NIST 800-171 Rev 2 vs Rev 3 explained

Both revisions are official. CMMC Level 2 is scored against Rev 2 today. We explain the four areas where Rev 3 is materially different, why DoD has not adopted it, and how to architect your evidence so the eventual Rev 3 migration is a remap, not a rebuild.

May 27, 2026 · 5 min read

Every defense contractor preparing for CMMC Level 2 hits the same question within their first two weeks of reading: should I be implementing NIST 800-171 Revision 2, or Revision 3? Both exist. Both are official. The answers you get from consultants depend on what they are selling.

Here is the answer without an agenda.

The short version

Your CMMC Level 2 assessment is scored against NIST 800-171 Revision 2 today, and through at least the end of 2026 by current DoD posture. Revision 3 is published, but the DoD has not adopted it into the CMMC rulemaking. You implement Rev 2 controls now, and you architect your evidence model so the Rev 3 migration is a remap, not a rebuild.

The rest of this article is the long version of why that is the right call, and what the practical differences look like.

What changed between Rev 2 and Rev 3

NIST published Revision 2 in February 2020 and Revision 3 in May 2024. The high-level shape:

Dimension         | Revision 2 (current)       | Revision 3
------------------|----------------------------|--------------------------------------------------------------------
Total controls    | 110                        | 97
Control families  | 14                         | 17
New families      | n/a                        | Supply Chain Risk Management, Planning, System & Services Acquisition
Removed           | n/a                        | A handful of duplicate / redundant controls consolidated
Notable additions | n/a                        | Phishing-resistant MFA, modernized access control language, tighter data classification scope
CMMC adoption     | Required for CMMC L2 today | Not adopted (as of 2026)

The Rev 3 control count goes down even though Rev 3 adds entire new families, because Rev 3 also consolidates duplicate and overlapping controls from Rev 2.

Why DoD has not adopted Rev 3

The CMMC rulemaking that codified DoD's reliance on NIST 800-171 explicitly references Revision 2. Changing the referenced revision requires a rulemaking update, and DoD has signaled in public comments that it wants the CMMC assessment infrastructure (assessors, training, C3PAO accreditation, MAP scoring) to stabilize on Rev 2 before introducing Rev 3.

This is not a temporary delay measured in weeks. The realistic window for DoD to adopt Rev 3 into CMMC is 2027 at the earliest, and possibly later. Treat Rev 3 as a forecasted standard, not an active requirement.

The DFARS clauses that reference NIST 800-171 outside the CMMC program (such as DFARS 252.204-7012) may move to Rev 3 on a different timeline. If you are subject to those clauses directly (not through CMMC), check the specific contract language.

Where Rev 3 is materially different in implementation

For contractors who want to look ahead, here are the four areas where Rev 3 will require a new evidence shape, not just a remapping:

1. Supply Chain Risk Management (new family)

Rev 3 introduces Supply Chain Risk Management (SR) as a full control family. The SR controls require documented evidence of supplier evaluation, supply chain risk policies, and contract clauses that flow CMMC requirements down to your own subcontractors.

If you are a defense prime, you already do some of this informally. Rev 3 wants the documented version. Build the evidence flow now and the Rev 3 migration is cheap.

2. Phishing-resistant MFA

Rev 3's identification and authentication controls explicitly elevate phishing-resistant MFA (FIDO2 / hardware keys / passkeys) above SMS or TOTP for high-privilege accounts. Rev 2 says "multi-factor"; Rev 3 says "phishing-resistant multi-factor" for the controls that matter.

You can deploy phishing-resistant MFA on a Rev 2 implementation and benefit immediately. Most CMMC L2 contractors already need to, because TOTP-only MFA is increasingly flagged as a residual risk by C3PAOs even under Rev 2.

3. Data classification scope

Rev 3 tightens what CUI is and how it must be marked. Rev 2's scope was already CUI-centric, but Rev 3 adds explicit handling rules for marked subcategories (CUI Specified, Privacy Act information, controlled technical information).

The practical impact: your CUI handling policy needs to enumerate subcategories you encounter, not just "CUI" as a single bucket. Most existing CUI policies already do this informally; Rev 3 makes it required.

4. Modernized access control

Rev 3 replaces some of Rev 2's vintage language ("dial-up", "modems") with current network-architecture language. The intent of the controls is unchanged, but the assessor-friendly evidence shape (zero-trust segments, identity-aware proxies, conditional access policies) is different.

If you have already deployed zero-trust patterns, your Rev 3 evidence is already cleaner than your Rev 2 evidence. Rev 2 just does not have the vocabulary to fully describe what you built.

What to build now

The architectural recommendation we give every prospect:

  1. Implement Rev 2 controls as your assessment scope. That is what your C3PAO will score you against.
  2. Store evidence in a system that can remap controls without rebuilding the underlying data. Whether that is Readyline or any other GRC tool, the question to ask is: can I switch the framework reference from "NIST 800-171 Rev 2" to "NIST 800-171 Rev 3" and keep my evidence intact? If the answer is "I would have to re-link every evidence artifact", you are stuck.
  3. Adopt the Rev 3-flavored choices that are also Rev 2-compatible today. Phishing-resistant MFA is the easy example. Documented supplier evaluation is the harder one but the same logic applies.
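The remap-versus-rebuild distinction in step 2 comes down to one data-model decision: whether an evidence artifact is linked to a framework-specific control string or to an internal requirement key that a crosswalk resolves per framework. The following is an added example written for this article, not Readyline's code; the control identifiers, crosswalk rows and artifact names are constructed for illustration and are not the official NIST Rev 2 to Rev 3 mapping.

```python
from collections import defaultdict

# Illustrative crosswalk: internal requirement key -> control id per framework.
# Identifiers are constructed for this example, not NIST's official mapping.
CROSSWALK = {
    "access-limit":  {"rev2": "3.1.1", "rev3": "03.01.01"},
    "priv-mfa":      {"rev2": "3.5.3", "rev3": "03.05.03"},
    "supplier-eval": {"rev3": "03.17.01"},   # SR family exists only in Rev 3
}

# Design A ("stuck"): each artifact is linked straight to a framework-specific
# control string, so switching the framework reference orphans every link.
DIRECT_LINKS = [
    ("mfa-policy.pdf", "rev2", "3.5.3"),
    ("fido2-enrollment.png", "rev2", "3.5.3"),
    ("ad-group-export.csv", "rev2", "3.1.1"),
]

# Design B (remappable): artifacts are linked to the internal requirement key;
# the framework reference is resolved at query time through the crosswalk.
KEYED_LINKS = [
    ("mfa-policy.pdf", "priv-mfa"),
    ("fido2-enrollment.png", "priv-mfa"),
    ("ad-group-export.csv", "access-limit"),
]

def evidence_direct(framework):
    """Control id -> artifacts for a store that hard-codes the framework."""
    out = defaultdict(list)
    for artifact, fw, control in DIRECT_LINKS:
        if fw == framework:
            out[control].append(artifact)
    return dict(out)

def evidence_keyed(framework):
    """Control id -> artifacts, resolved through the crosswalk."""
    out = defaultdict(list)
    for artifact, key in KEYED_LINKS:
        control = CROSSWALK[key].get(framework)
        if control:  # the requirement may not exist in this revision
            out[control].append(artifact)
    return dict(out)

def gaps(framework):
    """Controls of this revision with no linked evidence under Design B."""
    covered = evidence_keyed(framework)
    return sorted(ids[framework] for ids in CROSSWALK.values()
                  if framework in ids and ids[framework] not in covered)
```

Switching Design A to "rev3" returns no evidence at all, while Design B returns the same artifacts under Rev 3 identifiers and `gaps("rev3")` reports only the new SR requirement that has no evidence yet.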

Readyline's L1, L2, and L3 templates ship with Rev 2 as the active framework today. When DoD moves to Rev 3, the remap happens centrally and customer evidence stays where it is, with the framework reference updated alongside it. We do not believe in making customers rebuild on a regulator's schedule.
