NIST 800-171 Rev 2 vs Rev 3: Which One CMMC Uses
NIST published 800-171 Revision 3 in May 2024 and it supersedes Rev 2 in NIST’s own catalog. Your CMMC assessment still ignores it. Here is which version to build to, and why the gap matters.
CMMC Level 2 is assessed against NIST SP 800-171 Revision 2, not Revision 3. NIST published Rev 3 in May 2024, and in NIST’s publication history it supersedes Rev 2. But the Department of Defense still grades every CMMC assessment, every SPRS score, and every System Security Plan against Rev 2, and it will until it formally adopts Rev 3 through new rulemaking. Building your program to Rev 3 today, before that happens, can show up as unmet controls and cost you the assessment.
- CMMC Level 2 is still graded against NIST SP 800-171 Revision 2, not Revision 3.
- NIST published Rev 3 in May 2024, but DoD has not adopted it for CMMC assessments, SPRS scoring, or certification.
- You may implement Rev 3 voluntarily, but you must still meet Rev 2 and use the DoD's Organization-Defined Parameters.
- Build and score your SSP to Rev 2 today. Switching early can show as unmet controls and fail your C3PAO assessment.
- The Rev 2 to Rev 3 transition needs new rulemaking, SPRS changes, and updated assessor training. Plan for years, not months.
Does CMMC use NIST 800-171 Rev 2 or Rev 3?
Rev 2. Today, every CMMC Level 2 assessment maps to the 110 security requirements in NIST SP 800-171 Revision 2. The link is locked in by a DoD class deviation (2023-O0006) that ties CMMC and DFARS 252.204-7012 scoring to Rev 2. Until that deviation is withdrawn or superseded, Rev 2 is the standard your assessor uses, full stop.
This trips people up because NIST’s own website lists Rev 3 as the current, final publication. That is true inside NIST’s catalog. It is not true inside the DoD contracting and CMMC world, which moves on its own rulemaking clock. The two realities are separate, and the one that governs your assessment is the DoD one.
Is NIST 800-171 Rev 3 required for CMMC?
No. Rev 3 is not required for CMMC, and it is not yet permitted as the basis for your assessment score. The DoD CIO’s CMMC FAQ is explicit that assessments are conducted against Rev 2 until the class deviation changes. The Supplier Performance Risk System does not accept a Rev 3 based score. C3PAO assessors are not trained or authorized to grade you against Rev 3 controls.
So if a vendor or a forum post is telling you to rebuild your compliance program around Rev 3 right now to get ahead, that advice is early at best and harmful at worst. A control set that looks complete under Rev 3 can read as incomplete under Rev 2, because the two versions organize and word their requirements differently.

What actually changed between Rev 2 and Rev 3
The differences are structural, and they are why you cannot treat the two versions as interchangeable.
Rev 2 has 110 controls across 14 control families. The companion assessment guide, NIST SP 800-171A, breaks those 110 controls into 320 assessment objectives, and a C3PAO grades you at the objective level. That is the number that matters in practice.
Rev 3 reorganizes the framework to align with NIST SP 800-53 Rev 5. It moves to 17 control families, adding Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). The total control count drops to 97, but that reduction is misleading: many Rev 2 requirements were not removed, they were merged into other controls, so the work did not shrink. Rev 3 also introduces 88 Organization-Defined Parameters, the “fill in the blank” values for things like password length and session timeout. For CMMC, the DoD does not leave those blanks to you. Its April 2025 ODP memorandum assigns the exact values contractors must use.
The headline numbers, side by side, are the fastest way to see why a straight swap does not work.
Can you implement NIST 800-171 Rev 3 for CMMC right now?
This is where most quick answers, including some automated search summaries, get it wrong. The flat answer floating around is “no, you cannot implement Rev 3.” That is not what the DoD CIO FAQ says.
The accurate answer: you can implement Rev 3 voluntarily, but two conditions apply. First, if you do, you must use the DoD’s Organization-Defined Parameters from the April 2025 memorandum, not your own values. Second, because your CMMC assessment is still scored against Rev 2, you must ensure that every gap between Rev 2 and Rev 3 is closed. A requirement that exists in Rev 2 but was withdrawn or restructured in Rev 3 still has to be met. If an assessor finds a Rev 2 objective marked NOT MET because you built only to Rev 3, that finding counts against you.
In plain terms: adopting Rev 3 early is a planning exercise layered on top of Rev 2 compliance, never a replacement for it.
Should you build your SSP to Rev 2 or Rev 3?
Rev 2. Your System Security Plan is the document a C3PAO reads first, and it has to match the standard the assessor is grading against. That standard is Rev 2. An SSP written to Rev 3’s structure, families, and parameter language will not line up with the 110 controls and 320 objectives your assessor walks, and the mismatch creates exactly the unmet findings you are trying to avoid.
This is also the most common place the version confusion does real damage. A team reads that Rev 3 is “the current version,” rewrites the SSP around its 17 families, and shows up to the assessment with a document organized against a standard nobody is using yet. The fix is straightforward: write the SSP to Rev 2, keep it current, and track Rev 3 deltas in a separate planning file.
If you want the SSP structured the way an assessor expects, the CMMC Level 2 System Security Plan (SSP) Template ($77) is built to NIST 800-171 Rev 2 and maps each section to the control objectives a C3PAO examines. It is the same structure covered in our breakdown of what a C3PAO actually reads in your SSP.
When will CMMC move to Rev 3?
Not soon, and not by surprise. Final publication by NIST does not make a standard enforceable for DoD contracting. Before Rev 3 can become the CMMC baseline, several things have to happen in sequence:
- The DoD has to formally adopt Rev 3 and update the DFARS clauses that currently point to Rev 2.
- SPRS has to be updated to accept and score Rev 3 based assessments.
- CMMC assessment criteria, assessor training, and C3PAO evaluation procedures all have to be revised to Rev 3.
None of that is instant. Based on how DoD has handled previous transitions, expect 12 to 24 months of advance notice at the earliest once the process starts, and the full transition measured in years. The signal to watch is the class deviation: when DoD withdraws or supersedes it, the clock starts. Meanwhile, Phase 2 of the CMMC rollout begins November 10, 2026, and that phase is built entirely on Rev 2. The near-term deadline and the long-term version question are pointed at the same standard.
What to do about it now

Four moves keep you on the right side of this:
- Build and score your SSP to Rev 2. It is the only baseline a C3PAO grades you against today.
- Keep your SPRS score on Rev 2. SPRS does not accept Rev 3 based scoring, and your score is a representation the False Claims Act can reach if it is wrong.
- If you adopt Rev 3 voluntarily, close every Rev 2 gap first and use the DoD’s ODP values, not your own.
- Map the Rev 2 to Rev 3 deltas now, in a separate planning document, so that when DoD does switch, you are managing a delta instead of rebuilding from scratch.
If you are assembling the full picture, scoping through scoring through assessment readiness, the CMMC Level 2 Readiness Kit: 5 NIST 800-171 Tools ($147) bundles the SSP template with the SPRS workbook, asset scoping worksheet, POA&M tracker, and evidence tracker, all built to Rev 2, so a small team preparing for a C3PAO date is working from one consistent baseline instead of stitching together free templates written to different versions.
The bottom line
Rev 3 is the future direction of CUI protection, and it is worth understanding. It is not the standard your CMMC assessment uses. Until DoD formally adopts it through rulemaking, build to Rev 2, score to Rev 2, and write your SSP to Rev 2. Treat Rev 3 as a map of where things are heading, not a set of requirements you owe today. The contractors who get this right meet the current bar and quietly prepare for the next one. The ones who get it wrong rebuild their program around a standard no assessor is using, and walk into an assessment with avoidable gaps.
Sources
- NIST, SP 800-171 Rev 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (May 2024), and the NIST Rev 2 to Rev 3 change analysis: csrc.nist.gov
- Department of Defense CIO, CMMC Frequently Asked Questions (Section B, NIST 800-171 Rev 2 vs Rev 3; class deviation 2023-O0006): dodcio.defense.gov/CMMC
- DoD, Organization-Defined Parameters for NIST SP 800-171 Revision 3 memorandum (April 2025).
- DoD, CMMC Alignment to NIST Standards briefing.
- NIST, SP 800-171A (assessment objectives).