NIST 800-171 Rev 2 vs Rev 3: What CMMC Requires Now (and What's Coming)

By Glenn Ballard · CMMC Registered Practitioner · June 19, 2026 · 8 min read

NIST published Revision 3 of SP 800-171, and a wave of vendors immediately started telling defense contractors to rebuild their programs. Don't — not yet. The version that actually governs your CMMC assessment today is Revision 2, and it will stay that way until the government formally changes it. Here is the real status, what's different in Rev 3, and how to prepare without wasting effort on a standard you're not assessed against.

What CMMC Requires Today: Revision 2

CMMC Level 2 is anchored to NIST SP 800-171 Revision 2 — its 110 requirements across 14 families. To remove any ambiguity, the DoD issued a class deviation directing that Revision 2 remain the applicable standard, even though Revision 3 exists. Critically, that deviation has no end date: Revision 2 stays acceptable “until rescinded.”

Translation: if you are scoping, assessing, or being assessed for CMMC right now — including for the Phase 2 C3PAO certification requirements arriving November 10, 2026 — you are working against Revision 2. That is the standard our assessment engine uses, control for control.

What's Different in Revision 3

Revision 3 is an evolution, not a teardown. The headline changes:

  • Closer alignment with NIST SP 800-53 Rev 5 — the requirements were restructured to track the broader federal control catalog more directly.
  • Organization-Defined Parameters (ODPs) — the most consequential change. Rev 3 leaves certain values (think password rules, session-lock timeouts) for the government to define, giving the DoD a dial to set specifics across the Defense Industrial Base.
  • Requirements consolidated, withdrawn, and added — some Rev 2 items merged or moved, with new emphasis in areas like supply-chain and planning.

The underlying intent — protect CUI with sound, well-documented security — is unchanged. A team that genuinely meets Rev 2 already does most of what Rev 3 will ask.

When the Transition Is Expected

The move to Revision 3 will come through future rulemaking — not a flip of a switch. Industry observers broadly expect that window somewhere between the second half of 2026 and 2027, but no date is official, and rulemaking timelines slip. Treat any specific date you see as an estimate until a rule is published.

This article reflects the status as of mid-2026 and is general information, not legal or regulatory advice. The authoritative sources are the DoD class deviation and any future DFARS/CMMC rulemaking — verify the current state before making program decisions.

What to Do Right Now

  • Build for Rev 2. It's what you're assessed against today, including for Phase 2 certification.
  • Don't rebuild for Rev 3 prematurely. Re-architecting around a draft target before the rule is final risks rework when ODP values land.
  • Build clean and well-documented. A strong SSP and disciplined evidence will transfer to Rev 3 with far less friction than a patchwork program.
  • Watch the ODPs. When the government sets parameter values, that's your signal to map the delta — not before.

Get Solid on Rev 2 First

The best preparation for Rev 3 is a genuinely strong Revision 2 posture — not speculation about a rule that hasn't landed. The Dragonfli Group CMMC Accelerator assesses you against all 110 Rev 2 requirements, produces a draft SSP, POA&M, and gap plan reviewed by a CMMC Registered Practitioner, and gives you the documented, evidence-backed program that will carry forward when Rev 3 eventually arrives.
