NIST 800-171 Rev 3 Update · June 20, 2026

NIST SP 800-171 Rev 3: What Changed and What Defense Contractors Need to Do

NIST published the final version of SP 800-171 Revision 3 in May 2024. If you are a defense contractor working toward CMMC Level 2, here is exactly what changed from Rev 2, whether it affects your current compliance work, and what to do about it.

Bottom line for CMMC contractors: CMMC 2.0 still maps to NIST SP 800-171 Rev 2. Your 110-practice compliance baseline has not changed. Rev 3 matters for future planning, and you should understand it, but your current CMMC assessment prep should remain focused on Rev 2 requirements. Do not let a Rev 3 blog post derail your Rev 2 assessment work. Finish the sprint you are in first.

What Is NIST SP 800-171 and Why Does It Matter for CMMC?

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. CUI is government information that is sensitive but not classified - think technical data, export-controlled engineering specs, contract details. If you handle it, you need to protect it. NIST 800-171 is the rulebook for how to do that.

For defense contractors, it is the technical foundation of CMMC Level 2 - the 110 practices in CMMC Level 2 map directly to the 110 security requirements in NIST SP 800-171 Rev 2.

When NIST updates 800-171, it eventually becomes the new baseline for CMMC. Rev 1 was published in 2015, Rev 2 in 2020 (which CMMC adopted), and Rev 3 in May 2024. The pattern suggests DoD will eventually align CMMC to Rev 3, but the formal adoption process takes time - historically 18 to 36 months between NIST publishing a revision and DoD formally requiring it in contracts. So you have runway, but not infinite runway.

What Changed from Rev 2 to Rev 3

Rev 3 is a substantial update - not a minor revision. The structural and content changes are significant enough that organizations will need a dedicated gap analysis when DoD formally adopts it.

New Control Families Added

The most significant structural change in Rev 3 is the addition of control families that did not exist in Rev 2:

New Family: Planning (PL)

Rev 3 adds a formal Planning family requiring organizations to develop and maintain a cybersecurity plan for their systems. Rev 2 had the SSP requirement embedded in the Security Assessment family (CA). Rev 3 elevates planning to its own family with dedicated requirements around documenting the rules of behavior for system users, defining system characteristics and boundaries, and establishing a formal planning process. Organizations that have comprehensive SSPs will have a head start on PL requirements - but the Rev 3 expectations are more granular than what Rev 2's SSP alone requires.

New Family: Supply Chain Risk Management (SR)

This is the highest-impact addition for most contractors. Rev 3 introduces dedicated Supply Chain Risk Management requirements covering: establishing and documenting supply chain risk management policies and plans, identifying and assessing supply chain risks, using trustworthy components and acquiring from trusted suppliers, requiring suppliers to disclose vulnerabilities in their products, and protecting against counterfeit or compromised components.

If your organization relies on third-party hardware, software, or services - and every organization does, unless you are manufacturing your own chips and writing your own operating system from scratch - SR requirements will require new documentation and processes that do not exist in your current Rev 2 compliance program. Most organizations have never formally documented who their critical suppliers are, let alone assessed the security risk of those suppliers. That work is coming.

Significant Changes to Existing Families

Beyond the new families, Rev 3 substantially updated content within existing control families:

Family: Access Control (AC)
Key Rev 3 changes: Added requirements around account management, remote access, and information flow enforcement. Tightened language around least privilege and privileged account controls.
Rev 2 coverage: 22 practices; most carry over but with updated specificity.

Family: Awareness & Training (AT)
Key Rev 3 changes: Added an explicit requirement for role-based training tailored to specific organizational roles and responsibilities. Rev 2 implied this but did not state it explicitly.
Rev 2 coverage: 3 practices in Rev 2; expanded scope in Rev 3.

Family: Configuration Management (CM)
Key Rev 3 changes: Added requirements around system component inventory, software usage restrictions, and user-installed software controls. Stronger language on a deny-by-default posture.
Rev 2 coverage: 9 practices in Rev 2.

Family: Identification & Authentication (IA)
Key Rev 3 changes: Updated to reflect current authentication standards, with stronger alignment to NIST SP 800-63B. Added requirements around device authentication and authenticator management.
Rev 2 coverage: 11 practices in Rev 2.

Family: Risk Assessment (RA)
Key Rev 3 changes: Significantly expanded. Added requirements around criticality analysis, risk response, and supply chain risk assessment (now coordinated with the new SR family).
Rev 2 coverage: 3 practices in Rev 2; substantially expanded in Rev 3.

Family: System & Communications Protection (SC)
Key Rev 3 changes: Updated cryptography requirements to align with current NIST standards. Clarified boundary protection requirements for cloud environments and modern architectures.
Rev 2 coverage: 16 practices in Rev 2.

Structural and Numbering Changes

Rev 3 also changed the numbering format for requirements. Rev 2 used a three-part numbering scheme (e.g., 3.1.1, 3.1.2). Rev 3 uses a different structure that aligns more directly with NIST SP 800-53 Rev 5, the federal baseline from which 800-171 is derived. In plain terms: all the familiar practice numbers you have spent months memorizing are going to be different.

This matters practically because any crosswalk mapping, SSP documentation, or compliance tool built around Rev 2 practice numbers will need to be updated when DoD formally adopts Rev 3. Your "3.1.1" references in your SSP will not map to the same place in Rev 3. NIST provides a crosswalk to help with the translation - use it.

What Does Rev 3 Mean for Your Current CMMC Compliance?

For contractors actively pursuing CMMC Level 2 certification today: nothing changes immediately. Your assessment will be conducted against Rev 2 requirements. Your SSP covers Rev 2 practices. Your policies and controls are structured around the 14 domains and 110 practices in Rev 2.

What does change is your planning horizon. Rev 3 will eventually become the CMMC baseline, and the gap between Rev 2 and Rev 3 is significant enough that you should not assume your current compliance program will carry forward unchanged. The supply chain requirements alone represent a new category of documentation and vendor management that most organizations have not done under Rev 2.

Practical advice: Get CMMC Level 2 certified under Rev 2 requirements first. Then use the period after certification to begin a Rev 3 gap analysis - identifying what new requirements exist that you are not currently meeting. Treating them as two separate projects is more manageable than trying to jump directly to Rev 3 before Rev 2 work is complete.

The Two Rev 3 Areas to Start Thinking About Now

Even though Rev 3 is not yet in CMMC contracts, two areas are worth early attention because the underlying security practices are important regardless of regulatory status:

Supply Chain Risk Management

The question "do you know where your software and hardware components come from, and have you assessed the security risk of your suppliers?" is a legitimate security question independent of regulation. Rev 3's SR requirements formalize what good security practice already looks like. Organizations that begin documenting their critical suppliers, understanding the software components in their products, and establishing vendor security requirements now will have a significant head start when SR requirements become contractually required. (They will also have better security posture in the meantime.)

Cybersecurity Planning

If your current SSP is comprehensive, well-maintained, and accurately reflects your actual environment, you are largely ahead of where Rev 3's PL requirements will take you. If your SSP is a template that was filled in once in 2022 and has not been touched since - and describes a network that no longer matches what you actually have - Rev 3 is an uncomfortable reminder that cybersecurity planning is supposed to be ongoing, not a box you checked before moving on. Start treating your SSP like a living document now, before Rev 3 makes it mandatory.

Practical Steps for Defense Contractors

  1. Complete your Rev 2 compliance program first. If you have an active CMMC assessment scheduled or in progress, stay focused on your Rev 2 requirements. Rev 3 is not yet an assessment standard and should not distract from current compliance work.
  2. Download and read the Rev 3 publication. NIST SP 800-171 Rev 3 is available free from the NIST website. The publication includes a crosswalk appendix comparing Rev 2 requirements to Rev 3 - this is your starting point for understanding what you already have and what is new.
  3. Conduct a Rev 3 gap analysis after achieving Rev 2 compliance. Identify which Rev 3 requirements have no corresponding Rev 2 practice - these represent genuinely new work. Prioritize the gaps by security impact, not just by document presence.
  4. Start documenting your supply chain now. Even without a formal regulatory requirement, begin identifying critical suppliers, documenting software provenance for systems that handle CUI, and establishing basic vendor security requirements. This work will be required eventually and provides real security value in the interim.
  5. Monitor DoD and CyberAB announcements. The formal transition timeline will come from DoD rulemaking and the CMMC Accreditation Body. Set up alerts for CMMC rulemaking updates so you are not caught off guard by a transition announcement.

Your Rev 2 Documentation Should Already Be in Order

Before planning for Rev 3, make sure your current CMMC Level 2 foundation is solid. Our Complete Domain Policy Bundle covers all 14 CMMC domains with formal policy language that maps directly to NIST SP 800-171 Rev 2 requirements - giving you the documentation foundation that assessors expect to see on day one of your assessment.


Frequently Asked Questions

CMMC 2.0 as published uses NIST SP 800-171 Rev 2 as its foundation. The 110 practices in CMMC Level 2 map to Rev 2. As of mid-2026, DoD has not formally adopted Rev 3 into the CMMC framework. Contractors should continue using Rev 2 as their compliance baseline while tracking Rev 3 for future planning.

Rev 3 significantly expands the control set from Rev 2's 110 practices. It adds new control families - including Planning (PL) and Supply Chain Risk Management (SR) - and new requirements within existing families. The total number of net-new requirements depends on how you count practices that were merged, split, or rewritten rather than simply added. The overall compliance burden increases meaningfully compared to Rev 2.

The two most significant changes are Supply Chain Risk Management (SR) as a formal new family and Planning (PL) requirements. Supply chain requirements address the security of technology and software acquired from suppliers - a significant new documentation and assessment burden. Planning requirements formalize cybersecurity planning activities that were previously implied but not explicitly required in Rev 2.

As of mid-2026, DoD has not announced a specific timeline for CMMC alignment to Rev 3. Historically, DoD transitions take 18-36 months after NIST publishes a new revision before the updated requirements appear in contracts. Contractors should monitor official DoD and CyberAB announcements for transition guidance.

The pragmatic answer for most organizations is to get Rev 2 right first, then begin Rev 3 gap analysis in parallel. For organizations already compliant with Rev 2 that have bandwidth for forward-looking work, focusing on supply chain risk management documentation now makes sense - it will be required eventually and represents genuine security improvement regardless of regulatory status.

Yes. NIST published crosswalk documentation between Rev 2 and Rev 3 alongside the Rev 3 release. The crosswalk shows which Rev 2 practices map to Rev 3 requirements and identifies new Rev 3 requirements with no Rev 2 predecessor. This is the best starting point for understanding your current coverage gap when planning for the eventual transition.
