NIST 800-171 Rev 3 vs Rev 2: What CMMC Subs Must Know

Rev 3 reshuffled 110 controls down to ~97 and added ODPs. Here's which revision applies to your contract, what actually changed, and how to migrate your SSP before Phase 2 hits.

May 26, 2026 · 8 min read

If you already have a System Security Plan (SSP) built on NIST SP 800-171 Revision 2, you have probably heard that Revision 3 dropped in May 2023 and wondered whether you need to redo your compliance work. The short answer is: it depends on when your contract was awarded and what your prime requires. The longer answer is below.

What Changed Between Rev 2 and Rev 3

Control Count: 110 Down to Roughly 97

Rev 2 organized its requirements into 14 families and 110 individual controls. Rev 3 consolidates overlapping controls, pulls in material from NIST SP 800-172 (enhanced requirements), and restructures families. The net result is approximately 97 controls, though the precise count varies depending on how you count sub-requirements versus standalone controls.

The reduction is not a relaxation. Several Rev 2 controls were merged because they addressed the same underlying protection goal. The intent is sharper, not softer.

Notable consolidations include:

  • Multiple identification and authentication (IA) controls that previously addressed passwords, replay resistance, and authenticator management are tightened into fewer, more explicit requirements.
  • Configuration management (CM) controls around baseline configurations and change control are rewritten to reduce redundancy.
  • Several audit and accountability (AU) controls that overlapped with incident response (IR) language are rationalized across both families.

Organization-Defined Parameters (ODPs)

This is the biggest structural change for practitioners. Rev 3 introduces ODPs throughout the control text. An ODP is a bracketed placeholder that your organization fills in with a specific value, for example:

"The organization defines the frequency [ODP: at least annually] at which to review and update the access control policy."

Rev 2 used fixed language. Rev 3 deliberately borrows the ODP model from NIST SP 800-53 Rev 5. The upside: you have flexibility to tailor controls to your environment. The downside: assessors and primes now expect you to document what value you chose and justify it. Every unfilled ODP is a gap finding waiting to happen.

Expect ODPs in roughly a third of Rev 3 controls across families including access control (AC), configuration management (CM), and incident response (IR).

Tightened Phishing, MFA, and Incident Response Language

Three areas got noticeably stricter wording:

Phishing-resistant MFA. Rev 2 required multi-factor authentication (MFA) for privileged accounts and remote access (controls 3.5.3 and 3.13.5 in the Rev 2 numbering). Rev 3 explicitly calls for phishing-resistant authenticators, aligning with OMB Memorandum M-22-09 and CISA guidance. FIDO2 tokens and PIV cards satisfy this; TOTP apps (time-based one-time password, like Google Authenticator) generally do not in a strict Rev 3 reading.

Incident response. Rev 3's IR controls add clearer language around testing the incident response capability (not just having a plan), and around supply-chain events. If your current IR plan is a document that has never been exercised, Rev 3 will surface that gap immediately.

Configuration baselining. The CM family in Rev 3 strengthens requirements around maintaining and enforcing secure configurations. "Deny by default" language is more explicit than in Rev 2.

Control Numbering Changed

Rev 3 uses a new identifier scheme. Rev 2 controls like 3.1.1 (Limit system access to authorized users) have new Rev 3 identifiers. Before you attempt any mapping, download both documents from NIST and use the crosswalk table NIST published alongside Rev 3. Do not rely on memory or informal mappings.


Which Revision Applies to Your Contract

This is the question that matters most operationally, and the answer is nuanced.

DFARS 252.204-7012 (the current clause in most CUI-handling contracts) references Rev 2. As of this writing, the CMMC rule codified in 32 CFR Part 170 also aligns CMMC Level 2 assessments to Rev 2's 110 practices. That alignment is intentional: DoD needed a stable baseline for the assessment ecosystem to stand up around.

The short version for most subs today: If your contract was awarded under DFARS 252.204-7012 and you are pursuing a CMMC Level 2 certification, Rev 2 is still your operative standard.

Where Rev 3 enters the picture:

  • Some primes are already asking subcontractors to self-assess against Rev 3 language as part of supply-chain risk management, even though it is not yet the regulatory baseline. This is contractually allowed because primes can impose stricter requirements on their supply chain than the government minimum.
  • DoD has signaled it will update the CMMC framework to eventually align with Rev 3, but no final rule revision has been published to that effect as of mid-2025. Watch the Federal Register.
  • New solicitations issued after any future DFARS update could reference Rev 3 directly.

Practical guidance: Ask your prime, in writing, which revision they expect your SSP to reference. If they say Rev 3, get that in writing and treat it as a contractual requirement. If they say Rev 2, document that conversation and keep your Rev 2 SSP current.


How to Map an Existing Rev 2 SSP to Rev 3

If a prime or a new contract requires Rev 3, here is a workable migration sequence.

  1. Download the NIST Rev 3 crosswalk. NIST published a mapping table from Rev 2 to Rev 3 identifiers. Start there, not with a blank slate.

  2. Import your Rev 2 control statements into a side-by-side comparison. For each Rev 2 control, identify the corresponding Rev 3 control(s). Note: some Rev 2 controls map one-to-one, some merge into a single Rev 3 control, and a handful have no direct equivalent.

  3. Identify ODP gaps. For every Rev 3 control that has an ODP, record the value your organization has chosen and the justification. This is new documentation work that did not exist under Rev 2.

  4. Audit phishing-resistant MFA coverage. If your Rev 2 implementation used TOTP-based MFA, you likely have a gap against Rev 3 IA expectations. Document it as a Plan of Action and Milestones (POA&M) item with a remediation timeline and budget.

  5. Test your incident response plan. Schedule a tabletop exercise if you have not done one. Rev 3 assessors will ask for evidence of testing, not just the plan document.

  6. Update your SSP narrative. The SSP introduction should state which revision it targets. Change the reference from Rev 2 to Rev 3, update the control identifier column, and ensure every control statement addresses the Rev 3 language, including ODP values.

  7. Have a qualified reviewer check the mapping. An internal reviewer who knows both documents, or a C3PAO (Certified Third-Party Assessment Organization) pre-assessment, will catch gaps your team normalizes past.

This migration is a moderate lift for a well-documented Rev 2 SSP. Expect 40 to 80 hours of effort for an organization with 50 to 150 in-scope users, depending on how mature your existing documentation is.
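As an added illustration of steps 2 and 3 (this is not code from the original post), the following Python script classifies each Rev 2 control's mapping as one-to-one, merged, or no equivalent, then scans Rev 3 control text for bracketed ODP markers and flags any the ODP register has not filled. The crosswalk rows, the Rev 3 identifiers and the control wording are constructed placeholders, not NIST's published crosswalk.

```python
import re
from collections import defaultdict

# Constructed sample data, not NIST's published crosswalk. 3.1.1, 3.1.2 and
# 3.5.3 are real Rev 2 identifiers; the Rev 3 ids, the "3.X.Y" id and the
# control text are placeholders chosen to exercise each mapping case.
CROSSWALK = {            # Rev 2 id -> Rev 3 id(s); [] means no direct equivalent
    "3.1.1": ["R3-AC-01"],
    "3.1.2": ["R3-AC-01"],   # merges with 3.1.1 into one Rev 3 control
    "3.5.3": ["R3-IA-03"],
    "3.X.Y": [],             # placeholder id with no Rev 3 equivalent
}
REV3_TEXT = {
    "R3-AC-01": "Review accounts [ODP: frequency] and disable accounts "
                "within [ODP: time period] of notification.",
    "R3-IA-03": "Implement phishing-resistant MFA for [ODP: account types].",
}
ODP_REGISTER = {         # (Rev 3 id, ODP name) -> value the organization chose
    ("R3-AC-01", "frequency"): "at least annually",
}

ODP_RE = re.compile(r"\[ODP:\s*([^\]]+?)\s*\]")   # matches "[ODP: ...]" markers

def find_odps(text):
    """Return the ODP names/values found in one control statement."""
    return ODP_RE.findall(text)

def classify_mappings(crosswalk):
    """Step 2: label each Rev 2 id 'one-to-one', 'merged' or 'none'."""
    sources = defaultdict(list)           # Rev 3 id -> Rev 2 ids that land on it
    for r2, r3s in crosswalk.items():
        for r3 in r3s:
            sources[r3].append(r2)
    result = {}
    for r2, r3s in crosswalk.items():
        if not r3s:
            result[r2] = "none"
        elif any(len(sources[r3]) > 1 for r3 in r3s):
            result[r2] = "merged"
        else:
            result[r2] = "one-to-one"
    return result

def odp_gaps(rev3_text, register):
    """Step 3: list (Rev 3 id, ODP name) pairs with no value in the register."""
    gaps = []
    for r3, text in rev3_text.items():
        for name in find_odps(text):
            if not register.get((r3, name)):
                gaps.append((r3, name))
    return gaps
```

Each item returned by `odp_gaps` is a documentation finding to close before the SSP claims Rev 3 coverage.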


What Subs Should Expect in 2026-2027 Contracts

CMMC Phase 2 begins November 10, 2026. For context on the full Phase 2 timeline and what that means for contract flow-down, see the CMMC Phase 2 timeline post.

Here is what the Phase 2 ramp means specifically for the Rev 2 vs Rev 3 question:

  • Phase 2 contracts will require CMMC Level 2 certification for any contractor handling Controlled Unclassified Information (CUI). The current certification assessment framework is still Rev 2 aligned.
  • By 2027, DoD is expected to begin proposing a DFARS update that moves the framework reference to Rev 3. The timeline is not confirmed in published rulemaking, but the NIST publication cadence and DoD's stated alignment with SP 800-53 Rev 5 make this directionally clear.
  • Primes under Phase 2 will flow CMMC requirements to subs. A prime that gets a Phase 2 contract in late 2026 will have a contractual obligation to ensure their subcontractors meet CMMC Level 2. Many primes will use this moment to ask subs for Rev 3 SSPs even if the regulatory baseline is still Rev 2, because it reduces their own supply-chain risk exposure.
  • Self-assessments for Level 2 are still allowed in Phase 2 under some contract types. But third-party assessments by a C3PAO are required for contracts with higher CUI sensitivity. Whichever path applies to you, the control set being assessed is what the CMMC rule specifies at that time.

The safest posture: keep your Rev 2 SSP current and compliant now, and begin the Rev 3 gap analysis this year so you are not starting from scratch when a prime or contracting officer asks for it.


A Practical Migration Approach for Right Now

You do not need to choose between Rev 2 and Rev 3 compliance. You need both documents maintained in parallel for the next 18 to 24 months.

Structure your SSP so the control section can be toggled between Rev 2 and Rev 3 identifier columns. Track your ODP values in a separate register so they are easy to produce on request. Keep your POA&M updated against whichever revision a given contract requires.

The controls that got stricter in Rev 3 (phishing-resistant MFA, tested IR, and enforced configuration baselines) are worth implementing now regardless of which revision your current contract references. An assessor reviewing a Rev 2 SSP will still look favorably on an organization that has moved to FIDO2 tokens and can produce a tabletop exercise after-action report.

Good compliance documentation is not revision-specific. It is accurate, current, and defensible. Build it that way and the Rev 2 to Rev 3 migration becomes an update exercise, not a rebuild.
