What changed from Rev 2 to Rev 3 and how to plan your migration
Author: Leonard Esere | Senior Cybersecurity Engineer, CMMC Registered Practitioner
Credentials: DoD Secret Clearance | DoE Q Clearance | MITRE ATT&CK Practitioner | LANL Full ATO Lead
Date: April 2026
Organization: Aeolitech
Abstract
On May 14, 2024, NIST published the final version of Special Publication 800-171, Revision 3—the first major update to the standard since Revision 2 was released in February 2020. Rev 3 is not a minor editorial refresh: it restructures the entire framework, reduces the total control count from 110 to 97, adds three new control families (Planning, System and Services Acquisition, and Supply Chain Risk Management), introduces 88 Organization-Defined Parameters (ODPs), and increases assessment objectives from 320 to 422. Despite these changes, DoD contractors subject to DFARS 252.204-7012 are not yet required to implement Rev 3. The DoD issued a class deviation in May 2024 locking compliance to Rev 2, and the CMMC Final Rule (32 CFR Part 170) explicitly references Rev 2. However, the DoD published its ODP values memo on April 15, 2025—a strong signal that Rev 3 adoption is coming. Smart contractors are dual-tracking: maintaining Rev 2 compliance for current assessments while building Rev 3 awareness into their security programs now. This paper provides a structured migration strategy, including a crosswalk table between Rev 2 and Rev 3 controls, analysis of the three new families, and a dual-tracking SSP approach.
Table of Contents
1. Regulatory Status: Where Rev 3 Stands Today
2. Key Quantitative Changes at a Glance
3. The Three New Control Families
4. Organization-Defined Parameters (ODPs) Explained
5. Structural Changes: What Happened to Rev 2 Controls
6. Rev 2 to Rev 3 Crosswalk Table
7. Migration Strategy: Dual-Tracking Both Revisions
8. DoD ODP Values: What DoD Already Expects
9. SSP Migration Approach
10. About the Author
11. References
1. Regulatory Status: Where Rev 3 Stands Today
Understanding what is currently required versus what is coming is essential for any migration planning effort. The regulatory picture as of April 2026:
| Framework/Regulation | Current Version Required | Notes |
|---|---|---|
| DFARS 252.204-7012 (now 252.240-7997) | NIST SP 800-171 Rev 2 | DoD class deviation (May 2024) locks to Rev 2 |
| CMMC Final Rule (32 CFR Part 170) | NIST SP 800-171 Rev 2 | Published October 2024; C3PAOs assess against Rev 2 |
| Civilian agencies (non-DoD) | NIST SP 800-171 Rev 3 | No DoD class deviation applies to civilian contracts |
| DoD ODP memo (April 15, 2025) | NIST SP 800-171 Rev 3 | Published in preparation for future Rev 3 adoption |
The DoD's intent is clear: Rev 3 will become the operative standard when a DFARS rule change and CMMC update formally adopt it. No timeline has been published as of April 2026, but the publication of DoD-specific ODP values in April 2025 is the clearest signal that the transition is actively in preparation.
Key implication: If your contract is with a civilian agency (GSA, DHS, HHS, etc.) rather than DoD, Rev 3 may already apply. Non-DoD contracts do not have the class deviation locking compliance to Rev 2.
2. Key Quantitative Changes at a Glance
| Attribute | Rev 2 (Feb 2020) | Rev 3 (May 2024) |
|---|---|---|
| Publication date | February 2020 (updated Jan 2021) | May 14, 2024 |
| Control families | 14 | 17 |
| Total controls | 110 | 97 |
| Assessment objectives (800-171A) | 320 | 422 |
| Organization-Defined Parameters | None | 88 across 49 requirements |
| Basic vs. derived distinction | Yes (from FIPS 200) | Eliminated; 800-53 is single source |
| Word "periodically" in requirements | Used in 5+ requirements | Removed entirely |
| Supply Chain Risk Management family | No | Yes (SR) |
| Planning family | No | Yes (PL) |
| System and Services Acquisition family | No | Yes (SA) |
| CMMC Level 2 required version | Yes | Not yet |
| Applicable to DoD contractors | Yes (via DFARS) | Future (pending DFARS update) |
Do not mistake the lower control count (97 vs. 110) for a lower security bar. Many of the consolidated requirements are broader than their Rev 2 predecessors, and the significant increase in assessment objectives (from 320 to 422, or up to 509 when ODPs are counted as assessment items) means the evidentiary burden has increased substantially.
3. The Three New Control Families
Rev 3 adds three control families to align with the NIST SP 800-53B moderate control baseline. These families were implicitly expected under Rev 2 but never formally required as controls.
3.15 Planning (PL)
Why added: Rev 2 required contractors to have a System Security Plan (3.12.4) but placed it within Security Assessment. Rev 3 elevates planning to its own family, making the SSP and rules of behavior explicit requirements with their own assessment objectives.
Key requirements:
- 03.15.01 – System Security Plan: Develop, document, maintain, and disseminate a system security plan that covers all security requirements.
- 03.15.02 – Rules of Behavior: Establish and make users acknowledge rules of behavior for CUI systems.
- 03.15.03 – System Security Plan Updates: Keep the plan current as the system or environment changes.
Engineering impact: If you already have a mature SSP under Rev 2, this transition is mostly documentation-level. The substantive change is that SSP maintenance now has its own dedicated assessment procedure, meaning assessors will examine revision history, approval records, and whether the SSP reflects the current system state.
3.16 System and Services Acquisition (SA)
Why added: Mirrors NIST SP 800-53 SA controls relevant to protecting CUI in the acquisition lifecycle.
Key requirements:
- 03.16.01 – Policy and Procedures: Develop SA policies aligned to CUI protection.
- 03.16.02 – Acquisition Processes: Include security requirements for CUI in acquisition planning.
- 03.16.03 – External System Services: Require external service providers to comply with CUI requirements.
Engineering impact: This formalizes what many contractors were already expected to do informally: ensure that cloud providers and third-party vendors meet FedRAMP Moderate equivalency (already required by DFARS 7012(b)(2)(ii)(D)). Rev 3 makes vendor security requirements a scoreable control.
3.17 Supply Chain Risk Management (SR)
This is the most significant addition, directly addressing the post-SolarWinds and post-Log4j threat landscape.
Key requirements:
- 03.17.01 – Supply Chain Risk Management Plan: Develop and maintain a documented SCRM plan.
- 03.17.02 – Acquisition Strategies and Tools: Define acquisition strategies, tools, and methods to address supply chain risks.
- 03.17.03 – Supply Chain Controls and Processes: Implement processes to identify and address supply chain weaknesses.
Engineering impact: SCRM plans require organizations to assess the security posture of hardware and software suppliers, track third-party software components (Software Bill of Materials / SBOM), and establish incident response procedures specific to supply chain events. This is new operational work that most mid-tier contractors have not formalized.
4. Organization-Defined Parameters (ODPs) Explained
ODPs are the most architecturally significant change in Rev 3. They replace vague language like "periodically" with explicit fill-in-the-blank parameters that each organization must define based on its risk profile and operational environment.
What ODPs look like:
Rev 2 (3.11.2): "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified."
Rev 3 equivalent (three sub-requirements with ODPs):
1. Monitor and scan the system for vulnerabilities [Assignment: organization-defined frequency] and when new vulnerabilities affecting the system are identified.
2. Remediate system vulnerabilities within [Assignment: organization-defined response times].
3. Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified.
ODP statistics:
- 88 total ODPs across 49 of the 97 requirements
- Initially 100+ in the first public draft (May 2023)
- Reduced to 34 in the November 2023 draft following industry pushback
- Final version settled on 88 after additional stakeholder input
Why ODPs matter: Each ODP value must be documented, defensible, and consistent with applicable laws, regulations, and DoD guidance. Organizations cannot arbitrarily set "scan quarterly" if their risk posture demands monthly scans. When DoD formally adopts Rev 3, assessors will evaluate whether ODP implementations align with the DoD-defined values published in April 2025.
5. Structural Changes: What Happened to Rev 2 Controls
Rev 3's 97 controls represent a net reduction of 13 from the 110 controls in Rev 2, but this was not a simple deletion:
- Withdrawn: 27 requirements were withdrawn from Rev 2
- Subsumed: Many withdrawn requirements were absorbed into other requirements (e.g., 3.1.1 Account Management in Rev 3 absorbed several previously separate access controls)
- New: 9 new requirements introduced across the three new families and additions to existing families (e.g., Configuration Management gained three new controls: 03.04.10 System Component Inventory, 03.04.11 Information Location, 03.04.12 System and Component Configuration for High-Risk Areas)
Tailoring criteria changes:
| Rev 2 Category | Rev 3 Equivalent |
|---|---|
| Non-Federal Organization (NFO) controls | Either incorporated into main body or categorized as NCO |
| Not Directly Related to CUI (NCO) | Retained; some new NCOs added |
| (not present) | Not Applicable (NA) — new category for inapplicable controls |
| (not present) | Other Related Controls (ORC) — identifies controls where protection is also provided by another control |
6. Rev 2 to Rev 3 Crosswalk Table
The following table maps selected Rev 2 requirements to their Rev 3 equivalents. For the full crosswalk, NIST published an official change analysis spreadsheet at csrc.nist.gov.
| Rev 2 Control | Rev 2 Description | Rev 3 Control | Rev 3 Status | Key Change |
|---|---|---|---|---|
| 3.1.1 | Limit system access to authorized users | 03.01.01 | Modified | Expanded; absorbed several sub-requirements |
| 3.1.2 | Limit access to authorized transactions | 03.01.02 | Modified | Aligned to 800-53 AC-3 language |
| 3.1.3 | Control CUI flow | 03.01.03 | Modified | Added ODP for information flow enforcement |
| 3.3.1 | Create and retain audit logs | 03.03.01 | Modified | New ODP: audit record content |
| 3.3.2 | Trace actions to users | 03.03.02 | Modified | Leading zeros added; minor wording |
| 3.4.1 | Baseline configurations | 03.04.01 | Modified | Added ODP for configuration item scope |
| 3.4.3 | Track/review/approve changes | 03.04.03 | Modified | More granular change control requirements |
| 3.5.3 | Use MFA | 03.05.03 | Modified | Clarified scope: privileged + non-privileged network access |
| 3.5.7 | Password complexity | 03.05.07 | Modified | Added ODP for complexity parameters |
| 3.11.2 | Scan for vulnerabilities | 03.11.02 | Significantly modified | Split into 3 sub-requirements; 3 ODPs added |
| 3.12.4 | System Security Plan | Moved to 03.15.01 | Moved to Planning (PL) family | Now a dedicated family requirement |
| 3.13.11 | FIPS-validated cryptography | 03.13.10 | Renumbered | Minor wording update |
| 3.14.6 | Monitor for attacks/IOCs | 03.14.06 | Modified | Aligned to 800-53 SI-4 with more specificity |
| (not present) | Supply chain risk management plan | 03.17.01 | NEW | Entirely new requirement |
| (not present) | Acquisition strategies for SCRM | 03.17.02 | NEW | Entirely new requirement |
| (not present) | Supply chain controls and processes | 03.17.03 | NEW | Entirely new requirement |
Note: Leading zeros are now standard in Rev 3 numbering (03.01.01 vs. 3.1.1 in Rev 2). This is a formatting change with no substantive impact.
7. Migration Strategy: Dual-Tracking Both Revisions
The most operationally sound approach for 2025–2026 is dual-tracking: maintaining Rev 2 compliance for current CMMC assessments and self-assessments while beginning Rev 3 gap analysis in parallel.
Phase 1: Maintain Rev 2 Compliance (Current — Through CMMC Transition)
- Continue operating your SSP against all 110 Rev 2 requirements
- Ensure SPRS score reflects actual implementation state
- Proceed with C3PAO assessments under Rev 2 / 800-171A Rev 2 framework
- Monitor Federal Register for DFARS rule updates incorporating Rev 3
Phase 2: Rev 3 Gap Analysis (Begin Now)
1. Download Rev 3 and the official change analysis spreadsheet from csrc.nist.gov
2. Map your current Rev 2 SSP to Rev 3 using the crosswalk table above
3. Identify ODP gaps: For each of the 88 ODPs, document your current value (e.g., "we scan monthly") and assess whether it meets the DoD's April 2025 ODP values
4. Identify new control family gaps: Assess your current state against PL (Planning), SA (System/Services Acquisition), and SR (Supply Chain Risk Management)
5. Document in a Rev 3 shadow SSP: Maintain a Rev 3 annex to your current SSP showing implementation status for Rev 3 requirements
Phase 3: ODP Documentation (Begin Now)
For each of the 88 ODPs:
1. Identify the current operational practice (e.g., patch cadence, log review frequency)
2. Compare against DoD April 2025 ODP values
3. Document any gaps in a Rev 3 POA&M
4. Adjust practices where needed to align with DoD values before the requirement formally takes effect
Phase 4: Supply Chain Risk Management Readiness
The SR family represents the most novel work:
1. Inventory all third-party software components (SBOM)
2. Assess supplier security posture (vendor questionnaires, security certifications)
3. Draft your Supply Chain Risk Management Plan document
4. Identify high-risk suppliers and document monitoring procedures
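The first two Phase 4 steps (inventory third-party components from an SBOM, then identify suppliers that need monitoring) can be started from the SBOM data most build tooling already produces. The following is an added example written for this paper, not NIST, DoD or any project's tooling: it reads a small CycloneDX-style JSON document (constructed sample input), builds a deduplicated component inventory grouped by supplier, and lists the items an SCRM plan would have to act on. The high-risk supplier list and the component and supplier names are hypothetical policy inputs.

```python
"""Component inventory and supply chain review items from a CycloneDX-style SBOM.

Added example for this paper, not NIST/DoD tooling. The SBOM below is constructed
sample input following the CycloneDX JSON layout (bomFormat, specVersion,
components[]); component names, versions and suppliers are hypothetical.
"""
import json
from collections import defaultdict

# Constructed sample SBOM. One component is listed twice (typical of merged
# per-module SBOMs), one has no supplier, and one has no package URL (purl).
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "cui-portal", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "supplier": {"name": "Apache Software Foundation"}},
    {"type": "library", "name": "padlib", "version": "1.3.0",
     "purl": "pkg:npm/padlib@1.3.0"},
    {"type": "library", "name": "widgetkit", "version": "0.9.2",
     "supplier": {"name": "Example Vendor LLC"}},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "supplier": {"name": "Apache Software Foundation"}}
  ]
}"""

# Hypothetical policy input: suppliers the SCRM plan has rated high-risk.
HIGH_RISK_SUPPLIERS = {"Example Vendor LLC"}


def load_components(sbom_json: str) -> list:
    """Parse the SBOM and return its component list; reject non-CycloneDX input."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def supplier_name(component: dict):
    """Supplier name recorded for a component, or None if the SBOM omits it."""
    return (component.get("supplier") or {}).get("name")


def component_inventory(components: list) -> dict:
    """Deduplicate by (name, version) and group by supplier.

    Components with no supplier are grouped under 'UNKNOWN' so the gap is visible."""
    inventory = defaultdict(set)
    for c in components:
        inventory[supplier_name(c) or "UNKNOWN"].add((c["name"], c["version"]))
    return {supplier: sorted(items) for supplier, items in inventory.items()}


def review_items(components: list) -> list:
    """Items the SCRM plan must act on: unknown supplier, high-risk supplier, or no purl.

    Returns (component name, reason) pairs; each (name, version) is considered once."""
    items = []
    seen = set()
    for c in components:
        key = (c["name"], c["version"])
        if key in seen:
            continue
        seen.add(key)
        supplier = supplier_name(c)
        if supplier is None:
            items.append((c["name"], "no supplier recorded"))
        elif supplier in HIGH_RISK_SUPPLIERS:
            items.append((c["name"], f"high-risk supplier: {supplier}"))
        if "purl" not in c:
            # Without a package URL the component cannot be matched against advisories.
            items.append((c["name"], "no package URL; cannot be tracked against advisories"))
    return items


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM_JSON)
    for supplier, items in component_inventory(comps).items():
        print(supplier, items)
    for name, reason in review_items(comps):
        print(f"REVIEW {name}: {reason}")
```

The inventory output is the "Inventory all third-party software components" artifact; the review list is the starting point for supplier questionnaires and the high-risk supplier monitoring procedures the SCRM plan has to document.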
Phase 5: Formal Rev 3 Transition (When DFARS Rule Changes)
When DoD formally adopts Rev 3 via DFARS:
1. Update your SSP from Rev 3 shadow to primary
2. Conduct a formal Rev 3 self-assessment
3. Update SPRS with the Rev 3 assessment score (when SPRS and DoD Assessment Methodology are updated for Rev 3)
4. Prepare for C3PAO assessment under updated CMMC framework
8. DoD ODP Values: What DoD Already Expects
The DoD's April 15, 2025 memorandum published specific values for all 88 ODPs. These values define the DoD's expectations for how contractors will fill in each parameter. Selected examples:
| ODP Requirement | DoD Defined Value |
|---|---|
| 03.05.08 – Account lockout attempts | At most 5 consecutive unsuccessful logon attempts |
| 03.05.08 – Lockout time period | 5-minute observation period |
| 03.05.08 – Lockout duration | At least 15 minutes, or admin release |
| 03.11.02 – Vulnerability scan frequency | At least monthly |
| 03.11.02 – Patch timeline (High/Critical) | Within 30 days of discovery |
| 03.11.02 – Patch timeline (Moderate) | Within 90 days of discovery |
| 03.11.02 – Patch timeline (Low) | Within 180 days of discovery |
| 03.05.05 – Identifier reuse prevention | At least 10 years |
These values are more specific—and in many cases more demanding—than current industry practice. The 10-year identifier reuse period (03.05.05) and the 30-day patch deadline for high/critical findings are particularly noteworthy. Organizations that begin aligning to these values now will face a less disruptive transition when Rev 3 becomes mandatory.
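Phase 3 of the migration strategy (document each current ODP value, compare it with the DoD value, record the gaps in a Rev 3 POA&M) and the DoD values in the table above can be turned into a repeatable check. The following is an added example written for this paper, not NIST or DoD tooling: it encodes the DoD values quoted in the table, compares a constructed set of organization values against them, and classifies a constructed set of vulnerability findings against the DoD remediation windows. "At least monthly" scanning is modelled here as at most 30 days between scans, which is an assumption of the example.

```python
"""Rev 3 ODP gap check against the DoD-defined values quoted in this paper.

Added example, not NIST/DoD tooling. DoD values are the ones in the Section 8
table; every organization value and finding below is constructed sample input.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Odp:
    requirement: str  # Rev 3 requirement number
    parameter: str    # what the parameter defines
    dod_value: int    # DoD-defined value (April 2025 memo, as quoted in the paper)
    unit: str
    rule: str         # "max": org value must be <= DoD value; "min": org value must be >= DoD value


DOD_ODPS = [
    Odp("03.05.08", "consecutive unsuccessful logon attempts", 5, "attempts", "max"),
    Odp("03.05.08", "lockout duration", 15, "minutes", "min"),
    Odp("03.11.02", "days between vulnerability scans", 30, "days", "max"),  # "at least monthly" assumed = 30 days
    Odp("03.11.02", "remediation time, high/critical", 30, "days", "max"),
    Odp("03.11.02", "remediation time, moderate", 90, "days", "max"),
    Odp("03.11.02", "remediation time, low", 180, "days", "max"),
    Odp("03.05.05", "identifier reuse prevention", 10, "years", "min"),
]

# DoD remediation windows by severity (Section 8 table), used for the finding check.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


def odp_gaps(org_values: dict) -> list:
    """One entry per ODP that is undocumented or weaker than the DoD value.

    org_values maps (requirement, parameter) -> the organization's current value."""
    gaps = []
    for odp in DOD_ODPS:
        current = org_values.get((odp.requirement, odp.parameter))
        entry = {"requirement": odp.requirement, "parameter": odp.parameter,
                 "dod_value": odp.dod_value, "unit": odp.unit}
        if current is None:
            gaps.append({**entry, "status": "undocumented"})
            continue
        meets = current <= odp.dod_value if odp.rule == "max" else current >= odp.dod_value
        if not meets:
            gaps.append({**entry, "status": "gap", "current": current})
    return gaps


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str               # key of REMEDIATION_DAYS
    discovered: date
    remediated: Optional[date]  # None while still open


def remediation_status(finding: Finding, as_of: date) -> str:
    """Classify a finding against the DoD remediation window for its severity."""
    deadline = finding.discovered + timedelta(days=REMEDIATION_DAYS[finding.severity])
    if finding.remediated is not None:
        return "met" if finding.remediated <= deadline else "missed"
    return "open" if as_of <= deadline else "overdue"


def poam_candidates(findings: list, as_of: date) -> list:
    """Finding ids that belong in the Rev 3 shadow POA&M (missed or overdue)."""
    return [f.finding_id for f in findings
            if remediation_status(f, as_of) in ("missed", "overdue")]


# Constructed sample input: a contractor's current practice.
SAMPLE_ORG_VALUES = {
    ("03.05.08", "consecutive unsuccessful logon attempts"): 10,  # weaker than DoD's 5
    ("03.05.08", "lockout duration"): 15,                          # meets
    ("03.11.02", "days between vulnerability scans"): 90,          # quarterly scans: gap
    ("03.11.02", "remediation time, high/critical"): 45,           # gap
    ("03.11.02", "remediation time, moderate"): 90,                # meets
    ("03.11.02", "remediation time, low"): 180,                    # meets
    # 03.05.05 identifier reuse period deliberately left undocumented
}

SAMPLE_FINDINGS = [
    Finding("F-001", "critical", date(2026, 1, 10), date(2026, 2, 5)),  # closed in 26 days: met
    Finding("F-002", "high", date(2026, 1, 1), date(2026, 2, 15)),      # closed in 45 days: missed
    Finding("F-003", "moderate", date(2026, 3, 1), None),               # 45 days open of 90: open
    Finding("F-004", "low", date(2025, 9, 1), None),                    # 226 days open of 180: overdue
]
AS_OF = date(2026, 4, 15)

if __name__ == "__main__":
    for gap in odp_gaps(SAMPLE_ORG_VALUES):
        print(gap)
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, remediation_status(f, AS_OF))
    print("POA&M candidates:", poam_candidates(SAMPLE_FINDINGS, AS_OF))
```

Each entry returned by odp_gaps is a Rev 3 POA&M line item: the requirement, the parameter, the current value (or the fact that none is documented) and the DoD value to reach. Running remediation_status over an export from the vulnerability scanner shows whether the 30/90/180-day windows are actually being met, which is the evidence an assessor will ask for once Rev 3 applies.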
9. SSP Migration Approach
A practical approach to SSP migration avoids a full rewrite by building a Rev 3 annex:
Recommended SSP structure during dual-tracking:
```text
System Security Plan — [Organization Name]
├── Section 1: System Overview
├── Section 2: Rev 2 Implementation (110 Requirements) [Primary — Current Requirement]
│   ├── 3.1.x Access Control (22 requirements)
│   ├── ... [all 14 families]
│   └── 3.14.x System and Information Integrity (7 requirements)
├── Section 3: Rev 3 Gap Analysis Annex [Forward-Looking]
│   ├── Rev 3 New Families (PL, SA, SR)
│   ├── ODP Value Inventory
│   └── Rev 3 Shadow POA&M
└── Section 4: Evidence Library
```
This approach satisfies current CMMC/DFARS requirements while building the organizational knowledge base needed for a smooth Rev 3 transition.
Key SSP migration tasks:
| Task | Priority | Effort |
|---|---|---|
| Map current Rev 2 SSP to Rev 3 crosswalk | High | Medium |
| Document ODP current values for all 88 ODPs | High | Medium |
| Draft Supply Chain Risk Management Plan | High | High |
| Assess compliance with DoD ODP values | Medium | Medium |
| Draft Planning (PL) family controls | Medium | Low (if SSP already mature) |
| Assess System/Services Acquisition (SA) controls | Medium | Low-Medium |
| Update vendor agreements for SA-03.16.03 | Medium | Medium |
| Train assessment team on Rev 3 assessment objectives | Low-Medium | Low |
10. About the Author
Leonard Esere is a senior cybersecurity engineer and CMMC Registered Practitioner with over a decade of experience securing defense and national laboratory environments. He holds a DoD Secret clearance and a Department of Energy Q clearance—the equivalent of Top Secret in the intelligence community—and has served as the lead systems engineer on a full Authority to Operate (ATO) engagement at Los Alamos National Laboratory (LANL), one of the most complex classified computing environments in the federal government. His work spans MITRE ATT&CK-based threat modeling, CMMC gap assessments for Defense Industrial Base (DIB) contractors, and cloud security architecture for Azure GCC High and AWS GovCloud environments. Leonard advises organizations from pre-assessment readiness through C3PAO engagement and remediation.
For a complimentary CMMC gap assessment and Rev 3 readiness review, visit /services/cmmc-gap-assessment.
11. References
1. NIST SP 800-171 Rev 3 Final, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (May 14, 2024) — https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final
2. NIST SP 800-171 Rev 2 Final (January 2021) — https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
3. NIST SP 800-171 R2-to-R3 Change Analysis Spreadsheet — https://csrc.nist.gov/files/pubs/sp/800/171/r3/final/docs/sp800-171r2-to-r3-analysis.xlsx
4. DoD ODP Memorandum for NIST SP 800-171 Rev 3 (April 15, 2025) — https://www.acq.osd.mil/cmmc/
5. 32 CFR Part 170, CMMC Final Rule (October 2024) — https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
6. DoD Class Deviation for DFARS 252.204-7012 (May 2024) — https://www.acq.osd.mil/dpap/dars/docs/classdeviation2024-o0003.pdf
7. NIST SP 800-53 Rev 5, Security and Privacy Controls — https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
8. NIST SP 800-53B, Control Baselines for Information Systems and Organizations — https://csrc.nist.gov/publications/detail/sp/800-53b/final
9. Holland & Knight LLP, DoD Publishes Organization-Defined Parameters for NIST SP 800-171 Rev 3 (May 2025) — https://www.hklaw.com/en/insights/publications/2025/05/dod-publishes-organization-defined-parameters-for-nist-sp
10. Government Contracts Legal Forum, NIST Releases Final Version of NIST SP 800-171 Revision 3 (May 2024) — https://www.governmentcontractslegalforum.com/2024/05/articles/cybersecurity/nist-releases-final-version-of-nist-sp-800-171-revision-3/