NIST 800-171 Rev 3 Is Coming: What Defense Contractors Need to Know Before the Transition

If you're preparing for a CMMC Level 2 assessment right now, there's one thing you need to understand clearly: your assessor can only grade you against NIST SP 800-171 Revision 2. A May 2024 DFARS Class Deviation locked the CMMC program to Rev 2 while the DoD and industry work through the transition to Revision 3. That transition is coming—but for Phase 2 assessments beginning November 10, 2026, Rev 2 is the standard. Full stop.

So why does Rev 3 matter now? Because organizations that ignore it today will face a much steeper climb when the transition becomes mandatory—and that rulemaking is expected sometime in late 2026 or early 2027.

What Changed in Revision 3

Revision 3 is a meaningful update, not a cosmetic refresh. The most significant change is the addition of 17 new requirements across several control families, raising the total from 110 to 127 practices. Many controls now include Organization-Defined Parameters (ODPs)—values that each organization must define, document, and defend. This is a meaningful shift from the more prescriptive approach in Rev 2, and it adds an administrative layer that many organizations haven't encountered before.

Rev 3 also restructures control families to align more closely with NIST SP 800-53 Rev 5 and expands supply chain risk management requirements—formalizing, in technical terms, what CMMC flow-down addresses contractually. If your supply chain posture is already in good shape, Rev 3 won't blindside you. If it isn't, the new requirements will expose that gap.

Can You Implement Rev 3 Now?

Yes—with an important caveat. The DoD issued an April 2025 memorandum defining the Organization-Defined Parameters for Rev 3, and organizations can implement those controls today. However, your C3PAO assessment will still be scored against Rev 2 until the DoD formally transitions through rulemaking. Implementing Rev 3 now represents sound security practice, but it doesn't substitute for Rev 2 compliance in the context of your current assessment.

The smart approach: use your Rev 2 assessment cycle to close Rev 2 gaps first, then treat Rev 3 as the next phase of your compliance roadmap. The transition window is an opportunity, not a delay.

The Bottom Line

The regulatory environment around CMMC is evolving quickly. Organizations that stay ahead of the curve—by achieving Rev 2 compliance now while preparing for Rev 3—will be better positioned to maintain continuity of contracts as enforcement expands. Those who wait will find themselves in an increasingly competitive queue for assessors, resources, and time.

Speak to an Essendis expert today to understand where you stand against both NIST 800-171 Rev 2 and Rev 3—and build a compliance roadmap that holds up over time.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.