Two defense contractors received the same Cybersecurity Maturity Model Certification (CMMC) Level 2 notice in Q1 2026. The first pulled up NIST SP 800-171 Rev 2, confirmed their 110-control gap analysis, and started booking Certified Third-Party Assessment Organization (C3PAO) time. The second did the same, then spent three weeks rebuilding their System Security Plan (SSP) around Rev 3 requirements, convinced the new version was already in play.
The first contractor is now 60 days into remediation with a clear assessment timeline. The second is untangling two parallel control frameworks with conflicting documentation, a confused assessor, and no Supplier Performance Risk System (SPRS) score that maps to either version cleanly. Both read the same Department of Defense (DoD) announcements. One understood what they meant.
Rev 3 is real, it is more demanding, and it will eventually replace Rev 2 as the CMMC baseline. The gap between “eventually” and “now” is where most compliance programs go wrong. Here is what the revision actually changes, what Class Deviation 2024-O0013 means for your assessment timeline, and how to build a program that survives both versions without building it twice.
CMMC Level 2 assessments use NIST SP 800-171 Rev 2 (110 controls, 14 families). Rev 3 consolidates the framework to 97 requirements across 17 families, adds supply chain risk management, and introduces Organization-Defined Parameters. Class Deviation 2024-O0013 locks CMMC to Rev 2 with no expiration. Stay Rev 2 compliant now. Map Rev 3 changes for the transition expected in the second half of 2027.
NIST 800-171 Rev 2 vs Rev 3: The Structural Changes That Matter
Rev 2 and Rev 3 are not a renumbering exercise. NIST reorganized the framework at the architectural level, which means a gap analysis written against Rev 2 will not map cleanly to Rev 3 without deliberate reconciliation work.
Control Count and Family Structure
Rev 2 contains 110 security requirements organized into 14 control families. Rev 3 restructures this to 97 requirements across 17 families. The reduction in requirement count does not mean Rev 3 is less demanding. Several discrete Rev 2 requirements were consolidated into broader requirements with more involved implementation expectations.
Three families appear in Rev 3 that did not exist in Rev 2: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These additions reflect NIST’s response to federal supply chain incidents and the growing recognition that CUI protection failures often originate outside the contractor’s own environment.
Contractors who treat Rev 3 as “Rev 2 minus 13 controls” will underprepare for the new families. The Planning family alone introduces requirements around security plan development and maintenance that carry direct implications for how an SSP is structured, reviewed, and updated.
Organization-Defined Parameters
Rev 3 introduces Organization-Defined Parameters (ODPs) across multiple requirements. An ODP is a placeholder where the organization specifies a value, such as the frequency of audit log reviews or the maximum number of failed authentication attempts, within boundaries set by NIST or the authorizing agency.
This creates both flexibility and accountability risk. DoD published its own ODP values for Rev 3 in May 2025, establishing the specific thresholds contractors must meet when Rev 3 is adopted into CMMC. Organizations that select ODP values inconsistent with DoD’s published parameters will have compliant documentation that fails a DoD-scoped assessment.
Under Rev 2, requirements were more prescriptive. The lack of ODPs made SSPs easier to write but reduced adaptability to organizational context. Rev 3 trades that simplicity for precision. The documentation burden increases, but so does the opportunity to tailor controls to your actual environment without deviating from the standard.
Authentication and Access Control Enhancements
Rev 3 strengthens authentication requirements with more explicit multi-factor authentication expectations across a wider range of access scenarios. Rev 2’s multi-factor requirements focused primarily on privileged and remote access under control 3.5.3. Rev 3 extends the MFA envelope and tightens session management controls.
The practical gap for most contractors: legacy internal applications that were carved out of MFA requirements under Rev 2 will face harder scrutiny under Rev 3. Organizations that built MFA compliance narrowly around remote access and administrative accounts should flag this area for gap assessment now, before Rev 3 becomes mandatory.
The audit fix. Download NIST’s Rev 2-to-Rev 3 mapping spreadsheet. For each Rev 2 control in your SSP, identify the corresponding Rev 3 requirement and note where the Rev 3 version is materially more stringent. Flag controls where Rev 3 introduces ODP values your current implementation does not satisfy. This mapping takes one to two days and produces the transition roadmap you will need in 2027.
Class Deviation 2024-O0013: Why Rev 2 Still Controls Your Assessment
DoD issued Class Deviation 2024-O0013 to formally lock CMMC Level 2 to NIST SP 800-171 Rev 2. The deviation has no expiration date. Until DoD issues a formal rulemaking update incorporating Rev 3, every C3PAO assessment, every SPRS score submission, and every contract requirement referencing CMMC Level 2 operates against the 110 controls in Rev 2.
What the Deviation Actually Prohibits
Some contractors interpreted the deviation narrowly, assuming it only locked the assessment framework while Rev 3 could still be used for internal compliance planning. That reading is wrong for assessment purposes. A C3PAO assessing against CMMC Level 2 uses the Rev 2 control set. An SSP written in Rev 3 format creates reconciliation problems for the assessor and for the contractor’s own SPRS scoring.
SPRS scores are calculated based on the 110-point maximum under Rev 2. A score derived from a Rev 3 implementation does not translate to the SPRS system without manual mapping. Contractors submitting scores to the Supplier Performance Risk System need documentation that ties directly to Rev 2 control numbers per Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 7020.
The safe interpretation: maintain your compliance documentation in Rev 2 format until DoD formally transitions CMMC to Rev 3. Keep a parallel mapping document for internal strategic purposes. Never submit a Rev 3-native SSP to a C3PAO or contracting officer unless the relevant contract explicitly requires it.
The Transition Timeline Based on Available Evidence
No official DoD timeline exists for incorporating Rev 3 into CMMC. The realistic estimate, based on the federal rulemaking process and DoD’s published Rev 3 ODP values in May 2025, is that a formal transition requirement will not appear in new contracts before the second half of 2027. When it does, a 12-to-18-month transition period is the minimum reasonable expectation based on prior CMMC rollout patterns.
That timeline is not a reason to ignore Rev 3. It is a planning parameter. Organizations that begin mapping their Rev 2 controls to Rev 3 requirements now will face a structured gap remediation exercise in 2027, not a full program rebuild. The difference in resource requirements between those two scenarios is significant.
The audit fix. Verify your current SPRS score reflects actual Rev 2 implementation status. Do not adjust scores based on Rev 3 controls you have implemented. Do not attempt to inflate your Rev 2-based score by reflecting Rev 3 compliance. The SPRS system is a government-facing representation of your current compliance state. Scores that do not accurately reflect Rev 2 implementation status create False Claims Act exposure.
The contractors who will transition to Rev 3 at lowest cost are those who maintain strict Rev 2 compliance now while building a living crosswalk document. Two years of drift from Rev 2 standards, rationalized by “Rev 3 is coming anyway,” produces the worst of both worlds: failing the current assessment while being unprepared for the next one.
The Three Rev 3 Additions Worth Tracking Now
Three areas in Rev 3 represent genuine expansion beyond Rev 2’s scope. These are worth tracking even before the mandate, because the underlying risks they address are already present in your environment.
Supply Chain Risk Management
The SR family in Rev 3 formalizes requirements that had no direct equivalent in Rev 2. Contractors must assess the security practices of suppliers and service providers who handle CUI or whose products touch CUI systems under Rev 3’s SR.01 through SR.06 requirements. This includes software supply chain risk, which became a federal priority after the SolarWinds and Log4j incidents.
Under Rev 2, supply chain risk was implicitly addressed through system boundary definitions and third-party access controls, but no explicit supply chain family existed. Rev 3 closes that gap. Contractors with subcontractor networks or significant SaaS dependencies should begin cataloging those relationships now against the SR framework.
Build a supplier CUI inventory. Document which third parties touch your CUI environment, what contractual security requirements govern those relationships, and whether those requirements would satisfy the SR controls in Rev 3. This work has value under Rev 2 as well, since C3PAO assessors examine third-party access controls as part of the existing access management and configuration management families.
Continuous Monitoring and Planning
Rev 3’s Planning family introduces requirements that transform security planning from a documentation event into an ongoing operational function. Security plans must be maintained, reviewed at defined intervals, and updated when system changes occur. Rev 2 required a System Security Plan under control 3.12.4, but the maintenance cadence was implicit rather than explicit.
The monitoring requirements in Rev 3 align with NIST SP 800-137, Continuous Monitoring, in ways that Rev 2 did not. Organizations running point-in-time assessments with annual updates will need to shift toward a continuous monitoring posture with documented monitoring frequencies tied to the ODP values DoD published in May 2025.
Contractors already operating under the Federal Information Security Modernization Act (FISMA) with a C-SCRM or continuous monitoring program will find Rev 3’s new families familiar. For a complete walkthrough of the NIST RMF seven-step process, including the continuous monitoring requirements, see our implementation guide. Those who designed their security program specifically around CMMC with no FISMA background will face the steepest learning curve in these areas.
Authentication Scope Expansion
Rev 3 extends multi-factor authentication expectations beyond Rev 2’s scope. The implementation detail that catches most contractors: Rev 3 tightens the definition of “privileged users” and expands the scenarios requiring MFA across identity and authentication controls IA.05, IA.06, and IA.07. Password requirements are also more specific, with ODP values governing minimum length, character requirements, and rotation frequency.
Organizations that built their MFA implementation around a narrow reading of Rev 2’s 3.5.3 should run a scope comparison now. If your MFA coverage does not extend to all scenarios Rev 3 will require, the gap is better identified and addressed on a planned basis than discovered during a future assessment.
The audit fix. Flag the three new Rev 3 families (PL, SA, SR) in your control tracking documentation. These have no Rev 2 predecessors, which means no existing implementation evidence maps to them. Begin a preliminary gap assessment against these families now. Any implementation work in these areas before the mandate is additive to your security posture, even if it does not affect your current SPRS score.
Building the Dual-Version Compliance Strategy
The objective is not parallel compliance programs. Running two separate control frameworks simultaneously doubles documentation burden with no assessment benefit. The objective is a single Rev 2-native program with a living crosswalk to Rev 3, so that when the transition is required, the gap analysis is already done.
The Crosswalk Document
NIST published a mapping between Rev 2 and Rev 3 requirements as part of the Rev 3 release package. This mapping identifies which Rev 2 requirements correspond to which Rev 3 requirements, where Rev 2 requirements were consolidated, and where Rev 3 introduces entirely new requirements with no Rev 2 predecessor.
Use this mapping to build a crosswalk column into your existing control tracking documentation. For each Rev 2 control, note the corresponding Rev 3 requirement. Flag controls where the Rev 3 version is materially more stringent or where Rev 3 introduces ODP values that your current implementation does not satisfy. This column costs minimal effort to maintain and creates a pre-built transition roadmap.
SSP Structure for Transition Readiness
Write your SSP in Rev 2 format, as required. Within each control implementation statement, document implementation details at a level of specificity that would satisfy the corresponding Rev 3 ODP values if they were applied today. You satisfy the Rev 2 requirement, and your documentation already supports the Rev 3 requirement when the time comes.
A C3PAO assessor reviewing your Rev 2 SSP will not penalize thorough implementation descriptions. An assessor reviewing a vague SSP will find the same implementation insufficient for Rev 2 requirements even now.
SPRS Score Integrity
SPRS scores are calculated against Rev 2’s 110-point structure. Each control is worth a specific negative point value when not implemented. Your SPRS score must reflect the current state of your Rev 2 implementation, not your aspirational Rev 3 readiness, per DFARS 252.204-7019.
Do not adjust SPRS scores based on Rev 3 controls you have implemented. Scores that do not accurately reflect Rev 2 implementation status create False Claims Act exposure, regardless of how well-intentioned the rationale.
For a detailed walkthrough of how SPRS scoring works, see our SPRS Score Calculation Guide.
The Rev 2-to-Rev 3 transition is a managed program evolution, not a compliance emergency. Rev 2 controls your assessment today, and Class Deviation 2024-O0013 provides no indication of when that changes. The contractors who will handle the transition at lowest cost and risk are those who maintain rigorous Rev 2 compliance now, build a living crosswalk document, and begin addressing the three new Rev 3 families on a planned timeline rather than a reactive one. Rev 3 readiness is not separate work. It is what a well-run Rev 2 program looks like when done right.
Frequently Asked Questions
Does CMMC Level 2 require NIST 800-171 Rev 2 or Rev 3?
CMMC Level 2 requires NIST SP 800-171 Rev 2 under Class Deviation 2024-O0013. This deviation has no expiration date. Until DoD formally amends CMMC through rulemaking to incorporate Rev 3, all C3PAO assessments, SPRS submissions, and contract requirements under CMMC Level 2 operate against the 110 controls in Rev 2.
What is the main difference between NIST 800-171 Rev 2 and Rev 3?
Rev 2 contains 110 security requirements across 14 control families. Rev 3 reorganizes the framework to 97 requirements across 17 families, adding Planning, System and Services Acquisition, and Supply Chain Risk Management as new families. Rev 3 also introduces Organization-Defined Parameters, where organizations specify implementation values within DoD-published boundaries, and strengthens authentication and continuous monitoring requirements.
When will CMMC transition from Rev 2 to Rev 3?
No official transition date exists. Based on the federal rulemaking process and DoD’s publication of Rev 3 ODP values in May 2025, the earliest realistic mandate for Rev 3 in CMMC contracts is the second half of 2027. A 12-to-18-month transition period would follow any formal mandate announcement.
What are Organization-Defined Parameters in NIST 800-171 Rev 3?
Organization-Defined Parameters are values that each organization specifies to complete a security requirement, such as the frequency of audit log reviews or the number of failed login attempts before lockout. DoD published its own ODP values in May 2025 that contractors must meet when Rev 3 is incorporated into CMMC. Selecting ODP values inconsistent with DoD’s published parameters will produce compliant documentation that fails a DoD-scoped assessment.
Should I update my SSP to Rev 3 format now?
No. Your SSP must be written against Rev 2 for any CMMC assessment or SPRS submission. Writing your SSP in Rev 3 format creates reconciliation problems for assessors and does not map cleanly to the 110-point SPRS scoring model. Maintain a Rev 2-native SSP with a crosswalk document that tracks your readiness against Rev 3 requirements for future transition planning.
Does NIST 800-171 Rev 3 add new security families with no Rev 2 equivalent?
Yes. Rev 3 adds three families that did not exist in Rev 2: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These families address organizational security planning processes, acquisition security requirements, and supplier risk management. Begin assessing readiness against these families now, even though they are not yet required for CMMC.
How does NIST 800-171 Rev 3 affect SPRS scoring?
SPRS scoring is based on Rev 2’s 110-control structure with specific negative point values for each unimplemented control, as required by DFARS 252.204-7019. Rev 3 changes do not affect your SPRS score until DoD formally incorporates Rev 3 into CMMC. Attempting to reflect Rev 3 compliance in a way that inflates your Rev 2-based SPRS score creates False Claims Act exposure.
What should defense contractors do right now about NIST 800-171 Rev 3?
Three actions apply immediately. First, confirm your SSP, POA&M, and SPRS score are current and accurate against Rev 2. Second, obtain NIST’s Rev 2-to-Rev 3 mapping document and build a crosswalk column into your existing control tracking. Third, begin a preliminary gap assessment against Rev 3’s three new families (PL, SA, SR), since these have no Rev 2 predecessors and represent the largest remediation effort when the transition is required.