If you're preparing for a CMMC Level 2 assessment right now, there's one thing you need to understand clearly: your assessor can only grade you against NIST SP 800-171 Revision 2. A May 2024 DFARS Class Deviation locked the CMMC program to Rev 2 while the DoD and industry work through the transition to Revision 3. That transition is coming—but for Phase 2 assessments beginning November 10, 2026, Rev 2 is the standard. Full stop.
So why does Rev 3 matter now? Because organizations that ignore it today will face a much steeper climb when the transition becomes mandatory—and that rulemaking is expected sometime in late 2026 or early 2027.
Revision 3 is a meaningful update, not a cosmetic refresh. The most significant change is the addition of 17 new requirements across several control families, raising the total from 110 to 127 practices. Many controls now include Organization-Defined Parameters (ODPs)—values that each organization must define, document, and defend. This is a meaningful shift from the more prescriptive approach in Rev 2, and it adds an administrative layer that many organizations haven't encountered before.
Rev 3 also restructures control families to align more closely with NIST SP 800-53 Rev 5 and expands supply chain risk management requirements—formalizing, in technical terms, what CMMC flow-down addresses contractually. If your supply chain posture is already in good shape, Rev 3 won't blindside you. If it isn't, the new requirements will expose that gap.
Yes—with an important caveat. The DoD issued an April 2025 memorandum defining the Organization-Defined Parameters for Rev 3, and organizations can implement those controls today. However, your C3PAO assessment will still be scored against Rev 2 until the DoD formally transitions through rulemaking. Implementing Rev 3 now represents sound security practice, but it doesn't substitute for Rev 2 compliance in the context of your current assessment.
The smart approach: use your Rev 2 assessment cycle to close Rev 2 gaps first, then treat Rev 3 as the next phase of your compliance roadmap. The transition window is an opportunity, not a delay.
The regulatory environment around CMMC is evolving quickly. Organizations that stay ahead of the curve—by achieving Rev 2 compliance now while preparing for Rev 3—will be better positioned to maintain continuity of contracts as enforcement expands. Those who wait will find themselves in an increasingly competitive queue for assessors, resources, and time.
Speak to an Essendis expert today to understand where you stand against both NIST 800-171 Rev 2 and Rev 3—and build a compliance roadmap that holds up over time.

