NIST SP 800-171 Revision 3 has been published for nearly two years. The DoD has released its Organization-Defined Parameters for Rev 3. DFARS clause 252.204-7012 tells contractors to implement the “most current version” of 800-171. And yet every CMMC Level 2 assessment happening right now is evaluated against Revision 2.
If you’re a DIB contractor trying to plan your compliance roadmap, this gap between what NIST has published and what CMMC actually requires is one of the most important things to understand clearly, because getting it wrong in either direction costs you time and money.
The Class Deviation Is the Key
The reason Rev 2 remains the assessment standard is class deviation 2024-000013. This DoD-issued deviation explicitly directs contractors to implement NIST SP 800-171 Revision 2, overriding the DFARS clause language that would otherwise point to the latest revision. Per the CMMC FAQ, “CMMC Assessments will be conducted against Revision 2 until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking.”
That class deviation stays in effect indefinitely, until rulemaking updates 32 CFR Part 170 (where the CMMC regulation lives) to formally point to Rev 3. Based on the current pace of what some are calling “CMMC 3.0” rulemaking, the earliest realistic timeline for a Rev 3 requirement appears to be late 2026, and that could shift further.
Can You Implement Rev 3 Now?
Yes, but with a critical caveat. The CMMC FAQ (Q4, CMMC Model section) is explicit: companies can implement Revision 3 but must use the DoD’s Organization-Defined Parameters defined in the April 2025 memorandum. And because assessments are still conducted against Rev 2, any gaps between the two revisions must be addressed. Implementing Rev 3 does not exempt you from Rev 2 compliance.
This is where contractors get tripped up. Rev 3 is not a superset of Rev 2: there are structural differences, reorganized controls, and requirements that don’t map one-to-one. Moving to Rev 3 prematurely without maintaining Rev 2 coverage could leave holes that a C3PAO assessment would flag.
What This Means for Your Planning
If you haven’t started CMMC preparation: Focus on Rev 2. That is what your assessment will be scored against. Full stop.
If you’re mid-remediation: Stay the course on Rev 2. Don’t pivot your SSP, your POA&M, or your technical implementation to Rev 3 controls until rulemaking makes it official.
If you’re already compliant with Rev 2 and thinking ahead: Reviewing the Rev 3 ODP memorandum is reasonable planning, but don’t restructure your security program around it yet. When the transition does happen, there will be a defined timeline; rulemaking doesn’t flip a switch overnight.
For everyone: Watch the rulemaking process. When 32 CFR Part 170 is updated and the class deviation is rescinded, that’s when Rev 3 becomes your requirement. Until then, Rev 2 is the standard, and your assessment will reflect that.
The Bottom Line
The transition from Rev 2 to Rev 3 is coming, but it’s gated by formal rulemaking, not by NIST’s publication date and not by the DFARS clause language. Contractors who jump to Rev 3 without maintaining Rev 2 coverage risk gaps in their current assessment. Contractors who ignore Rev 3 entirely may find themselves scrambling when rulemaking does land.
If you’re not sure how the eventual Rev 3 transition affects your current compliance timeline or scoping decisions, that’s worth sorting out before you lock in your approach, not after your C3PAO is already scheduled.