NIST 800-171 Rev. 3: What Changed from Rev. 2 and How to Update Your SSP
CMMC COMPLIANCE

Control-by-control analysis of the Rev 2 to Rev 3 delta and a practical guide for updating your existing documentation.

Leonard Esere, April 18, 2026

NIST published Special Publication 800-171 Revision 3 in May 2024, and it represents the most significant restructuring of CUI protection requirements since the original publication. For defense contractors who have spent years building their compliance programs around Rev 2, the question is straightforward: what changed, what do I need to update, and how does this affect my CMMC assessment? This post provides the control-by-control analysis you need to plan your transition.

Important Timing Note

CMMC Level 2 currently maps to NIST 800-171 Rev 2. The DoD has indicated that CMMC will eventually transition to Rev 3, but the timeline for that transition has not been finalized. Contractors should maintain Rev 2 compliance for current assessments while beginning to understand Rev 3 changes for future readiness.

The Big Picture: What Rev 3 Changes

Rev 3 is not a minor update. NIST fundamentally restructured the publication to align more closely with NIST SP 800-53 Rev 5, the parent control catalog. The result is a document that is more precise, more comprehensive, and more demanding than Rev 2.

Rev 2 vs. Rev 3: High-Level Comparison

Dimension             | Rev 2                       | Rev 3
Total Requirements    | 110                         | 97 (reorganized)
Control Families      | 14                          | 17
Structure             | Basic/Derived requirements  | Requirements with ODP parameters
Parent Standard       | 800-53 Rev 4 (Moderate)     | 800-53 Rev 5 (Moderate)
Assessment Procedures | Separate (800-171A)         | Integrated with ODP
Tailoring Criteria    | NFO categories              | Revised tailoring with rationale

Structural Reorganization

The most visible change is the reorganization from 14 to 17 control families. Rev 3 adds three new families that were previously embedded within other families in Rev 2:

Planning (PL)

Security planning requirements that were previously implicit. Includes requirements for system security plans and rules of behavior.

Supply Chain Risk Management (SR)

New family addressing supply chain risks. Reflects growing concern about third-party and vendor security in the defense industrial base.

Personally Identifiable Information (PT)

Processing and transparency requirements for PII. Aligns with broader federal privacy requirements.

Key Control Changes by Family

Here is a family-by-family analysis of the most significant changes that will affect your existing implementation:

Access Control (AC)

Rev 2 had 22 requirements. Rev 3 consolidates and refines these. Key changes include more explicit requirements for access enforcement mechanisms, stronger language around remote access controls, and new requirements for access control decisions based on security attributes beyond just identity.

Action Required: Review remote access policies. Verify attribute-based access control capabilities. Update SSP control descriptions to reflect new requirement language.

Audit and Accountability (AU)

Audit requirements are more prescriptive in Rev 3. New emphasis on audit record content requirements, cross-organizational audit processing, and audit information correlation. The requirement for audit reduction and report generation is strengthened.

Action Required: Verify SIEM correlation capabilities. Ensure audit records contain all required fields. Document audit review and analysis procedures.

Configuration Management (CM)

Rev 3 adds more explicit requirements for configuration change control, including security and privacy impact analysis before changes. Baseline configuration requirements are more detailed, and there are new requirements for configuration settings documentation.

Action Required: Formalize change control process with security impact analysis. Document baseline configurations for all in-scope systems. Implement configuration monitoring.

Identification and Authentication (IA)

Significant strengthening of authentication requirements. Rev 3 includes more explicit multi-factor authentication requirements, stronger password composition rules aligned with current NIST guidance (SP 800-63B), and new requirements for authenticator management.

Action Required: Review MFA implementation against updated requirements. Update password policies to align with 800-63B. Document authenticator lifecycle management.

System and Communications Protection (SC)

Rev 3 adds requirements for cryptographic key management, boundary protection enhancements, and more explicit network segmentation requirements. The encryption requirements are more specific about algorithm selection and key management practices.

Action Required: Document cryptographic key management procedures. Verify FIPS 140-validated module usage. Review network segmentation against updated boundary protection requirements.

Organization-Defined Parameters (ODPs)

One of the most significant structural changes in Rev 3 is the introduction of Organization-Defined Parameters. In Rev 2, many requirements used fixed language. In Rev 3, requirements include parameters that the organization must define, such as frequency of reviews, time periods for actions, and specific thresholds.

ODP Example

Rev 2 might say: "Review audit logs periodically." Rev 3 says: "Review audit logs [organization-defined frequency]." You must define that frequency (e.g., weekly, daily) and document it in your SSP. The assessor will verify that your actual practice matches your defined parameter.

ODPs give organizations flexibility but also create a documentation burden. Every ODP must be defined, documented in the SSP, and consistently applied. If you define a parameter as "weekly" but your evidence shows monthly execution, that is a finding.
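The "defined parameter versus actual practice" check described above, as an added example that is not part of the original post or of any AeoliTech product: it takes a small ODP table and the dates on which each activity was actually evidenced, and reports where the longest gap (or the time since the last event) exceeds the defined frequency. The requirement identifiers, the ODP values and the evidence dates are all constructed placeholders, not real Rev 3 numbering.

```python
"""Check ODP-defined cadences against collected evidence (added example)."""
from datetime import date

# Constructed ODP table, as it might appear in an SSP appendix. The
# requirement identifiers are placeholders, not real Rev 3 numbering.
ODP_TABLE = {
    "AU-REVIEW-PLACEHOLDER": {"activity": "audit log review", "max_days": 7},
    "CM-BASELINE-PLACEHOLDER": {"activity": "baseline configuration review", "max_days": 90},
}

# Constructed evidence: ISO dates on which each activity was actually performed
# (for example, dated review tickets or signed checklists).
EVIDENCE = {
    "AU-REVIEW-PLACEHOLDER": ["2026-01-05", "2026-01-12", "2026-02-09", "2026-02-16"],
    "CM-BASELINE-PLACEHOLDER": ["2025-11-01", "2026-01-20"],
}

def max_gap_days(iso_dates):
    """Longest interval in days between consecutive evidence dates, or None if fewer than two."""
    ordered = sorted(date.fromisoformat(d) for d in iso_dates)
    if len(ordered) < 2:
        return None
    return max((later - earlier).days for earlier, later in zip(ordered, ordered[1:]))

def check_odp(odp_id, odp, iso_dates, as_of_iso):
    """Return a finding string when practice does not match the defined parameter, else None."""
    limit = odp["max_days"]
    if not iso_dates:
        return f"{odp_id}: no evidence of {odp['activity']} (defined: every {limit} days)"
    gap = max_gap_days(iso_dates)
    if gap is not None and gap > limit:
        return f"{odp_id}: longest gap between {odp['activity']} events is {gap} days, defined limit is {limit}"
    # Also catch a cadence that was fine historically but has lapsed before the assessment date.
    latest = max(date.fromisoformat(d) for d in iso_dates)
    stale = (date.fromisoformat(as_of_iso) - latest).days
    if stale > limit:
        return f"{odp_id}: last {odp['activity']} was {stale} days before {as_of_iso}, defined limit is {limit}"
    return None

def findings(odp_table, evidence, as_of_iso):
    """Evaluate every ODP and return the list of findings an assessor would raise."""
    results = []
    for odp_id, odp in odp_table.items():
        finding = check_odp(odp_id, odp, evidence.get(odp_id, []), as_of_iso)
        if finding:
            results.append(finding)
    return results

if __name__ == "__main__":
    for line in findings(ODP_TABLE, EVIDENCE, "2026-02-20"):
        print(line)
```

With the constructed data, the weekly audit review shows a 28-day gap in January and is reported, while the quarterly baseline review stays within its 90-day parameter.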

Practical SSP Update Guide

If you have an existing SSP built against Rev 2, here is the practical process for updating it to Rev 3:

SSP Update Process

Step 1: Map Rev 2 Controls to Rev 3

NIST provides a mapping table in Appendix B of Rev 3. Use this to identify which Rev 2 requirements map to which Rev 3 requirements. Some map one-to-one, some are consolidated, and some are split across multiple new requirements.

Step 2: Identify New Requirements

Flag any Rev 3 requirements that have no Rev 2 equivalent. These are net-new requirements that need fresh implementation and documentation. Pay special attention to the new SR (Supply Chain) and PL (Planning) families.

Step 3: Define All ODPs

Go through every requirement that contains an ODP and define the parameter value for your organization. Document these in a central ODP table in your SSP. Ensure the values are realistic and achievable.

Step 4: Rewrite Control Descriptions

Update each control implementation description to use Rev 3 language and reference your defined ODPs. Do not just change the requirement numbers. The requirement language has changed and your descriptions should reflect the new specificity.

Step 5: Gap Assessment

For each new or modified requirement, assess whether your current implementation satisfies the Rev 3 language. Create POA&M entries for any gaps identified. Prioritize gaps in foundational controls.

Step 6: Update Supporting Documents

Update your network diagrams, data flow diagrams, asset inventory, and policies to align with Rev 3 terminology and structure. Ensure all cross-references within the SSP point to the correct Rev 3 requirement identifiers.

Impact on Existing CMMC Assessments

For contractors preparing for CMMC Level 2 assessments in the near term, the immediate impact is limited. CMMC currently references Rev 2, and assessments will be conducted against Rev 2 requirements until the DoD formally updates the CMMC framework to reference Rev 3. However, understanding Rev 3 now gives you a head start on the eventual transition and helps you build a more robust security program.

The smart approach is to maintain your Rev 2 SSP for current assessment purposes while beginning a parallel Rev 3 analysis. When the DoD announces the transition timeline, you will be ready to update rather than starting from scratch.

Need Help Navigating the Rev 2 to Rev 3 Transition?

AeoliTech's PolicyCortex tracks both Rev 2 and Rev 3 requirements, making the transition seamless when the time comes.


Leonard Esere

Founder & CEO, AeoliTech

Leonard has tracked NIST 800-171 since its initial publication and has helped contractors navigate every revision. His work at MITRE on assessment frameworks gives him unique insight into how control changes affect real-world implementations.