ISI Insights

NIST 800-171 Rev 2 vs. Rev 3: What Defense Contractors Need to Know

Written by ISI | May 20, 2026 4:23:17 PM

EXECUTIVE BRIEF

Over the past two years, the National Institute of Standards and Technology (NIST) has released revised versions of Special Publications 800-171 and 800-172.

These standards are the basis for Levels 2 and 3 of the Cybersecurity Maturity Model Certification (CMMC). However, CMMC still requires contractors to implement Revision 2 instead of the most current Revision 3. 

This blog provides contractors with:

  • A comparison of NIST SP 800-171 Rev 2 and Rev 3
  • Insights on how to prepare for the transition to Rev 3
  • Context on why starting to map to Rev 3 now positions your business for success


Why this matters

If your company handles Controlled Unclassified Information (CUI) for the Department of Defense (DoD, also referred to as the Department of War), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is your compliance baseline. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires it. Cybersecurity Maturity Model Certification (CMMC) enforces it.

NIST published Revision 3 in May 2024. DoD's CMMC program, finalized in October 2024, still references Revision 2 and says so explicitly. That gap creates real confusion for contractors.

Rev2 at a glance

  • Published: February 2020 (updated January 2021)
  • 110 security requirements across 14 control families
  • Organized as "basic" and "derived" requirements
  • The current standard for CMMC Level 2 assessments
  • Self-assessment scores submitted to Supplier Performance Risk System (SPRS) (max score: 110)
  • Requires a System Security Plan (SSP) and, where gaps exist, a Plan of Action & Milestones (POA&M)

DFARS 252.204-7012 requires contractors to implement Rev2 on all covered information systems and flow those requirements down to subcontractors.

What changed in Rev3

NIST overhauled the structure and tightened the requirements. Key changes:

  • Eliminated the basic/derived distinction; all requirements are now structured and weighted uniformly
  • Added new requirements and removed outdated or redundant ones
  • Introduced Organization-Defined Parameters (ODPs), giving organizations flexibility to tailor select controls to their risk environment
  • Increased specificity to reduce ambiguity and improve assessment consistency
  • Added titles to every requirement for easier navigation
  • Aligned more closely with NIST SP 800-53 Rev5 control language
  • Restructured discussion sections and added new tailoring categories


The CMMC reality: Rev2 still governs

DoD was direct about this in the final 32 Code of Federal Regulations (CFR) Part 170 rule:

  • CMMC Level 2 assessments are conducted against NIST SP 800-171A R2
  • DoD cited industry preparation time and ecosystem readiness as the reasons for not jumping to Rev3
  • Future rulemaking will be required to formally incorporate Rev3 with a public comment period and transition timeline
  • Contractors will not be expected to stop work during standard transitions


What you need to do now

If you're pursuing CMMC Level 2:

  • Assess against Rev2 (all 110 requirements)
  • Post your SPRS score (self-assessment or C3PAO result)
  • Maintain a current SSP; close or document POA&Ms
  • Annual affirmations are required post-certification


If you're preparing for the future:

  • Start mapping your controls to Rev3 now (especially new ODPs)
  • Watch for DoD rulemaking that will formally adopt Rev3 into CMMC
  • Engage your CMMC Registered Practitioner or C3PAO on transition planning


Quick-reference comparison

| | Rev2 | Rev3 |
|---|---|---|
| Published | Feb 2020 | May 2024 |
| Security requirement families | 14 | 17 |
| Total security requirements | 110 | 91 (some added; some withdrawn or consolidated) |
| Assessment objectives | 320 (per SP 800-171A, Jun 2018) | 422 (per SP 800-171Ar3) |
| Basic/Derived split | Yes | No; all requirements treated uniformly |
| ODPs | No | Yes; tailorable parameters in select requirements |
| CMMC governing standard | Yes (CMMC Level 2) | Not yet; requires future rulemaking |
| General Services Administration (GSA) requirement | | Rev3 required; GSA updated to R3 in Jan 2026; also adds selected SP 800-172r3 and SP 800-53 R5 privacy controls |

The takeaway

Rev3 is the direction the industry is heading. Rev2 is where compliance is measured today. Build your program to pass Rev2 assessments and architect it to absorb Rev3 when DoD makes it official.