The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Fundamentals & NIST 800-171

NIST 800-171 Rev 2 vs Rev 3: Which Revision Applies to CMMC in 2026?

By The Defense Compliance Report Editorial Team— an independent trade publication on CMMC 2.0 and DIB compliance.

Last reviewed: · Last verified:

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before acting.

NIST 800-171 Rev 2 vs Rev 3 comes down to one distinction. Revision 3 is NIST’s current publication, but Revision 2 remains the CMMC Level 2 baselineand the Department’s current Level 2 assessment standard in 2026. Keep your Level 2 evidence, System Security Plan, and Supplier Performance Risk System score mapped to Revision 2. You can implement Revision 3 in parallel — just don’t leave Revision 2 gaps behind while you do it.

The condition that changes this answer:your solicitation, contract, modification, or prime flow-down controls when it expressly names a revision or incorporates a specific clause version. NIST’s publication status, on its own, does not tell you what your agreement incorporated.

There’s a second question forming underneath this one, and almost nobody is tracking it yet. On June 23, 2026, the Federal Acquisition Regulatory Council proposed a governmentwiderule that would require Revision 3 on covered contracts involving Controlled Unclassified Information — including covered Department contracts — while current CMMC and DFARS deviation authorities still point to Revision 2. How those two would be harmonized is unresolved. We map who’s exposed, and what that means for your next move, in the multi-agency section below.

Answers on the first screen

NIST 800-171 Rev 2 vs Rev 3 quick answers
QuestionDirect answer
Which revision is current at NIST?Revision 3 (published May 14, 2024)
Which revision governs CMMC Level 2 today?Revision 2 — 110 requirements, 14 families
What does CMMC Level 1 use?The 15 basic safeguarding requirements in FAR 52.204-21(b)(1) — not NIST 800-171
Did NIST’s withdrawal of Rev 2 automatically change your contract?No
Can a Department contractor implement Rev 3 now?Yes, in parallel — while still closing Revision 2 gaps
Should you rewrite your SSP to Rev 3 identifiers?No
Does Rev 3 apply governmentwide today?No. A specific agency or contract may already name it. FAR Case 2026-001 would create a uniform governmentwide requirement if finalized
Is the November 10, 2026 Phase II transition still on?No. Suspended July 13, 2026

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

Who this page is for — and who should go somewhere better

Audience guidance for this page
This page is for you if…Start somewhere else if…
You’re deciding which revision should govern your SSP, evidence index, self-assessment, or SPRS score right nowYou want the full walkthrough of all 110 Rev 2 requirements → NIST 800-171 requirements checklist
A prime, consultant, auditor, or software vendor just told you something that contradicts what you builtYou need assessment-objective-level evidence depth → NIST 800-171A assessment objectives
You want to prepare for Revision 3 without breaking Revision 2 traceabilityYou haven’t confirmed whether you handle FCI or CUI yet → CMMC scoping guide
You hold or are pursuing work across multiple federal agenciesYou’re still working out which level applies at all → CMMC Level 1 vs Level 2 vs Level 3

Does CMMC use NIST 800-171 Rev 2 or Rev 3 in 2026?

CMMC Level 2 uses NIST SP 800-171 Revision 2. Section 170.14 of the CMMC Program Rule incorporates Revision 2 by reference and states that the Level 2 security requirements are identical to it. NIST’s publication of Revision 3 in May 2024 did not automatically rewrite that incorporated baseline; changing it requires rulemaking by the Department.

We understand why this feels unstable. Four separate instruments have to agree before you can trust an answer like that, and most articles cite one of them and move on. So we read all four and put them in a single table.

The Revision Authority Map

Every instrument that can obligate you to a revision, what it points at, when it applies to you, and when we last checked it.

Revision authority map — what each instrument requires
AuthorityPoints toWhat it saysWhen it applies to youSource · verified July 18, 2026
NIST (the publisher)Rev 3Revision 2 is marked withdrawn and superseded by Revision 3 as of May 14, 2024Always relevant as context — never, by itself, as an obligationNIST CSRC — SP 800-171 Rev. 2
32 CFR § 170.14 — CMMC Program RuleRev 2The CMMC Model incorporates NIST SP 800-171 R2 by reference; Level 2 requirements are identical to Revision 2Whenever a CMMC Level 2 requirement applies to your contracteCFR § 170.14
DFARS 252.204-7012 as codifiedDepends on solicitation dateRequires the version of NIST SP 800-171 “in effect at the time the solicitation is issued, or as authorized by the Contracting Officer”When your award contains the unmodified codified clauseAcquisition.gov — 252.204-7012
DFARS 252.204-7012 under Class Deviation 2024-O0013Rev 2Directs contracting officers to use an alternate clause requiring Revision 2 instead of the version in effect at solicitation; “remains in effect until rescinded”When your award incorporates the deviation clause — check the textClass Deviation 2024-O0013
CMMC Phase II suspension memo, Attachment 1Rev 2 (Level 2)Level 1 self-assessments continue against the FAR basic safeguards; CMMC Level 2 is aligned with NIST SP 800-171 Revision 2Any Department procurement request or contract action during the suspensionImplementing Suspension of CMMC Phase II
Department ODP memorandum, April 2025Rev 3 (preparatory)Establishes Department-defined values for Revision 3 organization-defined parameters, in preparation for possible implementationOnly if you choose to implement Revision 3 in parallel todayDoD ODPs for NIST SP 800-171 Rev. 3
Proposed governmentwide FAR CUI ruleRev 3Would require contractor systems handling CUI to meet NIST SP 800-171 Revision 3 under a new clause at FAR 52.240-7Not yet — proposed only. Comments closed July 23, 2026FAR Case 2026-001, 91 FR 37550

The one-line takeaway: a NIST publication becomes your obligation only when a rule or a clause points at it. Today, the CMMC rule and the 7012 deviation point at Revision 2. The FAR Council has proposed pointing at Revision 3 across the government.

The four layers most pages collapse into one

This is the frame that makes the whole thing click. Four separate questions hide inside “which revision applies,” and mixing them up is what produces expensive mistakes.

Four layers of the revision question
LayerThe questionCurrent answerWho decides
PublicationWhat does NIST currently publish?Revision 3NIST
ContractWhat did this instrument incorporate?Read the clauseYour contracting chain
ProgramWhat does CMMC Level 2 assess against?Revision 232 CFR Part 170
ModernizationWhat should we prepare for next?Revision 3You, informed by Department ODP guidance

Vendors tend to sell you layer one. Assessors test layer three. Your legal exposure lives in layer two. Keep them separate and this stops being confusing.

What the July 13, 2026 suspension did — and didn’t — change

The implementing procedures are specific, and the details matter more than the headline:

Read that list again and notice what isn’t in it: anything about Revision 3. The suspension changed who assesses you and when. It did not change what you’re assessed against.


Is NIST 800-171 Rev 2 obsolete because NIST withdrew it?

No. NIST marks Revision 2 as withdrawn and superseded in its own publication catalog, but that is a publishing status, not a contractual one. The CMMC Program Rule incorporates a specific dated edition of Revision 2 by reference, which fixes that text into the regulation until the agency amends the rule through formal rulemaking. A publisher retiring a document does not amend a federal regulation.

If you take one concept from this page, make it this one. It’s the piece that stops the panic — and the piece that keeps you from spending money you don’t need to spend.

Incorporation by reference, in plain language

When a federal rule “incorporates by reference,” it pulls a specific, dated edition of an outside document into the regulation and gives it the force of the rule. That edition is pinned. It does not float forward when the publisher issues a new version.

That’s why 32 CFR § 170.14 doesn’t say “the current version of NIST SP 800-171.” It says NIST SP 800-171 R2, with the incorporation mechanics handled at § 170.2. For CMMC to move to Revision 3, the Department has to amend the rule — publish a proposal, take comments, issue a final rule. There is no back door where a NIST website update changes your obligations for you.

The DFARS 7012 version puzzle — and the deviation that resolves it

Here’s where readers who actually open their contract clause get ambushed.

As codified, DFARS 252.204-7012— the Safeguarding Covered Defense Information and Cyber Incident Reporting clause that has carried NIST 800-171 into defense contracts since 2017 — requires the version of NIST SP 800-171 in effect at the time the solicitation is issued, or as authorized by the contracting officer. For a solicitation issued after May 14, 2024 using the unmodified codified clause, that language can point to Revision 3. Which would put your DFARS clause and your CMMC assessment on two different standards.

The Department saw that coming. Twelve days before Revision 3 published, it issued Class Deviation 2024-O0013 (May 2, 2024), directing contracting officers to use an alternate 7012 clause requiring Revision 2in lieu of the codified version language. A Revision 1 of the deviation followed to update the links to NIST SP 800-171 Revision 2 and the FedRAMP Moderate baseline. The deviation carries no expiration — it remains in effect until rescinded.

So where your award includes the deviation clause, it reconciles the codified floating-version language with the Revision 2 CMMC baseline. Where it doesn’t, verify what text was actually incorporated. Asking your contracting officer which version of 7012 is in your award is a fair, professional question, and the written answer belongs in your file.

One argument you’ll hear that doesn’t hold up

You’ll find guidance asserting that federal policy expectations around adopting new NIST publications made Revision 2 “deprecated” in 2025, and that Revision 3 is therefore the standard for new contracts.

Be careful with that reasoning. Government-wide policy about how federal agencies manage their own information resources is not a term of your contract. It does not amend an incorporation by reference in 32 CFR Part 170, and it does not rewrite the clause in your award. Your obligation is what your instrument says it is. Where a commentator’s conclusion and the controlling rule text disagree, follow the rule text.

When each revision actually controls

Revision 2 controls when:

(Level 1 is different: it’s based on the 15 basic safeguards in FAR 52.204-21(b)(1), not on NIST 800-171.)

Revision 3 may control when:

And when your contract just says “NIST SP 800-171” with no revision? Don’t guess, and don’t overwrite your current package. Request written clarification from the contracting chain, log the answer, and confirm your interpretation with an RP/RPO or federal-contracts counsel. There’s a ready-to-send request further down this page.


Can we implement Rev 3 now without damaging our CMMC work?

Yes — in parallel, not as a replacement. Current Department CMMC guidance contemplates contractors implementing Revision 3 using Department-defined organization-defined parameter values while continuing to address gaps against Revision 2, because CMMC assessments remain tied to Revision 2. The operating rule is simple: add Revision 3 as a secondary mapping and never let it overwrite the Revision 2 evidence chain that is actually being assessed.

This is the question behind the question for most readers. Leadership wants to future-proof. You want to avoid doing the work twice. Both instincts are reasonable, and they can coexist.

Three valid approaches — pick honestly

Three approaches to implementing Rev 2 alongside Rev 3
ApproachRight whenMain riskWho it fits
Rev 2 onlyYou have a near-term self-assessment, a live bid, or constrained resourcesMapping work remains laterSmall suppliers working a deadline
Rev 2 primary + Rev 3 crosswalkMost of the DIB, most of the timeRequires disciplined dual traceabilityContractors with 12+ months of runway
Rev 3 primary + Rev 2 overlayA customer expressly requires Revision 3 and you hold a separate Revision 2 obligationHidden Revision 2 evidence gapsContractors with mixed federal customers

What “in parallel” should mean operationally

And four things not to do

  1. Don’t delete Revision 2 identifiers from your SSP. Those are the ones an assessor traces.
  2. Don’t replace Revision 2 assessment objectives with Revision 3 determination statements. Different documents, different structures, different counts.
  3. Don’t submit a Revision 3-based score as your current SPRS result. The Department’s Level 2 scoring methodology is built on the 110 Revision 2 requirements.
  4. Don’t substitute one representation for another. You can implement both revisions. What you cannot do is represent Revision 3 implementation as satisfying a Revision 2 contract, SPRS, or CMMC requirement unless the applicable authority accepts that mapping. See our coverage of CMMC enforcement and non-compliance exposure.

What actually changed between NIST 800-171 Rev 2 and Rev 3?

Revision 3 is a structural rewrite, not a renumbering. It realigns the requirements to the NIST SP 800-53 Revision 5 catalog and the SP 800-53B moderate baseline, eliminates the basic-versus-derived distinction, retires the NFO tailoring category, introduces organization-defined parameters, adds three security requirement families, and changes both how requirements are written and how they are assessed.

Here’s the side-by-side, then the part that takes actual work: NIST’s own change counts.

NIST 800-171 Rev 2 vs Rev 3 side-by-side comparison
Revision 2Revision 3
PublishedFebruary 2020; updated January 2021May 14, 2024
NIST status todayWithdrawn / supersededCurrent
Top-level security requirements11097
Requirement families1417
New familiesPlanning (PL), System and Services Acquisition (SA), Supply Chain Risk Management (SR)
Renamed familySecurity AssessmentSecurity Assessment and Monitoring (CA)
Requirement structureBasic + derivedBasic/derived distinction eliminated
Identifier format3.1.103.01.01 (leading zeros for tooling consistency)
Tailoring categoriesCUI, NFO, NCO, FEDNFO eliminated; ORC and NA added
Organization-defined parametersNone49 requirements contain one or more
Source catalogSP 800-53 Rev. 4 lineageSP 800-53 Rev. 5 / SP 800-53B moderate baseline
Companion assessment guideSP 800-171ASP 800-171A Rev. 3
Governs CMMC Level 2 todayYesNo

Structural changes above are drawn from NIST’s FAQ for SP 800-171r3 and SP 800-171Ar3 and the Revision 3 publication record.

What NIST’s own transition workbook shows

NIST published a change-analysis workbook alongside Revision 3 — sp800-171r2-to-r3-analysis.xlsx, available under Supplemental Material on the Revision 3 publication page. The flag counts:

NIST transition workbook flag counts
NIST workbook flagCount
No significant change18
Significant change46
Minor change15
New requirement19
Withdrawn requirement33
Requirements containing one or more new ODPs49
Total Revision 3 requirements97

Two honest readings of that table:


Why did 110 requirements become 97 — and does that mean less work?

Revision 3 lists 97 top-level requirements against Revision 2’s 110. That lower count reflects consolidation, restructuring, withdrawals, and additions — not the disappearance of 13 protection outcomes. NIST’s FAQ states that grouping requirements does not add to the total number of requirements, and the companion assessment guide’s determination statements increased substantially under Revision 3.

If a vendor leads with “Revision 3 is 13 fewer controls,” they’ve selected the one number that makes Revision 3 sound smaller.

The count reconciliation table

Several different numbers circulate for this standard, and published pages contradict each other constantly. Here’s what each one counts — and which one your score depends on.

NIST 800-171 count reconciliation
NumberWhat it actually countsAffects your SPRS score?
110Revision 2 security requirementsYes — this is the one
14Revision 2 requirement familiesStructure only
97Revision 3 active top-level requirementsNo
17Revision 3 requirement familiesNo
130 / 33Rows in NIST’s transition workbook / of those, marked withdrawn — leaving 97 activeNo
49Revision 3 requirements containing one or more new ODPsNo
88ODP determination statements in SP 800-171A Rev. 3No
422Non-ODP determination statements in SP 800-171A Rev. 3No
510Total Revision 3 determination statements (422 + 88)No
320Assessment objectives used to evaluate the 110 current Level 2 requirementsThe reported score comes from the weighted 110-requirement methodology, not from the objective count

Count hygiene: never publish a number without its unit

This is the discipline that separates a usable comparison from noise. Before you repeat any figure from this standard — in a board deck, a vendor evaluation, or a proposal — say what it counts:

requirement · family · requirement containing an ODP · ODP determination · non-ODP determination · total determination · source control · tailoring category · assessment objective

Both “49” and “88” are in circulation for ODPs, and they’re usable only with their units attached: 49 Revision 3 requirements contain one or more ODPs, while SP 800-171A Revision 3 contains 88 ODP determination statements. “Revision 3 has 49 ODPs” uses the wrong unit. Get it backwards in a project plan and you will materially undercount the determination statements your team has to work through.

How the counts were produced, so you can check them

Revision 3 assessment counts come from the final May 2024 SP 800-171A Rev. 3 publication — not a draft. The method: start at the first assessment identifier, extract every unique identifier, classify those containing .ODP[ as ODP determinations, and strip each to its requirement base to confirm 97 unique requirements. Result: 97 requirement bases, 422 non-ODP determinations, 88 ODP determinations, 510 total.

For Revision 2, the current CMMC Level 2 Assessment Guide contains 320 assessment objectives across 110 requirements. NIST’s supplemental spreadsheet represents these as 297 separately lettered objective rows plus 23 single-objective requirements where the determination sits on the requirement row rather than a separate [a] row. 297 + 23 = 320. Count only the lettered rows and you land 23 short — a common and consequential slip.


How many ODPs are in Revision 3, and who sets the values?

Organization-defined parameters are the variable values inside a Revision 3 requirement — lockout thresholds, review frequencies, retention periods. Revision 2 has no ODP construct. NIST’s transition workbook identifies 49 Revision 3 requirements containing one or more new ODPs, and SP 800-171A Revision 3 expresses them as 88 separate ODP determination statements. A federal agency may set the values; where none does, NIST states the nonfederal organization must assign them.

That last sentence is the operational one. Under Revision 2, you pick your lockout threshold and defend it. Under Revision 3, somebody may hand it to you — and then it’s assessable as part of the requirement.

What the Department’s ODP memorandum does

The Department published Revision 3 ODP values in an April 2025 memorandum, with the values in Attachment A. Two details worth knowing:

What the memorandum is: a published set of Department expectations, issued in preparation for possible Revision 3 implementation. What it is not: an amendment to the CMMC Program Rule. It does not make Revision 3 your current baseline. (DCR inference: publishing parameter values is a planning signal that the Department has prepared for a possible transition. It is not a commitment to a date or a final transition method.)

What the proposed FAR rule would do differently

Under the June 23, 2026 proposed rule, the mechanism changes again. The new Standard Form that agencies would complete for each covered CUI contract was updated to identify the applicable organization-defined parameters for NIST 800-171 Revision 3. Translation: the contract paperwork would carry your parameters.


What do the three new Revision 3 families actually require?

Revision 3 adds Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) to stay consistent with the SP 800-53B moderate baseline. It also eliminates the NFO tailoring category and adds Other Related Control (ORC) and Not Applicable (NA). Supply Chain Risk Management is a genuinely new family with no Revision 2 predecessor.

Planning (PL)

Policies and procedures, the System Security Plan, and rules of behavior — formalized as explicit requirements.

System and Services Acquisition (SA)

Security engineering principles, unsupported system components, external system services, and the responsibility split between you and your providers. If you use a managed service provider or a cloud service for CUI, this family formalizes conversations you should already be having about who does what.

Supply Chain Risk Management (SR)

A supply chain risk management plan, acquisition strategies and tools, and controls to identify supply chain weaknesses. DCR editorial judgment:for most small contractors this is the heaviest genuinely new lift, because it’s a process with evidence — vendor assessments, documented decisions, a maintained plan — rather than a control you can configure or a license you can buy.

NFO removal, and what ORC and NA mean

Revision 2 tagged a set of source controls as NFO— expected to be routinely satisfied by nonfederal organizations without being called out individually. NIST’s own FAQ explains why that changed: feedback indicated that certain NFO controls, including foundational ones such as the policy-and-procedures control in each family, were not being implemented or assessed in nonfederal organizations.

Revision 3 eliminates the NFO category. Be precise about where those controls went: NIST’s FAQ states the elimination produced an increase in the NCO, FED, and CUI categories— not a wholesale conversion of every NFO control into a CUI requirement. You will see the “all 61 NFO controls became CUI requirements” claim in circulation. NIST’s own language doesn’t support it.

ORC (Other Related Control) flags a control whose protection capability is already provided by another control. NA (Not Applicable)was added for completeness in the tailoring analysis, covering the Program Management and PII Processing and Transparency families, which aren’t allocated to any SP 800-53B baseline.

One caution: these are NIST’s tailoring decisions about source controls. They are not permission for a contractor to unilaterally declare a top-level requirement inapplicable.


How do Revision 2 requirements map to Revision 3?

Requirements do not move one-to-one. NIST’s transition workbook shows five distinct relationships: direct carryover, carryover with expanded detail, consolidation into another requirement, division across several requirements, and new requirements with no Revision 2 predecessor. A technical crosswalk tells you where a safeguard went; it cannot tell you which revision your contract incorporated.

The five mapping patterns, with worked examples

Use this to recognize what you’re looking at when you open NIST’s workbook. Row-level requirement identifiers should always be taken from the official workbook rather than from any secondary source, including this one.

Five mapping patterns from Rev 2 to Rev 3
PatternWhat happensWorked exampleWhat it does to your evidence
Direct carryoverSame outcome, refreshed wordingMost access control and identification requirementsEvidence usually holds; identifier changes format
Carryover with expanded detailSame topic, more specificity, often a new ODPRequirements now carrying a parameter valueEvidence needs a second look against the ODP
ConsolidatedSeveral Revision 2 requirements absorbed into one multi-part Revision 3 requirementNIST withdrew 33 requirements, many folded into related onesOne new identifier now traces to several old ones
Split or relocatedOne requirement’s content distributed or moved to a different familySSP moves from Security Assessment (3.12.4) into the new Planning familyThis is where evidence indexes break
NewNo Revision 2 predecessorThe entire Supply Chain Risk Management family — Revision 2 has no SR familyNew artifacts required; nothing to map from

Two structural changes affect every row: the identifier format shifts from 3.1.1 to 03.01.01, and the basic/derived distinction disappears. Neither changes a security outcome. Both break string matching in documentation and tooling, which is exactly why a bulk find-and-replace across your SSP is a bad idea.

What a usable crosswalk has to include

A two-column old-ID/new-ID table is not a plan. A crosswalk you can actually work from carries:

Revision 2 requirement · Revision 2 objective · Revision 3 requirement · Revision 3 determination · ODP involved? · Department ODP value · existing evidence · evidence location · evidence owner · Revision 3 gap · contract applicability · change trigger · last verified

Build it from NIST’s official change-analysis workbook, not from a vendor’s reconstruction. The workbook is free, authoritative, and already has the mapping columns.

Why a crosswalk can never answer the contract question

This boundary gets crossed constantly, usually by well-meaning people:


What if we hold work across multiple federal agencies?

Then you have a second variable to track. On June 23, 2026, the FAR Council published a proposed rule at 91 FR 37550 (FAR Case 2026-001) that would establish a governmentwide FAR mechanism requiring contractor systems handling CUI to meet NIST SP 800-171 Revision 3, through a new clause at FAR 52.240-7 and a contract-specific Standard Form. The proposal is governmentwide, including covered Department contracts. Comments closed July 23, 2026.

What it would do, per the Federal Register text:

It carries forward and revises the CUI work previously proposed in FAR Case 2017-016 (90 FR 4278, January 2025) after consideration of comments on that proposal. If your team analyzed the earlier proposal, that analysis needs a refresh.

The unresolved part, stated plainly:

Current Department CMMC and deviation authorities point to Revision 2. This proposed FAR clause would point to Revision 3 and would reach covered Department contracts. How those authorities get harmonized — if the rule is finalized — has not been resolved publicly. That is not a reason to change anything today. It is a reason to know where your instruments sit.

Who could be affected, and what to do now

FAR CUI rule impact by contractor type
Your situationBaseline todayIf the rule is finalized as proposedWhere this leaves you
Department only, FCI onlyFAR 52.204-21 — the 15 basic safeguardsThe CUI clause turns on CUI, not FCINo transition action; hold your Level 1 baseline
Department only, CUIRevision 2 under current CMMC and deviation authoritiesRecheck the interaction with any final FAR 52.240-7 text and the Department deviationNo transition action today; preserve the Revision 2 evidence baseline and watch the docket
Civilian agency, CUIWhatever your agency has independently imposedRevision 3 under the new FAR clauseRead the rule; consider commenting
Multiple agencies, CUIRevision 2 for CMMC Level 2 work; agency-specific elsewherePotential overlapping baselines pending harmonizationModel the delta; comment
Subcontractor receiving CUIWhatever flows down in writingFlow-down of Revision 3 security and reporting termsGet the flow-down in writing
Prime questionnaire says Rev 3, flow-down says Rev 2Revision 2 — the incorporated requirement governsDepends on the finalized ruleAnswer the questionnaire separately; label that evidence separately

What should a defense contractor implement right now?

For current CMMC Level 2 work, implement and evidence Revision 2 — that is what gets assessed and scored. In parallel, do the Revision 3 work that also strengthens a Revision 2 assessment: real policies and procedures, documented parameter values, supply chain risk documentation, and a tighter system boundary narrative. Do not renumber your SSP, do not rescore against 97 requirements, and do not buy a Revision 3 engagement sold as a current requirement.

The table below separates what the rules actually require from what we recommend. That distinction matters more than any single recommendation.

What to implement now vs. what is optional
ActionRequired now by current authorityPermitted now for future-readinessDCR recommendation
Implement and evidence all 110 Revision 2 requirements (Level 2 scope)YesDo it first, finish it, freeze it
Maintain a current SSPYes (Rev 2 § 3.12.4; § 170.24)Non-negotiable
Write real policies and procedures for every familyExpected within your Revision 2 programAligns with Revision 3’s Planning familyDo it now — it improves both baselines
Document every parameter value, with owner and approval dateNot as an ODP constructYes — the basis of Revision 3 ODP governanceDo it now; low cost, high carryover
Build vendor and supply chain risk documentationNoYesStart now if you have runway
Implement Revision 3 requirements using Department ODP valuesNoYes, alongside Revision 2Optional; sequence it after Revision 2 is stable
Renumber your SSP to 03.01.01 identifiersNoNot advisableDon’t — your assessment and SPRS record key to Revision 2 IDs
Score yourself against 97 requirementsNoNot advisableDon’t — Level 2 scoring is built on the 110
Delete documentation because “NFO is gone in Rev 3”NoNot advisableDon’t — those expectations live in your Revision 2 assessment
Purchase a “Revision 3 migration”NoOnly as clearly scoped future-readinessNever buy it on the claim that Revision 3 is currently required for CMMC

If leadership wants to future-proof, do it in this order

  1. Finish the Revision 2 evidence baseline.
  2. Freeze stable identifiers and version the package.
  3. Import NIST’s official mapping workbook.
  4. Apply Department ODP values where relevant.
  5. Record Revision 3 deltas in a separate register.
  6. Prioritize changes that improve both baselines.
  7. Keep modernization status visibly separate from contract-compliance status.

The one thing we’ll admit is genuinely annoying about our own advice

Dual traceability is a hassle.Keeping Revision 2 identifiers as your primary index while carrying Revision 3 mappings alongside means duplicate fields, two registers, and a discipline your team actually has to maintain. Nobody enjoys it. There is no clean single-migration moment available right now, and we’re not going to pretend otherwise.

Here’s why we’d still make the same call with our own money: the duplication is dramatically cheaper than the alternative.Rebuilding an evidence package around Revision 3, then discovering that your assessment, your SPRS score, your solicitation, or your prime’s flow-down still expects Revision 2 identifiers, is a full re-do — the SSP, the evidence index, the POA&M mapping, and the assessor walkthrough. The dual-track approach costs you spreadsheet columns. The clean-migration approach can cost you an assessment cycle.


How should you update your SSP, POA&M, policies, and evidence library?

Keep Revision 2 identifiers as the primary index in your System Security Plan, Plan of Action and Milestones, assessment record, and evidence library, then add Revision 3 cross-reference and ODP fields alongside them. Do not delete Revision 2 artifacts or convert the primary package to Revision 3 identifiers while Revision 2 remains the governing CMMC Level 2 baseline.

The Keep / Map / Add / Monitor framework

Run every artifact you own through four statuses. It turns an abstract “transition” into a finite list of tasks your team can actually close.

Keep / Map / Add / Monitor framework
StatusMeaningTypical example
KeepExisting Revision 2 evidence remains directly usefulMFA configuration records, audit log samples
MapThe safeguard exists; identifiers or references need cross-mappingPolicy documents citing 3.x.x identifiers
AddRevision 3 introduces a new or materially broader obligationSupply chain risk management plan
MonitorNo obligation to change today, but a rule or contract event could alter itAnything driven by the FAR CUI rule outcome

System Security Plan

Add these fields rather than rewriting the document: governing revision · secondary mapped revision · applicability source (the clause or instrument) · Revision 2 requirement · Revision 3 requirement · ODP values · revision history · change trigger.

POA&M

Keep each open deficiency tied to the currently applicablerequirement, and add future-state mapping as a secondary field. Two traps: don’t close a Revision 2 gap merely because the wording softened in Revision 3, and don’t assume Revision 3 POA&M eligibility rules will match today’s. Under 32 CFR § 170.21, the current rules are specific about which requirements can be deferred at all — and a future rule may draw those lines differently.

Policies and procedures

Stop hard-coding a single identifier into policy prose. Move control references into an appendix table you can reversion without touching the policy body. Add ODP governance: who owns each value, its source, who approved it, effective date, and change history.

Evidence library

Index along this path so a version change doesn’t orphan your proof:

Outcome → Current requirement → Current objective → Evidence artifact → Rev 3 mapping → ODP → Owner → Verification date

GRC platform configuration — ask these before your next vendor call

If you use a governance, risk, and compliance (GRC) platform, settle these before anyone touches a framework setting:

A GRC platform manages evidence. It does not, by itself, satisfy CMMC. Any vendor who tells you otherwise is selling, not advising.


What happens to SPRS scores and CMMC assessments during the suspension?

Department baseline compliance continues through CMMC Level 1 self-assessments against the 15 basic safeguards in FAR 52.204-21 and CMMC Level 2 self-assessments aligned to NIST SP 800-171 Revision 2, plus select government-led assessments. Level 1 results and affirmations are entered in the Supplier Performance Risk System as a compliance result; Level 2 uses the 110-requirement weighted scoring methodology and reports an overall score in SPRS. DFARS 252.204-7012 remains in effect throughout.

Did the suspension remove the safeguarding requirements? No. The implementing memorandum states that the DFARS 252.204-7012 cybersecurity requirements remain in effect and that Level 1 and Level 2 self-assessments continue. During the suspension, Level 1 (Self) and Level 2 (Self) are the only contractor assessment designations permitted in new procurement requests, while select government-led assessments may continue. DCR editorial conclusion: with third-party assessment designations paused, the accuracy of what you self-report carries more consequence, not less. This is not the moment to let implementation drift.

Did the suspension make Revision 3 the scoring baseline? No. The same memorandum describes CMMC Level 2 as aligned with NIST SP 800-171 Revision 2. Nothing in the suspension substituted a new standard.

What about our existing contract with Level 2 (C3PAO) language?Read your instrument, not the press release. The memorandum directs contracting officers to remove those requirements by amendment or modification — but a directive to a contracting officer is not the same as a modification in your file. Get the paper. Until you have it, your contract says what it says.

What happens after the 60-day review?Unknown, and we won’t guess. Neither the announcement nor the memorandum sets an automatic resumption date. Anyone publishing a countdown to a restart is inventing it. We’ll update this page when an official memorandum, rulemaking action, deviation, FAQ revision, or solicitation instruction appears. For scoring mechanics, see our SPRS score guide. For assessment mechanics, see our CMMC Level 2 assessment guide.


How do you verify which revision your contract actually requires?

Start with the solicitation, contract, modifications, applicable clauses, and prime flow-down — not the NIST publication page. Where the language is unclear or omits a revision, request written clarification from the contracting chain and confirm your interpretation with a CMMC Registered Practitioner or a qualified federal-contracts attorney before replacing your primary evidence baseline.

The seven-step applicability review

  1. Identify the agency or prime customer for each instrument.
  2. Identify the contract, task order, delivery order, or subcontract.
  3. Locate every CUI, safeguarding, SPRS, and CMMC clause in it.
  4. Record the revision expressly named — or note that none is.
  5. Check modifications, deviations, and amendments. Effective February 1, 2026, Class Deviation 2026-O0025 directs Department contracting officers to use revised FAR Part 40 and DFARS Part 240 text in lieu of codified text for covered new or modified instruments. Under that deviation, the assessment clause appears at DFARS 252.240-7997 rather than codified 252.204-7020, and basic safeguarding appears at FAR 52.240-93 rather than 52.204-21, while 252.204-7012 and 252.204-7021 keep their numbers. The codified regulations still carry the original numbers, so both sets are circulating. Verify what your instrument actually incorporates. (DoD FAR/DFARS overhaul class deviations)
  6. Compare the prime’s flow-down language against the prime contract requirement.
  7. Get written clarification wherever terms conflict or omit the revision.

Copy this. Send it today.

Subject: Clarification requested — NIST SP 800-171 revision applicable to [instrument number]

We are confirming the cybersecurity baseline incorporated into [solicitation / contract / subcontract identifier]. The instrument references NIST SP 800-171 but [does not identify a revision / conflicts with another referenced document]. Please confirm in writing which revision of NIST SP 800-171 and which associated assessment methodology apply to the information systems used in performance of this work, and whether DFARS 252.204-7012 is included under Class Deviation 2024-O0013.

We are not transmitting CUI or sensitive system documentation with this request.

That last line matters. Keep clarification requests clean of anything sensitive.

What to log in your contract applicability ledger

Instrument identifier · customer · clause · revision named · assessment type · affected systems · effective date · written clarification received · owner · next review date.

When to involve counsel

Conflicting flow-downs. Ambiguous “latest revision” language. Any eligibility or certification representation. A material bid decision. A dispute over a modification. Any situation where a written representation about your cybersecurity compliance could later be examined.


When will CMMC move to NIST 800-171 Rev 3?

No date has been announced. Moving CMMC to Revision 3 would require amending 32 CFR Part 170, rescinding or replacing Class Deviation 2024-O0013, and publishing assessment and scoring materials aligned to the new baseline. The July 13, 2026 Phase II suspension and the accompanying program review put the structure of the program itself in question before the revision question gets answered.

What would have to happen first

Steps required before CMMC can move to Rev 3
StepWhy it’s required
Amend 32 CFR Part 170Revision 2 is incorporated by reference; only rulemaking changes it
Rescind or replace Class Deviation 2024-O0013It ties DFARS 252.204-7012 to Revision 2 until rescinded
Publish or designate the applicable scoring methodologyToday’s Level 2 scoring is built on the 110 Revision 2 requirements
Publish or designate assessment procedures for the new baselineAssessors need Revision 3 objectives and ODP treatment
Publish effective dates and transition instructionsContractors and assessors both need lead time

The signals pointing toward a transition

The Department published Revision 3 ODP values in April 2025. NIST finalized SP 800-172 Revision 3 in May 2026. And the FAR Council has proposed Revision 3 governmentwide.

The signal cutting the other way

A comprehensive program review is underway with no announced outcome. Until it concludes and produces guidance, the honest answer is that nobody outside the Department knows the sequence.

What to watch, in order of authority: the Federal Register, the Department CIO CMMC page, the DoD class deviations listing, and NIST CSRC.


Which provider category helps with a Rev 2 to Rev 3 transition?

Most contractors researching this comparison need contract clarity, readiness work, or evidence mapping — not a formal assessment. Depending on the gap, the right category is typically an RPO/RP, a CMMC-focused MSP or MSSP, a GRC platform, or a CUI enclave specialist. A C3PAO belongs in the formal assessment lane, with independence preserved between readiness work and certification.

We’re not naming providers on this page. This is a version-comparison question, and inserting vendor names here would serve us, not you. What we can do is tell you which categorysolves which problem — and what each one can’t do.

Provider categories for Rev 2 to Rev 3 transition
Your unresolved problemCategory to investigate firstWhat that category can’t doVerify before you hire
Determining what your contract incorporatedYour contracting chain, and a qualified federal-contracts attorney where terms conflictA consultant can’t override the instrumentRelevant DIB and cybersecurity clause experience
Readiness, scoping, and requirement mapping once the revision is identifiedRPO / RP (Registered Provider Organization / Registered Practitioner)Cannot certify youCurrent Cyber AB status, scoping method, deliverables, independence boundaries
Technical implementation, monitoring, identity, logging, incident responseCMMC-focused MSP or MSSP (Managed Security Service Provider)Cannot assume your compliance accountabilityCUI handling experience, the evidence they produce, responsibility matrix, subcontractor use
Evidence mapping and workflow across two revisionsGRC platformCannot prove controls are actually implementedDual-version support, ODP fields, versioned exports, assessor-ready output
Shrinking scope by containing CUICUI enclave specialistCannot erase scope you haven’t actually movedReal data flows, external service responsibilities, inheritance, operational fit
Formal Level 2 certification assessmentC3PAO (Certified Third-Party Assessment Organization)Cannot remediate the environment it assessesCurrent authorization in the Cyber AB Marketplace, scope, availability, conflict checks

The CMMC Path Frameworkmaps a contractor’s required level, FCI/CUI handling, assessment type, IT and cloud environment, and contract timeline to a provider category. It routes to a category, not a named provider. It is not a score, a ranking, a compliance determination, or a substitute for legal advice.

For side-by-side category detail, see our CMMC provider categories comparison. For what this work typically costs by level and company size, see our CMMC Level 2 cost guide.


Which Rev 2 to Rev 3 mistakes create the most rework?

The costliest mistakes in this transition are sequence and unit errors: treating Revision 3 as the current CMMC baseline, assuming 97 requirements means less work, confusing ODP counting units, deleting Revision 2 traceability, and using a technical crosswalk as contract interpretation. Each one can leave an organization with a genuinely stronger security posture and the wrong assessment package.

The ranking below is DCR editorial judgment based on the verified facts on this page.

Rev 2 to Rev 3 common mistakes and corrections
MistakeWhy it happensWhat it costsThe correctionGrounded in
Replacing Revision 2 with Revision 3 for CMMCNIST labels Revision 3 currentMissing Revision 2 evidence and objectives at assessmentKeep Revision 2 primary; map Revision 3 separately32 CFR § 170.14
Assuming 97 is easier than 110The top-level count looks smallerUnderbudgeted implementationCompare determination statements and evidence, not requirement countsNIST FAQ; SP 800-171A Rev. 3
Saying “Rev 3 has 49 ODPs” without a unitConfuses requirements with determinationsUndercounted governance work49 ODP-bearing requirements; 88 ODP determinationsNIST workbook; SP 800-171A Rev. 3
Calling 422 the total Revision 3 assessment countOmits the 88 ODP determinationsIncomplete work estimate510 totalSP 800-171A Rev. 3
Treating Level 1 as a Revision 2 obligation“CMMC” gets used as one thingWrong scope, wrong evidence, wasted spendLevel 1 is the 15 FAR 52.204-21 safeguards32 CFR § 170.14(a)(1)
Deleting old SSP referencesMigration treated as replacementBroken assessment traceabilityVersion and preserve32 CFR § 170.24
Treating a crosswalk as a legal answerA technical map looks authoritativeWrong contractual representationVerify the incorporated clause languageDFARS 252.204-7012
Reading only the suspension headline“CMMC is paused” is easier to rememberStalled implementation, stale SPRS scoreRead the implementing memorandum; 7012 still appliesSuspension memo, Attachment 1
Hiring an assessor to do remediationConfuses readiness with assessmentConflict issues and a costly handoffKeep readiness and formal assessment separate32 CFR § 170.8(b)(17)(ii)(G)

What The Defense Compliance Report verified for this page

We read the final NIST publication records, NIST’s Revision 2 to Revision 3 transition workbook, the final SP 800-171A Revision 3 assessment publication, the current text of 32 CFR Part 170, the current CMMC Level 2 Assessment Guide, the Department’s April 2025 ODP memorandum, Class Deviation 2024-O0013, and the July 13, 2026 CMMC Phase II suspension materials. Counts on this page were produced from those official files using the method published above, so any reader can reproduce them.

What we read, and what each source supports

Primary sources verified for this page
SourceWhat it supports
eCFR 32 CFR § 170.14 and § 170.2Revision 2 incorporated by reference; Level 2 identical to Revision 2; Level 1 from FAR 52.204-21; Level 3’s 24 selected SP 800-172 (February 2021) requirements
32 CFR § 170.8(b)(17)(ii)(G)The three-year consulting conflict prohibition for Level 2 certification assessments
32 CFR § 170.21 and § 170.24POA&M limits; consequence of a missing current SSP
Class Deviation 2024-O0013 (and Revision 1)DFARS 252.204-7012 tied to Revision 2; in effect until rescinded
DoD FAR/DFARS overhaul class deviationsClass Deviation 2026-O0025 and the February 1, 2026 clause changes
Implementing Suspension of CMMC Phase II, Attachment 1Level 1 and Level 2 self-assessment continuation; Level 2 aligned to Revision 2; only Level 1 (Self) and Level 2 (Self) designations; 7012 remains; no waivers
NIST CSRC — SP 800-171 Rev. 2 and Rev. 3Withdrawal date; publication date; 17 families; supplemental materials; requirement 3.12.4
NIST FAQ — SP 800-171r3 / 171Ar3Basic/derived elimination; NFO removal and redistribution; ORC and NA; ODP responsibility; three new families
NIST transition workbook (sp800-171r2-to-r3-analysis.xlsx)The 18 / 46 / 15 / 19 / 33 / 49 change flags
NIST SP 800-171A Rev. 397 requirement bases; 422 non-ODP and 88 ODP determinations; 510 total
CMMC Level 2 Assessment Guide320 assessment objectives across 110 requirements
DoD ODP memorandumDepartment Revision 3 ODP values; four expressed as guidance rather than a value
Federal Register — FAR Case 2026-001, 91 FR 37550Governmentwide scope; Revision 3 baseline; FAR 52.240-7; Standard Form and ODPs; 72-hour reporting; July 23 comment deadline

What we could not verify, and what we’re not claiming

Who made this, how, and why

Who: The Defense Compliance Report Editorial Team.

How:We compared the final NIST Revision 2 and Revision 3 publications and their companion assessment materials, worked from NIST’s transition workbook, read the current text of 32 CFR Part 170, the Department’s ODP guidance, the class deviations, and the July 2026 suspension materials — then documented the counting method so the totals can be independently reproduced.

Why: Contractors are being asked to reconcile a current NIST publication with a different incorporated CMMC baseline, often by people with something to sell. This page separates those layers and turns the distinction into an operational plan.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page contains no named provider recommendations.

Affiliation: The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. See our Methodology, Editorial Standards, and Corrections policies.


NIST 800-171 Rev 2 vs Rev 3: frequently asked questions

Does NIST 800-171 Rev 3 replace Rev 2 for CMMC?
No. Revision 3 supersedes Revision 2 in NIST’s publication catalog, but CMMC Level 2 remains tied to Revision 2 under 32 CFR § 170.14, which incorporates Revision 2 by reference. Moving CMMC to Revision 3 requires the Department to amend the rule through formal rulemaking.
Is NIST 800-171 Rev 2 still valid in 2026?
Yes. Revision 2 remains the current CMMC Level 2 baseline and applies to instruments incorporating the Revision 2 deviation clause under Class Deviation 2024-O0013. Verify the actual DFARS 252.204-7012 text incorporated into your solicitation or award, since the codified clause and the deviation clause read differently.
Does CMMC Level 1 use NIST SP 800-171 Revision 2?
No. CMMC Level 1 is based on the 15 basic safeguarding requirements in FAR 52.204-21(b)(1) for Federal Contract Information. NIST SP 800-171 Revision 2 and its 110 requirements are the CMMC Level 2 baseline.
Can I implement Rev 3 before CMMC adopts it?
Yes, in parallel. Implement Revision 3 using the Department’s published organization-defined parameter values while continuing to close any Revision 2 gaps, and keep your primary evidence index on Revision 2 identifiers. Voluntary modernization should never be recorded as a completed contractual determination.
Does Rev 3 have fewer controls than Rev 2?
It has fewer top-level requirements — 97 versus 110 — but that count alone does not establish lower implementation or assessment effort. The reduction reflects consolidation, restructuring, withdrawals, and additions, and the companion assessment guide grew from 320 assessment objectives under the current Level 2 baseline to 510 total determination statements under Revision 3.
Does Rev 3 have 49 ODPs or 88?
Both figures are correct for different units. NIST’s transition workbook identifies 49 Revision 3 requirements containing one or more new organization-defined parameters, and SP 800-171A Revision 3 expresses those parameters as 88 separate ODP determination statements.
Are there 422 or 510 assessment statements in Rev 3?
There are 422 non-ODP determination statements plus 88 ODP determination statements, for 510 total. Citing 422 as the total omits the ODP determinations and understates the assessment work.
Do I have to rewrite my SSP for Rev 3?
Not because Revision 3 exists. Keep the currently applicable System Security Plan indexed to Revision 2 requirement identifiers and add versioned Revision 3 cross-reference fields alongside them rather than overwriting existing traceability.
Should my SPRS score use Rev 2 or Rev 3?
Revision 2. The Department’s Level 2 scoring methodology and the current CMMC Level 2 baseline are both built on the 110 Revision 2 requirements. Verify your specific solicitation or contract requirement before submitting any representation. See our SPRS score guide.
Did the July 2026 CMMC suspension eliminate the program?
No. The Department suspended Phase II and subsequent implementation milestones on July 13, 2026. Level 1 and Level 2 self-assessment requirements continue, and DFARS 252.204-7012 cybersecurity requirements remain in effect.
Would FAR Case 2026-001 apply to Department contracts?
As proposed, yes. The proposed FAR framework is governmentwide, and the rule distinguishes Department incident reporting through DIBNet from non-Department reporting through CISA. How it would interact with current Department Revision 2 authorities would have to be resolved.
Does the proposed FAR CUI rule require NIST 800-171 Rev 3?
As proposed, yes. FAR Case 2026-001, published June 23, 2026 at 91 FR 37550, would require contractor information systems handling CUI to meet NIST SP 800-171 Revision 3 under a new clause at FAR 52.240-7. It is a proposed rule; the comment period closed July 23, 2026.
Is there an official Rev 2 to Rev 3 crosswalk?
Yes. NIST publishes a change-analysis workbook and a CUI overlay under Supplemental Material on the SP 800-171 Revision 3 publication page at NIST CSRC. Use the official workbook rather than a vendor-reconstructed mapping.
What if my prime asks for Rev 3 but our flow-down says Rev 2?
Treat them as two separate requests. The incorporated flow-down language governs your contractual obligation; a customer questionnaire does not silently rewrite it. Answer the questionnaire if commercially necessary, label that evidence separately, and request written clarification from the prime.
When will CMMC move to Rev 3?
No date has been announced. The Department has indicated it intends to incorporate Revision 3 through future rulemaking, and a program review is underway following the July 13, 2026 Phase II suspension. Treat any published transition date as speculation until an official rule or memorandum sets one.

Your next step

You don’t need to memorize two versions of a security standard. You need three things: which revision your contract points at, what your evidence should be indexed to, and what kind of help closes the gap you actually have. The first two are now settled. The third takes about two minutes.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

The match routes you to a provider category first. It is not a guarantee of certification and not an endorsement by the Cyber AB or the Department. Do not submit CUI, drawings, network diagrams, SSPs, or sensitive contract details.

Provider-matching forms on this site may generate referral or lead-routing compensation, disclosed at the point of recommendation. This article is educational research and is not legal, contractual, or compliance advice. CMMC requirements vary by contract, scope, and CUI handling. Consult a CMMC Registered Practitioner (RP/RPO) or qualified federal-contracts attorney before making compliance decisions.