Whatever Happened to NIST SP 800-171r3


In June 2024, we published a blog post advising the Defense Industrial Base (DIB) to hold off on working toward compliance with NIST SP 800-171r3. The CMMC ecosystem operated with some uncertainty regarding whether compliance with the NIST SP 800-171r2 controls or the r3 controls should take priority. How would companies pivot from revision two to revision three? When would they need to complete that pivot?

After NIST published the final version of revision three, the initial focus on the new controls rather swiftly faded into the background. CMMC finalization occurred in November 2025, and that has retained most of the focus in the interim. Now, however, revision three is starting to re-emerge in the conversation. What is happening with this NIST publication, and how will it impact you?

What is NIST SP 800-171r3?

NIST (the National Institute of Standards and Technology) created the third revision of 800-171 to enhance alignment with NIST SP 800-53 (the catalog of security controls for federal systems). Key changes included:

  • A change in controls: Some controls were removed while others were added.
  • Organization-Defined Parameters (ODP): Organizations (e.g. companies, federal agencies) can determine how some of the requirements will work in their respective systems. For example, an organization may define whether multi-factor authentication needs to be updated every three months or every three weeks.
  • Increased Specificity: Rev 3 is more granular in an effort to enhance CUI protection.

Read more about the differences between Revision 2 and Revision 3 on the NIST SP 800-171r3 web page.

Why is CMMC Still Based on Revision 2?

If NIST worked so hard to publish revision 3 on time, why does it still not appear as the controls behind CMMC compliance? There are a few reasons.

1. The Rulemaking "Lock-In"
In May 2024, the Department of Defense published a class deviation indicating that the DIB must comply with the controls of NIST SP 800-171r2 until further notice. At this time, that status has not changed.

2. The Assessment Guide Gap
CMMC isn't just about the NIST requirements; it's about how you prove you meet them. The DoD relies on NIST SP 800-171A (the assessment guide) to tell assessors what to look for. While the Rev 3 requirements are out, the corresponding assessment guide and CMMC-specific mapping take time to finalize.

3. Ecosystem Stability
There are thousands of contractors currently spending millions of dollars to meet Rev 2. If the DoD suddenly transitioned to Rev 3, it would create chaos, requiring companies to redo their gap analyses and purchase new tools before the first CMMC certificates are even issued.

Our Advice About NIST SP 800-171r3 Remains the Same

We will not change our advice about NIST 800-171r3 until the regulatory situation changes. Work on pursuing the controls in revision two because that is the foundation on which CMMC rests.

Eventually, there will be a "phase-in" period where Rev 3 becomes the standard, but that is still in the future. For now, the focus remains on the 110 controls of Rev 2.

Questions about NIST SP 800-171r2?

Contact us today if you find yourself confused. We understand. Sometimes the class deviations and rulemaking processes can feel overwhelming. We welcome the chance to talk to you about your compliance strategy.
