the clause in your award. Your obligation is what your instrument says it is. Where a commentator’s conclusion and the controlling rule text disagree, follow the rule text.
When each revision actually controls
Revision 2 controls when:
- A CMMC Level 2 requirement applies under the current Program Rule
- Your contract, subcontract, or flow-down expressly names Revision 2
- Your award includes the 7012 clause under Class Deviation 2024-O0013
- You’re completing a current CMMC Level 2 self-assessment
Revision 3 may control when:
- A contract or agreement expressly names Revision 3
- A specific agency has independently imposed it
- A modification changes the incorporated version
- You’ve chosen it voluntarily for internal modernization — clearly labeled as such
And when your contract just says “NIST SP 800-171” with no revision? Don’t guess, and don’t overwrite your current package. Request written clarification from the contracting chain, log the answer, and confirm your interpretation with an RP/RPO or federal-contracts counsel. There’s a ready-to-send request further down this page.
Can we implement Rev 3 now without damaging our CMMC work?
Yes — in parallel, not as a replacement. Current Department CMMC guidance contemplates contractors implementing Revision 3 using Department-defined organization-defined parameter values while continuing to address gaps against Revision 2, because CMMC assessments remain tied to Revision 2. The operating rule is simple: add Revision 3 as a secondary mapping and never let it overwrite the Revision 2 evidence chain that is actually being assessed.
This is the question behind the question for most readers. Leadership wants to future-proof. You want to avoid doing the work twice. Both instincts are reasonable, and they can coexist.
Three valid approaches — pick honestly
| Approach | Right when | Main risk | Who it fits |
|---|---|---|---|
| Rev 2 only | You have a near-term self-assessment, a live bid, or constrained resources | Mapping work remains later | Small suppliers working a deadline |
| Rev 2 primary + Rev 3 crosswalk | Most of the DIB, most of the time | Requires disciplined dual traceability | Contractors with 12+ months of runway |
| Rev 3 primary + Rev 2 overlay | A customer expressly requires Revision 3 and you hold a separate Revision 2 obligation | Hidden Revision 2 evidence gaps | Contractors with mixed federal customers |
What “in parallel” should mean operationally
- Many technical safeguards will be reusable across both. Your existing multifactor authentication implementation and its evidence may well carry — but check it against the applicable Revision 3 requirement text, its ODPs, and the corresponding determination statements rather than assuming equivalence.
- Your primary evidence index stays keyed to Revision 2 identifiers wherever Revision 2 is the controlling obligation.
- Revision 3 requirement IDs and ODP decisions go in as secondary fields, not replacements.
- Keep a formal delta register of what Revision 3 would add.
- Never record voluntary modernization as a completed contractual determination.
And four things not to do
- Don’t delete Revision 2 identifiers from your SSP. Those are the ones an assessor traces.
- Don’t replace Revision 2 assessment objectives with Revision 3 determination statements. Different documents, different structures, different counts.
- Don’t submit a Revision 3-based score as your current SPRS result. The Department’s Level 2 scoring methodology is built on the 110 Revision 2 requirements.
- Don’t substitute one representation for another. You can implement both revisions. What you cannot do is represent Revision 3 implementation as satisfying a Revision 2 contract, SPRS, or CMMC requirement unless the applicable authority accepts that mapping. See our coverage of CMMC enforcement and non-compliance exposure.
What actually changed between NIST 800-171 Rev 2 and Rev 3?
Revision 3 is a structural rewrite, not a renumbering. It realigns the requirements to the NIST SP 800-53 Revision 5 catalog and the SP 800-53B moderate baseline, eliminates the basic-versus-derived distinction, retires the NFO tailoring category, introduces organization-defined parameters, adds three security requirement families, and changes both how requirements are written and how they are assessed.
Here’s the side-by-side, then the part that takes actual work: NIST’s own change counts.
| Revision 2 | Revision 3 | |
|---|---|---|
| Published | February 2020; updated January 2021 | May 14, 2024 |
| NIST status today | Withdrawn / superseded | Current |
| Top-level security requirements | 110 | 97 |
| Requirement families | 14 | 17 |
| New families | — | Planning (PL), System and Services Acquisition (SA), Supply Chain Risk Management (SR) |
| Renamed family | Security Assessment | Security Assessment and Monitoring (CA) |
| Requirement structure | Basic + derived | Basic/derived distinction eliminated |
| Identifier format | 3.1.1 | 03.01.01 (leading zeros for tooling consistency) |
| Tailoring categories | CUI, NFO, NCO, FED | NFO eliminated; ORC and NA added |
| Organization-defined parameters | None | 49 requirements contain one or more |
| Source catalog | SP 800-53 Rev. 4 lineage | SP 800-53 Rev. 5 / SP 800-53B moderate baseline |
| Companion assessment guide | SP 800-171A | SP 800-171A Rev. 3 |
| Governs CMMC Level 2 today | Yes | No |
What NIST’s own transition workbook shows
NIST published a change-analysis workbook alongside Revision 3 — sp800-171r2-to-r3-analysis.xlsx, available under Supplemental Material on the Revision 3 publication page. The flag counts:
| NIST workbook flag | Count |
|---|---|
| No significant change | 18 |
| Significant change | 46 |
| Minor change | 15 |
| New requirement | 19 |
| Withdrawn requirement | 33 |
| Requirements containing one or more new ODPs | 49 |
| Total Revision 3 requirements | 97 |
Two honest readings of that table:
- The workbook flags 46 rows as significantly changed and 18 as having no significant change. Because the flags overlap, those totals shouldn’t be treated as a clean measure of how much of the standard “carried over” — but they do make one thing clear: “it’s basically the same controls with new numbers” is not what NIST’s own analysis shows.
- 33 withdrawn does not mean 33 protections disappeared. NIST’s FAQ explains that requirements were withdrawn and folded into other requirements where a direct relationship existed, producing multi-part requirements without adding to the total.
Why did 110 requirements become 97 — and does that mean less work?
Revision 3 lists 97 top-level requirements against Revision 2’s 110. That lower count reflects consolidation, restructuring, withdrawals, and additions — not the disappearance of 13 protection outcomes. NIST’s FAQ states that grouping requirements does not add to the total number of requirements, and the companion assessment guide’s determination statements increased substantially under Revision 3.
If a vendor leads with “Revision 3 is 13 fewer controls,” they’ve selected the one number that makes Revision 3 sound smaller.
The count reconciliation table
Several different numbers circulate for this standard, and published pages contradict each other constantly. Here’s what each one counts — and which one your score depends on.
| Number | What it actually counts | Affects your SPRS score? |
|---|---|---|
| 110 | Revision 2 security requirements | Yes — this is the one |
| 14 | Revision 2 requirement families | Structure only |
| 97 | Revision 3 active top-level requirements | No |
| 17 | Revision 3 requirement families | No |
| 130 / 33 | Rows in NIST’s transition workbook / of those, marked withdrawn — leaving 97 active | No |
| 49 | Revision 3 requirements containing one or more new ODPs | No |
| 88 | ODP determination statements in SP 800-171A Rev. 3 | No |
| 422 | Non-ODP determination statements in SP 800-171A Rev. 3 | No |
| 510 | Total Revision 3 determination statements (422 + 88) | No |
| 320 | Assessment objectives used to evaluate the 110 current Level 2 requirements | The reported score comes from the weighted 110-requirement methodology, not from the objective count |
Count hygiene: never publish a number without its unit
This is the discipline that separates a usable comparison from noise. Before you repeat any figure from this standard — in a board deck, a vendor evaluation, or a proposal — say what it counts:
Both “49” and “88” are in circulation for ODPs, and they’re usable only with their units attached: 49 Revision 3 requirements contain one or more ODPs, while SP 800-171A Revision 3 contains 88 ODP determination statements. “Revision 3 has 49 ODPs” uses the wrong unit. Get it backwards in a project plan and you will materially undercount the determination statements your team has to work through.
How the counts were produced, so you can check them
Revision 3 assessment counts come from the final May 2024 SP 800-171A Rev. 3 publication — not a draft. The method: start at the first assessment identifier, extract every unique identifier, classify those containing .ODP[ as ODP determinations, and strip each to its requirement base to confirm 97 unique requirements. Result: 97 requirement bases, 422 non-ODP determinations, 88 ODP determinations, 510 total.
For Revision 2, the current CMMC Level 2 Assessment Guide contains 320 assessment objectives across 110 requirements. NIST’s supplemental spreadsheet represents these as 297 separately lettered objective rows plus 23 single-objective requirements where the determination sits on the requirement row rather than a separate [a] row. 297 + 23 = 320. Count only the lettered rows and you land 23 short — a common and consequential slip.
How many ODPs are in Revision 3, and who sets the values?
Organization-defined parameters are the variable values inside a Revision 3 requirement — lockout thresholds, review frequencies, retention periods. Revision 2 has no ODP construct. NIST’s transition workbook identifies 49 Revision 3 requirements containing one or more new ODPs, and SP 800-171A Revision 3 expresses them as 88 separate ODP determination statements. A federal agency may set the values; where none does, NIST states the nonfederal organization must assign them.
That last sentence is the operational one. Under Revision 2, you pick your lockout threshold and defend it. Under Revision 3, somebody may hand it to you — and then it’s assessable as part of the requirement.
What the Department’s ODP memorandum does
The Department published Revision 3 ODP values in an April 2025 memorandum, with the values in Attachment A. Two details worth knowing:
- The memorandum states the values were developed with input from Department offices, other government agencies, and subject matter experts from University-Affiliated Research Centers and Federally Funded Research and Development Centers, with industry input included where appropriate.
- In four instances, the memorandum expresses the ODP as guidance rather than a fixed value. So “every blank is filled in” isn’t quite right.
What the memorandum is: a published set of Department expectations, issued in preparation for possible Revision 3 implementation. What it is not: an amendment to the CMMC Program Rule. It does not make Revision 3 your current baseline. (DCR inference: publishing parameter values is a planning signal that the Department has prepared for a possible transition. It is not a commitment to a date or a final transition method.)
What the proposed FAR rule would do differently
Under the June 23, 2026 proposed rule, the mechanism changes again. The new Standard Form that agencies would complete for each covered CUI contract was updated to identify the applicable organization-defined parameters for NIST 800-171 Revision 3. Translation: the contract paperwork would carry your parameters.
What do the three new Revision 3 families actually require?
Revision 3 adds Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) to stay consistent with the SP 800-53B moderate baseline. It also eliminates the NFO tailoring category and adds Other Related Control (ORC) and Not Applicable (NA). Supply Chain Risk Management is a genuinely new family with no Revision 2 predecessor.
Planning (PL)
Policies and procedures, the System Security Plan, and rules of behavior — formalized as explicit requirements.
System and Services Acquisition (SA)
Security engineering principles, unsupported system components, external system services, and the responsibility split between you and your providers. If you use a managed service provider or a cloud service for CUI, this family formalizes conversations you should already be having about who does what.
Supply Chain Risk Management (SR)
A supply chain risk management plan, acquisition strategies and tools, and controls to identify supply chain weaknesses. DCR editorial judgment:for most small contractors this is the heaviest genuinely new lift, because it’s a process with evidence — vendor assessments, documented decisions, a maintained plan — rather than a control you can configure or a license you can buy.
NFO removal, and what ORC and NA mean
Revision 2 tagged a set of source controls as NFO— expected to be routinely satisfied by nonfederal organizations without being called out individually. NIST’s own FAQ explains why that changed: feedback indicated that certain NFO controls, including foundational ones such as the policy-and-procedures control in each family, were not being implemented or assessed in nonfederal organizations.
Revision 3 eliminates the NFO category. Be precise about where those controls went: NIST’s FAQ states the elimination produced an increase in the NCO, FED, and CUI categories— not a wholesale conversion of every NFO control into a CUI requirement. You will see the “all 61 NFO controls became CUI requirements” claim in circulation. NIST’s own language doesn’t support it.
ORC (Other Related Control) flags a control whose protection capability is already provided by another control. NA (Not Applicable)was added for completeness in the tailoring analysis, covering the Program Management and PII Processing and Transparency families, which aren’t allocated to any SP 800-53B baseline.
One caution: these are NIST’s tailoring decisions about source controls. They are not permission for a contractor to unilaterally declare a top-level requirement inapplicable.
How do Revision 2 requirements map to Revision 3?
Requirements do not move one-to-one. NIST’s transition workbook shows five distinct relationships: direct carryover, carryover with expanded detail, consolidation into another requirement, division across several requirements, and new requirements with no Revision 2 predecessor. A technical crosswalk tells you where a safeguard went; it cannot tell you which revision your contract incorporated.
The five mapping patterns, with worked examples
Use this to recognize what you’re looking at when you open NIST’s workbook. Row-level requirement identifiers should always be taken from the official workbook rather than from any secondary source, including this one.
| Pattern | What happens | Worked example | What it does to your evidence |
|---|---|---|---|
| Direct carryover | Same outcome, refreshed wording | Most access control and identification requirements | Evidence usually holds; identifier changes format |
| Carryover with expanded detail | Same topic, more specificity, often a new ODP | Requirements now carrying a parameter value | Evidence needs a second look against the ODP |
| Consolidated | Several Revision 2 requirements absorbed into one multi-part Revision 3 requirement | NIST withdrew 33 requirements, many folded into related ones | One new identifier now traces to several old ones |
| Split or relocated | One requirement’s content distributed or moved to a different family | SSP moves from Security Assessment (3.12.4) into the new Planning family | This is where evidence indexes break |
| New | No Revision 2 predecessor | The entire Supply Chain Risk Management family — Revision 2 has no SR family | New artifacts required; nothing to map from |
Two structural changes affect every row: the identifier format shifts from 3.1.1 to 03.01.01, and the basic/derived distinction disappears. Neither changes a security outcome. Both break string matching in documentation and tooling, which is exactly why a bulk find-and-replace across your SSP is a bad idea.
What a usable crosswalk has to include
A two-column old-ID/new-ID table is not a plan. A crosswalk you can actually work from carries:
Build it from NIST’s official change-analysis workbook, not from a vendor’s reconstruction. The workbook is free, authoritative, and already has the mapping columns.
Why a crosswalk can never answer the contract question
This boundary gets crossed constantly, usually by well-meaning people:
- Technical equivalence is not incorporation. A safeguard can map perfectly while the identifier in your evidence index is still wrong for the assessment you’re facing.
- A mapping document has no contractual authority. Only the instrument does.
- Control mapping and contract interpretation are different jobs, and usually different people.
What if we hold work across multiple federal agencies?
Then you have a second variable to track. On June 23, 2026, the FAR Council published a proposed rule at 91 FR 37550 (FAR Case 2026-001) that would establish a governmentwide FAR mechanism requiring contractor systems handling CUI to meet NIST SP 800-171 Revision 3, through a new clause at FAR 52.240-7 and a contract-specific Standard Form. The proposal is governmentwide, including covered Department contracts. Comments closed July 23, 2026.
What it would do, per the Federal Register text:
- Create a uniform governmentwide FAR mechanism for safeguarding CUI in contractor information systems, including civilian-agency acquisitions, and reaching many commercial-item contracts
- Require NIST SP 800-171 Revision 3 for contractor information systems that handle CUI
- Require reporting of CUI incidents within 72 hours of discovery, with Department reporting routed through DIBNet and non-Department reporting through CISA
- Identify the CUI involved in each contract on a new Standard Form, which also carries the applicable Revision 3 ODP values
- Require flow-down of security and incident-notification requirements to subcontractors receiving CUI
- Not create a CMMC-style third-party certification requirement — the proposal states that normal contract-administration procedures are sufficient to validate compliance
It carries forward and revises the CUI work previously proposed in FAR Case 2017-016 (90 FR 4278, January 2025) after consideration of comments on that proposal. If your team analyzed the earlier proposal, that analysis needs a refresh.
The unresolved part, stated plainly:
Current Department CMMC and deviation authorities point to Revision 2. This proposed FAR clause would point to Revision 3 and would reach covered Department contracts. How those authorities get harmonized — if the rule is finalized — has not been resolved publicly. That is not a reason to change anything today. It is a reason to know where your instruments sit.
Who could be affected, and what to do now
| Your situation | Baseline today | If the rule is finalized as proposed | Where this leaves you |
|---|---|---|---|
| Department only, FCI only | FAR 52.204-21 — the 15 basic safeguards | The CUI clause turns on CUI, not FCI | No transition action; hold your Level 1 baseline |
| Department only, CUI | Revision 2 under current CMMC and deviation authorities | Recheck the interaction with any final FAR 52.240-7 text and the Department deviation | No transition action today; preserve the Revision 2 evidence baseline and watch the docket |
| Civilian agency, CUI | Whatever your agency has independently imposed | Revision 3 under the new FAR clause | Read the rule; consider commenting |
| Multiple agencies, CUI | Revision 2 for CMMC Level 2 work; agency-specific elsewhere | Potential overlapping baselines pending harmonization | Model the delta; comment |
| Subcontractor receiving CUI | Whatever flows down in writing | Flow-down of Revision 3 security and reporting terms | Get the flow-down in writing |
| Prime questionnaire says Rev 3, flow-down says Rev 2 | Revision 2 — the incorporated requirement governs | Depends on the finalized rule | Answer the questionnaire separately; label that evidence separately |
What should a defense contractor implement right now?
For current CMMC Level 2 work, implement and evidence Revision 2 — that is what gets assessed and scored. In parallel, do the Revision 3 work that also strengthens a Revision 2 assessment: real policies and procedures, documented parameter values, supply chain risk documentation, and a tighter system boundary narrative. Do not renumber your SSP, do not rescore against 97 requirements, and do not buy a Revision 3 engagement sold as a current requirement.
The table below separates what the rules actually require from what we recommend. That distinction matters more than any single recommendation.
| Action | Required now by current authority | Permitted now for future-readiness | DCR recommendation |
|---|---|---|---|
| Implement and evidence all 110 Revision 2 requirements (Level 2 scope) | Yes | — | Do it first, finish it, freeze it |
| Maintain a current SSP | Yes (Rev 2 § 3.12.4; § 170.24) | — | Non-negotiable |
| Write real policies and procedures for every family | Expected within your Revision 2 program | Aligns with Revision 3’s Planning family | Do it now — it improves both baselines |
| Document every parameter value, with owner and approval date | Not as an ODP construct | Yes — the basis of Revision 3 ODP governance | Do it now; low cost, high carryover |
| Build vendor and supply chain risk documentation | No | Yes | Start now if you have runway |
| Implement Revision 3 requirements using Department ODP values | No | Yes, alongside Revision 2 | Optional; sequence it after Revision 2 is stable |
| Renumber your SSP to 03.01.01 identifiers | No | Not advisable | Don’t — your assessment and SPRS record key to Revision 2 IDs |
| Score yourself against 97 requirements | No | Not advisable | Don’t — Level 2 scoring is built on the 110 |
| Delete documentation because “NFO is gone in Rev 3” | No | Not advisable | Don’t — those expectations live in your Revision 2 assessment |
| Purchase a “Revision 3 migration” | No | Only as clearly scoped future-readiness | Never buy it on the claim that Revision 3 is currently required for CMMC |
If leadership wants to future-proof, do it in this order
- Finish the Revision 2 evidence baseline.
- Freeze stable identifiers and version the package.
- Import NIST’s official mapping workbook.
- Apply Department ODP values where relevant.
- Record Revision 3 deltas in a separate register.
- Prioritize changes that improve both baselines.
- Keep modernization status visibly separate from contract-compliance status.
The one thing we’ll admit is genuinely annoying about our own advice
Dual traceability is a hassle.Keeping Revision 2 identifiers as your primary index while carrying Revision 3 mappings alongside means duplicate fields, two registers, and a discipline your team actually has to maintain. Nobody enjoys it. There is no clean single-migration moment available right now, and we’re not going to pretend otherwise.
Here’s why we’d still make the same call with our own money: the duplication is dramatically cheaper than the alternative.Rebuilding an evidence package around Revision 3, then discovering that your assessment, your SPRS score, your solicitation, or your prime’s flow-down still expects Revision 2 identifiers, is a full re-do — the SSP, the evidence index, the POA&M mapping, and the assessor walkthrough. The dual-track approach costs you spreadsheet columns. The clean-migration approach can cost you an assessment cycle.
How should you update your SSP, POA&M, policies, and evidence library?
Keep Revision 2 identifiers as the primary index in your System Security Plan, Plan of Action and Milestones, assessment record, and evidence library, then add Revision 3 cross-reference and ODP fields alongside them. Do not delete Revision 2 artifacts or convert the primary package to Revision 3 identifiers while Revision 2 remains the governing CMMC Level 2 baseline.
The Keep / Map / Add / Monitor framework
Run every artifact you own through four statuses. It turns an abstract “transition” into a finite list of tasks your team can actually close.
| Status | Meaning | Typical example |
|---|---|---|
| Keep | Existing Revision 2 evidence remains directly useful | MFA configuration records, audit log samples |
| Map | The safeguard exists; identifiers or references need cross-mapping | Policy documents citing 3.x.x identifiers |
| Add | Revision 3 introduces a new or materially broader obligation | Supply chain risk management plan |
| Monitor | No obligation to change today, but a rule or contract event could alter it | Anything driven by the FAR CUI rule outcome |
System Security Plan
Add these fields rather than rewriting the document: governing revision · secondary mapped revision · applicability source (the clause or instrument) · Revision 2 requirement · Revision 3 requirement · ODP values · revision history · change trigger.
POA&M
Keep each open deficiency tied to the currently applicablerequirement, and add future-state mapping as a secondary field. Two traps: don’t close a Revision 2 gap merely because the wording softened in Revision 3, and don’t assume Revision 3 POA&M eligibility rules will match today’s. Under 32 CFR § 170.21, the current rules are specific about which requirements can be deferred at all — and a future rule may draw those lines differently.
Policies and procedures
Stop hard-coding a single identifier into policy prose. Move control references into an appendix table you can reversion without touching the policy body. Add ODP governance: who owns each value, its source, who approved it, effective date, and change history.
Evidence library
Index along this path so a version change doesn’t orphan your proof:
GRC platform configuration — ask these before your next vendor call
If you use a governance, risk, and compliance (GRC) platform, settle these before anyone touches a framework setting:
- Can the platform hold two framework versions simultaneously, with one evidence artifact mapped to both?
- Will an automatic framework update overwrite your current baseline mappings?
- Can you export a versioned snapshot before any mapping change?
- Are custom ODP fields supported, or will you end up tracking them in a spreadsheet anyway?
A GRC platform manages evidence. It does not, by itself, satisfy CMMC. Any vendor who tells you otherwise is selling, not advising.
What happens to SPRS scores and CMMC assessments during the suspension?
Department baseline compliance continues through CMMC Level 1 self-assessments against the 15 basic safeguards in FAR 52.204-21 and CMMC Level 2 self-assessments aligned to NIST SP 800-171 Revision 2, plus select government-led assessments. Level 1 results and affirmations are entered in the Supplier Performance Risk System as a compliance result; Level 2 uses the 110-requirement weighted scoring methodology and reports an overall score in SPRS. DFARS 252.204-7012 remains in effect throughout.
Did the suspension remove the safeguarding requirements? No. The implementing memorandum states that the DFARS 252.204-7012 cybersecurity requirements remain in effect and that Level 1 and Level 2 self-assessments continue. During the suspension, Level 1 (Self) and Level 2 (Self) are the only contractor assessment designations permitted in new procurement requests, while select government-led assessments may continue. DCR editorial conclusion: with third-party assessment designations paused, the accuracy of what you self-report carries more consequence, not less. This is not the moment to let implementation drift.
Did the suspension make Revision 3 the scoring baseline? No. The same memorandum describes CMMC Level 2 as aligned with NIST SP 800-171 Revision 2. Nothing in the suspension substituted a new standard.
What about our existing contract with Level 2 (C3PAO) language?Read your instrument, not the press release. The memorandum directs contracting officers to remove those requirements by amendment or modification — but a directive to a contracting officer is not the same as a modification in your file. Get the paper. Until you have it, your contract says what it says.
What happens after the 60-day review?Unknown, and we won’t guess. Neither the announcement nor the memorandum sets an automatic resumption date. Anyone publishing a countdown to a restart is inventing it. We’ll update this page when an official memorandum, rulemaking action, deviation, FAQ revision, or solicitation instruction appears. For scoring mechanics, see our SPRS score guide. For assessment mechanics, see our CMMC Level 2 assessment guide.
How do you verify which revision your contract actually requires?
Start with the solicitation, contract, modifications, applicable clauses, and prime flow-down — not the NIST publication page. Where the language is unclear or omits a revision, request written clarification from the contracting chain and confirm your interpretation with a CMMC Registered Practitioner or a qualified federal-contracts attorney before replacing your primary evidence baseline.
The seven-step applicability review
- Identify the agency or prime customer for each instrument.
- Identify the contract, task order, delivery order, or subcontract.
- Locate every CUI, safeguarding, SPRS, and CMMC clause in it.
- Record the revision expressly named — or note that none is.
- Check modifications, deviations, and amendments. Effective February 1, 2026, Class Deviation 2026-O0025 directs Department contracting officers to use revised FAR Part 40 and DFARS Part 240 text in lieu of codified text for covered new or modified instruments. Under that deviation, the assessment clause appears at DFARS 252.240-7997 rather than codified 252.204-7020, and basic safeguarding appears at FAR 52.240-93 rather than 52.204-21, while 252.204-7012 and 252.204-7021 keep their numbers. The codified regulations still carry the original numbers, so both sets are circulating. Verify what your instrument actually incorporates. (DoD FAR/DFARS overhaul class deviations)
- Compare the prime’s flow-down language against the prime contract requirement.
- Get written clarification wherever terms conflict or omit the revision.
Copy this. Send it today.
Subject: Clarification requested — NIST SP 800-171 revision applicable to [instrument number]
We are confirming the cybersecurity baseline incorporated into [solicitation / contract / subcontract identifier]. The instrument references NIST SP 800-171 but [does not identify a revision / conflicts with another referenced document]. Please confirm in writing which revision of NIST SP 800-171 and which associated assessment methodology apply to the information systems used in performance of this work, and whether DFARS 252.204-7012 is included under Class Deviation 2024-O0013.
We are not transmitting CUI or sensitive system documentation with this request.
That last line matters. Keep clarification requests clean of anything sensitive.
What to log in your contract applicability ledger
When to involve counsel
Conflicting flow-downs. Ambiguous “latest revision” language. Any eligibility or certification representation. A material bid decision. A dispute over a modification. Any situation where a written representation about your cybersecurity compliance could later be examined.
When will CMMC move to NIST 800-171 Rev 3?
No date has been announced. Moving CMMC to Revision 3 would require amending 32 CFR Part 170, rescinding or replacing Class Deviation 2024-O0013, and publishing assessment and scoring materials aligned to the new baseline. The July 13, 2026 Phase II suspension and the accompanying program review put the structure of the program itself in question before the revision question gets answered.
What would have to happen first
| Step | Why it’s required |
|---|---|
| Amend 32 CFR Part 170 | Revision 2 is incorporated by reference; only rulemaking changes it |
| Rescind or replace Class Deviation 2024-O0013 | It ties DFARS 252.204-7012 to Revision 2 until rescinded |
| Publish or designate the applicable scoring methodology | Today’s Level 2 scoring is built on the 110 Revision 2 requirements |
| Publish or designate assessment procedures for the new baseline | Assessors need Revision 3 objectives and ODP treatment |
| Publish effective dates and transition instructions | Contractors and assessors both need lead time |
The signals pointing toward a transition
The Department published Revision 3 ODP values in April 2025. NIST finalized SP 800-172 Revision 3 in May 2026. And the FAR Council has proposed Revision 3 governmentwide.
The signal cutting the other way
A comprehensive program review is underway with no announced outcome. Until it concludes and produces guidance, the honest answer is that nobody outside the Department knows the sequence.
What to watch, in order of authority: the Federal Register, the Department CIO CMMC page, the DoD class deviations listing, and NIST CSRC.
Which provider category helps with a Rev 2 to Rev 3 transition?
Most contractors researching this comparison need contract clarity, readiness work, or evidence mapping — not a formal assessment. Depending on the gap, the right category is typically an RPO/RP, a CMMC-focused MSP or MSSP, a GRC platform, or a CUI enclave specialist. A C3PAO belongs in the formal assessment lane, with independence preserved between readiness work and certification.
We’re not naming providers on this page. This is a version-comparison question, and inserting vendor names here would serve us, not you. What we can do is tell you which categorysolves which problem — and what each one can’t do.
| Your unresolved problem | Category to investigate first | What that category can’t do | Verify before you hire |
|---|---|---|---|
| Determining what your contract incorporated | Your contracting chain, and a qualified federal-contracts attorney where terms conflict | A consultant can’t override the instrument | Relevant DIB and cybersecurity clause experience |
| Readiness, scoping, and requirement mapping once the revision is identified | RPO / RP (Registered Provider Organization / Registered Practitioner) | Cannot certify you | Current Cyber AB status, scoping method, deliverables, independence boundaries |
| Technical implementation, monitoring, identity, logging, incident response | CMMC-focused MSP or MSSP (Managed Security Service Provider) | Cannot assume your compliance accountability | CUI handling experience, the evidence they produce, responsibility matrix, subcontractor use |
| Evidence mapping and workflow across two revisions | GRC platform | Cannot prove controls are actually implemented | Dual-version support, ODP fields, versioned exports, assessor-ready output |
| Shrinking scope by containing CUI | CUI enclave specialist | Cannot erase scope you haven’t actually moved | Real data flows, external service responsibilities, inheritance, operational fit |
| Formal Level 2 certification assessment | C3PAO (Certified Third-Party Assessment Organization) | Cannot remediate the environment it assesses | Current authorization in the Cyber AB Marketplace, scope, availability, conflict checks |
The CMMC Path Frameworkmaps a contractor’s required level, FCI/CUI handling, assessment type, IT and cloud environment, and contract timeline to a provider category. It routes to a category, not a named provider. It is not a score, a ranking, a compliance determination, or a substitute for legal advice.
For side-by-side category detail, see our CMMC provider categories comparison. For what this work typically costs by level and company size, see our CMMC Level 2 cost guide.
Which Rev 2 to Rev 3 mistakes create the most rework?
The costliest mistakes in this transition are sequence and unit errors: treating Revision 3 as the current CMMC baseline, assuming 97 requirements means less work, confusing ODP counting units, deleting Revision 2 traceability, and using a technical crosswalk as contract interpretation. Each one can leave an organization with a genuinely stronger security posture and the wrong assessment package.
| Mistake | Why it happens | What it costs | The correction | Grounded in |
|---|---|---|---|---|
| Replacing Revision 2 with Revision 3 for CMMC | NIST labels Revision 3 current | Missing Revision 2 evidence and objectives at assessment | Keep Revision 2 primary; map Revision 3 separately | 32 CFR § 170.14 |
| Assuming 97 is easier than 110 | The top-level count looks smaller | Underbudgeted implementation | Compare determination statements and evidence, not requirement counts | NIST FAQ; SP 800-171A Rev. 3 |
| Saying “Rev 3 has 49 ODPs” without a unit | Confuses requirements with determinations | Undercounted governance work | 49 ODP-bearing requirements; 88 ODP determinations | NIST workbook; SP 800-171A Rev. 3 |
| Calling 422 the total Revision 3 assessment count | Omits the 88 ODP determinations | Incomplete work estimate | 510 total | SP 800-171A Rev. 3 |
| Treating Level 1 as a Revision 2 obligation | “CMMC” gets used as one thing | Wrong scope, wrong evidence, wasted spend | Level 1 is the 15 FAR 52.204-21 safeguards | 32 CFR § 170.14(a)(1) |
| Deleting old SSP references | Migration treated as replacement | Broken assessment traceability | Version and preserve | 32 CFR § 170.24 |
| Treating a crosswalk as a legal answer | A technical map looks authoritative | Wrong contractual representation | Verify the incorporated clause language | DFARS 252.204-7012 |
| Reading only the suspension headline | “CMMC is paused” is easier to remember | Stalled implementation, stale SPRS score | Read the implementing memorandum; 7012 still applies | Suspension memo, Attachment 1 |
| Hiring an assessor to do remediation | Confuses readiness with assessment | Conflict issues and a costly handoff | Keep readiness and formal assessment separate | 32 CFR § 170.8(b)(17)(ii)(G) |
What The Defense Compliance Report verified for this page
We read the final NIST publication records, NIST’s Revision 2 to Revision 3 transition workbook, the final SP 800-171A Revision 3 assessment publication, the current text of 32 CFR Part 170, the current CMMC Level 2 Assessment Guide, the Department’s April 2025 ODP memorandum, Class Deviation 2024-O0013, and the July 13, 2026 CMMC Phase II suspension materials. Counts on this page were produced from those official files using the method published above, so any reader can reproduce them.
What we read, and what each source supports
| Source | What it supports |
|---|---|
| eCFR 32 CFR § 170.14 and § 170.2 | Revision 2 incorporated by reference; Level 2 identical to Revision 2; Level 1 from FAR 52.204-21; Level 3’s 24 selected SP 800-172 (February 2021) requirements |
| 32 CFR § 170.8(b)(17)(ii)(G) | The three-year consulting conflict prohibition for Level 2 certification assessments |
| 32 CFR § 170.21 and § 170.24 | POA&M limits; consequence of a missing current SSP |
| Class Deviation 2024-O0013 (and Revision 1) | DFARS 252.204-7012 tied to Revision 2; in effect until rescinded |
| DoD FAR/DFARS overhaul class deviations | Class Deviation 2026-O0025 and the February 1, 2026 clause changes |
| Implementing Suspension of CMMC Phase II, Attachment 1 | Level 1 and Level 2 self-assessment continuation; Level 2 aligned to Revision 2; only Level 1 (Self) and Level 2 (Self) designations; 7012 remains; no waivers |
| NIST CSRC — SP 800-171 Rev. 2 and Rev. 3 | Withdrawal date; publication date; 17 families; supplemental materials; requirement 3.12.4 |
| NIST FAQ — SP 800-171r3 / 171Ar3 | Basic/derived elimination; NFO removal and redistribution; ORC and NA; ODP responsibility; three new families |
| NIST transition workbook (sp800-171r2-to-r3-analysis.xlsx) | The 18 / 46 / 15 / 19 / 33 / 49 change flags |
| NIST SP 800-171A Rev. 3 | 97 requirement bases; 422 non-ODP and 88 ODP determinations; 510 total |
| CMMC Level 2 Assessment Guide | 320 assessment objectives across 110 requirements |
| DoD ODP memorandum | Department Revision 3 ODP values; four expressed as guidance rather than a value |
| Federal Register — FAR Case 2026-001, 91 FR 37550 | Governmentwide scope; Revision 3 baseline; FAR 52.240-7; Standard Form and ODPs; 72-hour reporting; July 23 comment deadline |
What we could not verify, and what we’re not claiming
- We cannot tell you what your contract incorporated. Only your instrument and your contracting chain can.
- Future Revision 3 CMMC scoring rules, POA&M eligibility, and transition timing are unknown until officially issued.
- The proposed FAR CUI rule is a proposal. It may change materially before it is final, or not be finalized at all. How it would interact with current Department Revision 2 authorities is unresolved.
- Department policy is under active review as we publish.
- Our provider-category guidance and the recommendation columns above are DCR editorial judgment derived from the verified facts on this page — not regulatory requirements and not a Cyber AB endorsement.
- We are not offering a semantic impact rating for all 97 requirements. That’s an engagement, not an article.
Who made this, how, and why
Who: The Defense Compliance Report Editorial Team.
How:We compared the final NIST Revision 2 and Revision 3 publications and their companion assessment materials, worked from NIST’s transition workbook, read the current text of 32 CFR Part 170, the Department’s ODP guidance, the class deviations, and the July 2026 suspension materials — then documented the counting method so the totals can be independently reproduced.
Why: Contractors are being asked to reconcile a current NIST publication with a different incorporated CMMC baseline, often by people with something to sell. This page separates those layers and turns the distinction into an operational plan.
NIST 800-171 Rev 2 vs Rev 3: frequently asked questions
- Does NIST 800-171 Rev 3 replace Rev 2 for CMMC?
- No. Revision 3 supersedes Revision 2 in NIST’s publication catalog, but CMMC Level 2 remains tied to Revision 2 under 32 CFR § 170.14, which incorporates Revision 2 by reference. Moving CMMC to Revision 3 requires the Department to amend the rule through formal rulemaking.
- Is NIST 800-171 Rev 2 still valid in 2026?
- Yes. Revision 2 remains the current CMMC Level 2 baseline and applies to instruments incorporating the Revision 2 deviation clause under Class Deviation 2024-O0013. Verify the actual DFARS 252.204-7012 text incorporated into your solicitation or award, since the codified clause and the deviation clause read differently.
- Does CMMC Level 1 use NIST SP 800-171 Revision 2?
- No. CMMC Level 1 is based on the 15 basic safeguarding requirements in FAR 52.204-21(b)(1) for Federal Contract Information. NIST SP 800-171 Revision 2 and its 110 requirements are the CMMC Level 2 baseline.
- Can I implement Rev 3 before CMMC adopts it?
- Yes, in parallel. Implement Revision 3 using the Department’s published organization-defined parameter values while continuing to close any Revision 2 gaps, and keep your primary evidence index on Revision 2 identifiers. Voluntary modernization should never be recorded as a completed contractual determination.
- Does Rev 3 have fewer controls than Rev 2?
- It has fewer top-level requirements — 97 versus 110 — but that count alone does not establish lower implementation or assessment effort. The reduction reflects consolidation, restructuring, withdrawals, and additions, and the companion assessment guide grew from 320 assessment objectives under the current Level 2 baseline to 510 total determination statements under Revision 3.
- Does Rev 3 have 49 ODPs or 88?
- Both figures are correct for different units. NIST’s transition workbook identifies 49 Revision 3 requirements containing one or more new organization-defined parameters, and SP 800-171A Revision 3 expresses those parameters as 88 separate ODP determination statements.
- Are there 422 or 510 assessment statements in Rev 3?
- There are 422 non-ODP determination statements plus 88 ODP determination statements, for 510 total. Citing 422 as the total omits the ODP determinations and understates the assessment work.
- Do I have to rewrite my SSP for Rev 3?
- Not because Revision 3 exists. Keep the currently applicable System Security Plan indexed to Revision 2 requirement identifiers and add versioned Revision 3 cross-reference fields alongside them rather than overwriting existing traceability.
- Should my SPRS score use Rev 2 or Rev 3?
- Revision 2. The Department’s Level 2 scoring methodology and the current CMMC Level 2 baseline are both built on the 110 Revision 2 requirements. Verify your specific solicitation or contract requirement before submitting any representation. See our SPRS score guide.
- Did the July 2026 CMMC suspension eliminate the program?
- No. The Department suspended Phase II and subsequent implementation milestones on July 13, 2026. Level 1 and Level 2 self-assessment requirements continue, and DFARS 252.204-7012 cybersecurity requirements remain in effect.
- Would FAR Case 2026-001 apply to Department contracts?
- As proposed, yes. The proposed FAR framework is governmentwide, and the rule distinguishes Department incident reporting through DIBNet from non-Department reporting through CISA. How it would interact with current Department Revision 2 authorities would have to be resolved.
- Does the proposed FAR CUI rule require NIST 800-171 Rev 3?
- As proposed, yes. FAR Case 2026-001, published June 23, 2026 at 91 FR 37550, would require contractor information systems handling CUI to meet NIST SP 800-171 Revision 3 under a new clause at FAR 52.240-7. It is a proposed rule; the comment period closed July 23, 2026.
- Is there an official Rev 2 to Rev 3 crosswalk?
- Yes. NIST publishes a change-analysis workbook and a CUI overlay under Supplemental Material on the SP 800-171 Revision 3 publication page at NIST CSRC. Use the official workbook rather than a vendor-reconstructed mapping.
- What if my prime asks for Rev 3 but our flow-down says Rev 2?
- Treat them as two separate requests. The incorporated flow-down language governs your contractual obligation; a customer questionnaire does not silently rewrite it. Answer the questionnaire if commercially necessary, label that evidence separately, and request written clarification from the prime.
- When will CMMC move to Rev 3?
- No date has been announced. The Department has indicated it intends to incorporate Revision 3 through future rulemaking, and a program review is underway following the July 13, 2026 Phase II suspension. Treat any published transition date as speculation until an official rule or memorandum sets one.
Your next step
You don’t need to memorize two versions of a security standard. You need three things: which revision your contract points at, what your evidence should be indexed to, and what kind of help closes the gap you actually have. The first two are now settled. The third takes about two minutes.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Related research
- NIST 800-171 requirements checklist — all 110 Revision 2 requirements with evidence tracking
- NIST 800-171A assessment objectives — the 320 objectives assessors actually test
- CMMC Level 3 requirements — the 24 SP 800-172 controls and DIBCAC assessment path
- CMMC Level 1 vs Level 2 vs Level 3 — which level your contract requires
- CMMC Level 2 assessment guide — what happens during an assessment
- CMMC self-assessment vs C3PAO assessment — which path your contract requires
- CMMC Program Rule vs acquisition rule — 32 CFR Part 170 and the DFARS rule, explained
- SPRS score guide — how to calculate and submit your score
- CMMC Level 2 cost guide — what this work costs by level and company size
- CMMC provider categories — C3PAO, RPO, MSSP, GRC platform, and CUI enclave compared