ISI Insights

NIST 800-171 Rev. 2 vs Rev. 3: What Defense Contractors Need to Know

Written by ISI | Sep 17, 2025 8:30:11 PM

Executive Brief 

The Cybersecurity Maturity Model Certification (CMMC) Level 2 standard is built on National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2. But NIST has since published Revision 3, creating confusion among defense contractors about which version to follow. 

  • Right now: Assessors will benchmark against Rev. 2 controls. 
  • Looking ahead: Rev. 3 consolidates requirements and updates focus areas but is not yet tied to CMMC. 
  • Your move: Stay Rev. 2 compliant while mapping Rev. 3 changes to set yourself up for a smoother transition later. 

Want to understand the differences and how to prepare? Dig deeper below. 

Why Rev. 2 Still Rules 

CMMC Level 2 certification continues to reference NIST 800-171 Rev. 2, which includes 110 controls organized into 14 control families. This is the version that Certified Third-Party Assessment Organizations (C3PAOs) use as their benchmark during audits. 

Revision 3 does not currently apply to CMMC. While it streamlines the framework, contractors who align only with Rev. 3 today risk showing “unmet” requirements under Rev. 2 (an outcome that could fail an assessment and jeopardize contract eligibility). 

In other words: Rev. 2 remains the required baseline until DoD formally updates the security standard required for CMMC certification. Contractors who shift prematurely could set themselves back instead of moving forward. 

Key Differences in Rev. 3 

NIST 800-171 Rev. 3 isn’t a radical departure, it reorganizes controls to reduce redundancy and sharpen focus. But the differences still matter. 

  • Consolidated controls – Requirements that overlapped in Rev. 2 have been merged. For instance, separate logging and monitoring expectations are combined into broader, streamlined controls. 
  • Fewer total controls – The list drops from 110 to about 95, but that’s due to consolidation, not lowering standards. Contractors should not assume “fewer” means “easier.” 
  • New emphasis areas – Rev. 3 puts more weight on: 
    • Supply chain risk management – ensuring your vendors and subcontractors also protect Controlled Unclassified Information (CUI) 
    • Continuous monitoring – shifting from annual checklist compliance to ongoing vigilance 
    • Stronger authentication – multi-factor authentication and identity assurance are underscored throughout 
    • Restructured layout – Controls are reorganized into updated categories, which means System Security Plans (SSPs) may eventually need restructuring.

Rev. 2 vs. Rev. 3 at a Glance 

Category 

Rev. 2 

Rev. 3 

Total Controls 

110 

~95 (consolidated) 

Assessment Status 

CMMC Level 2 benchmark 

Not yet adopted into CMMC framework 

Emphasis 

Core CUI protections 

Adds supply chain, monitoring, and stronger authentication 

CMMC Certification Impact 

None (required baseline) 

High — will leave gaps under Rev. 2 


What Contractors Should Do Now 

Defense contractors don’t have the luxury of waiting to see what happens next. The 48 CFR rule is live, primes are flowing down requirements, and assessments are booking into 2026. Here’s how to position yourself: 

  1. Benchmark against Rev. 2. This is the official requirement for CMMC Level 2 today. Build your audit plan around it. 
  2. Review Rev. 3 updates. Don’t ignore Rev. 3, use it to anticipate where future assessments might shift. 
  3. Create a crosswalk. Map each Rev. 2 control to its Rev. 3 equivalent to see where coverage overlaps and where it diverges. 
  4. Keep documentation current. Your SSP, Plans of Action and Milestones (POA&Ms), and Supplier Performance Risk System (SPRS) score must reflect Rev. 2 to pass an audit. 
  5. Start thinking about the transition to Rev 3. Capture evidence and workflows now in ways that make it easier to reorganize under Rev. 3 later.
Failing to act means risking failed assessments, contract delays, and reputational damage in the Defense Industrial Base (DIB).
 

 

FAQs 

Which version of NIST 800-171 does CMMC Level 2 use? 

Rev. 2. C3PAO assessors will benchmark against it until DoD issues a formal change. For more information about how assessors will be validating your systems, view the CMMC Assessment Criteria and Methodology document. 

What happens if I only follow Rev. 3 today? 

You’ll appear to have unmet requirements under Rev. 2, which can cause you to fail your CMMC Level 2 assessment. 

When will Rev. 3 become the CMMC standard? 

The DoD has not announced a transition date. Expect Rev. 2 to remain in force through at least the early phases of the government’s CMMC 2.0 rollout. 

Does preparing for Rev. 3 give me an edge? 

Yes, if it’s done in parallel with Rev. 2. Mapping now will shorten your transition timeline later—but it cannot replace Rev. 2 compliance today.
 

Internal Links 
View full post