NIST 800-171 Rev 3: What Changed and Why It Doesn't Matter Yet
Explore essential insights on NIST 800-171 Revision 3 for defense contractors' compliance success.
---
Executive Summary
Key takeaways:
- NIST published SP 800-171 Rev 3 as final in May 2024. It restructured the standard: 97 requirements in 17 families, most with lettered sub-parts that are assessed individually, versus 110 requirements in 14 families in Rev 2. Three families are new: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR).
- CMMC Level 2 is legally anchored to Rev 2 by 32 CFR Part 170, the CMMC final rule published in October 2024. Changing that requires new federal rulemaking.
- Your C3PAO assessment, your SPRS score, and your annual affirmation are all against Rev 2 controls. Full stop.
- The transition to Rev 3 is years away, not months. Realistically 2028 at the earliest before any contractual effect.
- Rev 3 is worth understanding because it signals where DoD's security expectations are headed, particularly around supply chain risk and planning. It is not worth implementing ahead of your Rev 2 compliance program.
---
One of the more reliable ways to waste your CMMC compliance budget is to chase the wrong version of the standard.
NIST finalized 800-171 Rev 3 in May 2024. Within weeks, contractors started asking whether their CMMC program needed to switch tracks. GRC vendors started publishing "Rev 3 readiness" assessments. The short answer: not yet, and here's the evidence to prove it.
What CMMC Is Actually Based On
CMMC Level 2 maps to NIST SP 800-171 Rev 2. This isn't convention or tradition — it's codified law.
32 CFR Part 170, the final CMMC rule published October 15, 2024, specifies in the assessment methodology that CMMC Level 2 requires implementation of the security requirements in NIST SP 800-171 Rev 2. The rule cites the specific publication: NIST SP 800-171 Revision 2, dated February 2020.
For the rule to change its reference from Rev 2 to Rev 3, DoD would need to publish a new rule — notice of proposed rulemaking, public comment period (typically 60–90 days), review of comments, final rule publication, and implementation timeline. That process takes 18–36 months under favorable conditions. Given that the current CMMC rule just went through a multi-year development process and published in late 2024, a transition rule modifying the technical standard reference is not coming quickly.
There is no announced timeline from DoD or OUSD(A&S) for transitioning CMMC to Rev 3.
DoD reinforced this outside the CMMC rule as well: in May 2024, the same month Rev 3 was finalized, DoD issued a DFARS class deviation directing contracting officers to continue requiring NIST SP 800-171 Rev 2 under DFARS 252.204-7012, rather than letting the clause's "current version" language pull Rev 3 into contracts automatically.
Until DoD publishes a final rule changing the reference, Rev 2 is what gets assessed. SPRS scores are calculated on the 110 Rev 2 requirements. C3PAOs conduct assessments against Rev 2. Annual affirmations certify compliance with Rev 2. That's the legal and contractual reality.
What Actually Changed in Rev 3
Understanding what changed is worthwhile — not because you need to implement it now, but because Rev 3 shows you where DoD's requirements are headed. You can use that to build a security program that won't require major surgery when the transition happens.
Requirement Count and Structure: 110 → 97, With Sub-Parts
Rev 3 does not simply add to Rev 2's 110 requirements. It consolidates overlapping Rev 2 requirements, withdraws some, and adds new ones, arriving at 97 requirements. Most of those 97 are broken into lettered sub-requirements (a, b, c, ...) that are assessed individually, so the number of assessable items goes up even though the headline count went down. Some additions are entirely new concepts; others make explicit what Rev 2 left implicit. Rev 3 also introduces organization-defined parameters (ODPs): values such as review frequencies or lockout thresholds that are left blank in the standard and must be specified by the organization or, in DoD's case, by the contracting agency.
The additions reflect NIST's alignment of 800-171 more closely with NIST SP 800-53 Rev 5 (the federal agency standard). Where Rev 2 was written specifically for non-federal contractors and deliberately simplified, Rev 3 pulls more rigorously from the 800-53 catalog.
New Control Families: Planning, System and Services Acquisition, and Supply Chain Risk Management
This is the most significant structural change. Rev 3 adds three control families that don't exist in Rev 2:
Planning (PL) — policy and procedures covering the security requirements, the system security plan (which existed as a single requirement, 3.12.4, in Rev 2's Security Assessment family), and rules of behavior that users of CUI systems must acknowledge. Rev 3 elevates planning to its own family with dedicated requirements.
System and Services Acquisition (SA) — applying security engineering principles to system design and development, managing unsupported (end-of-life) system components, and requiring providers of external system services to meet the organization's security requirements.
Supply Chain Risk Management (SR) — this is the major new addition. Rev 3 requires contractors to develop a supply chain risk management plan, use acquisition strategies and tools that reduce supply chain risk, and define the requirements and processes they apply to suppliers and third-party service providers who touch the CUI environment. In practice that means establishing supply chain risk management policies, identifying supply chain risks, including security requirements in supplier contracts, and assessing third-party providers before and after onboarding.
Supply chain risk management wasn't in Rev 2's 14 families at all. Its addition reflects the DoD's increasing concern about supply chain attacks — a concern that's only grown since the SolarWinds compromise in 2020.
Revised Control Numbering
Rev 3 replaces Rev 2's 3.x.x identifiers (3.1.1 for the first Access Control requirement, for example) with a zero-padded 03.xx.xx format (03.01.01 for the same requirement), with lettered sub-parts beneath each requirement. Because some Rev 2 requirements were withdrawn or merged, the crosswalk is not one-to-one; each Rev 3 requirement also cites the SP 800-53 Rev 5 control it was derived from.
This is operationally relevant: any documentation, SSP content, POA&M references, or training materials built around 3.x.x control IDs will need to be updated when the transition happens. It's not a substantive change to the security requirements themselves, but it creates rework, which is another reason to sequence the transition carefully.
Enhanced Requirements in Existing Families
Several existing families got additional requirements or strengthened language:
Configuration Management — Rev 3 adds more specific requirements around configuration management for development environments and defines configuration management baselines more precisely.
System and Communications Protection — expanded requirements around network boundary protection and additional controls for protecting CUI in cloud environments.
Risk Assessment — more detailed requirements for threat intelligence integration and risk response documentation.
Incident Response — enhanced requirements for supply chain incident handling (coordinating with Rev 3's new SR family).
What Didn't Change
The core security requirements that most contractors are working toward remain largely intact. Access control, identification and authentication, encryption, audit logging, malware protection, patch management, physical protection — these are all still present with minimal substantive change. The foundational controls you're implementing for CMMC Level 2 Rev 2 will largely carry forward.
This is the practical reassurance: organizations that achieve full Rev 2 compliance will not be starting from scratch when Rev 3 becomes contractually required. The new requirements and sub-parts represent additional work, not a complete replacement.
The Five Changes That Will Create Real Work
Not all of the new requirements are created equal. Some add bureaucratic overhead; a few require genuine implementation work. Here are the five that will matter most when the transition comes:
1. Supply Chain Risk Management — end-to-end. If you rely on managed service providers, cloud platforms, or specialized subcontractors for any part of your CUI environment, Rev 3's SR family requires you to formally assess those relationships, document the risks, and include security requirements in your contracts with them. For contractors who've outsourced significant parts of their IT to an MSP, this creates work both on your side (supplier assessment process) and your MSP's side (they may need to provide evidence of their own security posture).
2. Planning — Policies, Procedures, and Rules of Behavior. Rev 3's PL family requires documented policies and procedures that cover the security requirements, a system security plan that is reviewed and updated at a defined frequency, and rules of behavior that users acknowledge before they touch CUI systems. This isn't complex technically, but it requires your security leadership to produce and maintain governance documentation that most small contractors don't currently have.
3. Configuration Management for Development Environments. If your organization writes software or develops technical products under DoD contracts, Rev 3 adds specific configuration management requirements for development environments. Secure development practices, configuration management for code repositories, and separation of development from production CUI environments.
4. Enhanced Vulnerability Management. Rev 3 makes vulnerability management more demanding: more specific timelines, documented prioritization criteria, and integration with threat intelligence. Your vulnerability scanner and patch process will need documented remediation workflows with escalation criteria, not just scan-and-fix.
5. Supply Chain Incident Response. Incident response in Rev 3 extends to supply chain incidents — a compromise at your MSP or a cloud provider is a CUI incident that requires the same reporting and response process as a direct compromise. Most contractors' current incident response plans don't contemplate this.
What You Should Do Right Now (And What You Shouldn't)
Don't: Redirect your Rev 2 compliance work to implement Rev 3 requirements. Your assessments, your contracts, and your legal obligations are Rev 2. If you're not yet at full Rev 2 compliance, that's where every resource should go. An organization that implements five Rev 3 SR requirements while leaving Rev 2 gaps isn't more compliant — it's equally non-compliant with the contractual standard and has wasted resources.
Don't: Pay for a "Rev 3 readiness assessment" from a vendor until Rev 3 is actually in your contracts. Any vendor offering this service today is selling you information you can't act on yet.
Do: Understand the SR family now if you rely on external IT providers. Supply chain risk management is coming, and starting to document your third-party relationships — what systems they access, what CUI they touch, what their security posture is — is useful regardless of Rev 2 or Rev 3. This is background work, not a compliance sprint.
Do: Include Rev 3 SR requirements in contract negotiations with your MSP or cloud service provider. If you're renegotiating your MSP contract in 2025 or 2026, include security requirements clauses now. Getting them into a new contract is easier than renegotiating an existing one in 2028 under deadline pressure.
Do: Structure your SSP so it can absorb Rev 3's Planning family later. Rev 2's SSP requirement (CA.L2-3.12.4) already covers the core documentation; Rev 3 adds policies and procedures, a defined review cadence, and rules of behavior. You can organize your existing SSP so those sections slot in without creating a parallel document, while keeping the control language itself Rev 2 (see "What Your Assessor Expects Today" below).
Decision point — when to start formal Rev 3 implementation work:
If you're still working toward Rev 2 compliance: stay the course. Not one resource diverted to Rev 3.
If you're at or near full Rev 2 compliance (score of 100-110 on your SPRS self-assessment): use the next phase of your security program to address the Rev 3 additions, particularly supply chain risk management. You have the organizational bandwidth and the foundational controls are already in place.
If you're a Tier 1 prime or major DIB contractor with long-term DoD program commitments: your legal team should be watching the Federal Register for any proposed rule citing Rev 3. When you see a Notice of Proposed Rulemaking (NPRM) that references a change to the CMMC technical standard, that's when to start formal transition planning.
What the Supply Chain Risk Management Family Actually Requires
Because SR is the most substantively new addition in Rev 3 and because supply chain security is where DoD's threat concerns are concentrated, it's worth understanding what the SR requirements actually ask for rather than treating them as an abstraction.
NIST 800-171 Rev 3's supply chain risk management requirements are derived from NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) and the SP 800-53 Rev 5 SR control family. In practical terms, they require contractors to:
Establish supply chain risk management policies and procedures that define how you identify, assess, and respond to risks from your suppliers and subcontractors who handle CUI or provide services that affect your CUI environment.
Identify the suppliers and third parties in your CUI ecosystem — your MSP, your cloud providers, your software vendors for CUI-handling systems, your subcontractors who receive CUI from you. Most contractors working under Rev 2 have never documented this formally.
Include security requirements in supplier contracts. When you engage a vendor who will access or manage systems that handle CUI, the contract needs to specify what security controls they must maintain, how you'll verify those controls, and what happens if they have a security incident.
Assess suppliers before granting access. Not just contractual clauses — actual evaluation of whether the vendor can demonstrate their security posture. For large MSPs, a SOC 2 Type II report or FedRAMP authorization provides evidence. For smaller vendors, you may need to conduct your own assessment or require them to complete a security questionnaire.
This isn't exotic. Defense primes have been doing supply chain security management for years — Rev 3 extends the expectation to smaller contractors and subcontractors. If you work with an MSP who manages your CUI environment, they are the highest-priority supply chain risk to understand and document. The SR family gives you the formal framework to do what should already be good operational practice.
What the Planning Family Actually Requires
The PL family in Rev 3 requires contractors to document not just how controls are implemented (that's the SSP, which exists in Rev 2) but the policies, procedures, and user obligations that govern the security program over time.
In practice, this means: documented policies and procedures covering the security requirements, with the roles responsible for them identified; a system security plan that is reviewed and updated at a defined frequency and whenever the environment changes; and rules of behavior that users acknowledge before being granted access to CUI systems. Integrating security into system development and into the acquisition of external services sits in the companion SA family rather than in PL.
For contractors who already have a mature CISO function and a formal security program, the PL requirements are largely documentation of what's already happening. For contractors where "CMMC" and "security program" are synonymous — where the security program started because a contract required it and is managed purely as a compliance project — the PL family requires a step change in how security is governed.
That step change is coming regardless. Start thinking about it now.
Cross-Framework Context
If you're managing compliance across multiple frameworks, Rev 3's alignment with NIST 800-53 Rev 5 is relevant:
- FedRAMP is based on NIST 800-53 Rev 5. Organizations that maintain FedRAMP authorization already have significant coverage of the new Rev 3 requirements, particularly in the supply chain and planning families. If you're in a FedRAMP environment, the incremental gap from Rev 2 to Rev 3 is small.
- ISO 27001:2022 added supplier relationship controls and information security for supply chain in its 2022 update — precisely what Rev 3's SR family requires. If you're ISO 27001:2022 certified, your supply chain risk management documentation provides a solid foundation for Rev 3's SR family.
- NIST CSF 2.0 (published February 2024) added a new "Govern" function that covers organizational context, risk strategy, and supply chain management. The alignment with Rev 3's PL and SR families is intentional. CSF 2.0 implementation maps more cleanly to Rev 3 than Rev 2.
What Your Assessor Expects Today
Your C3PAO assessor is evaluating you against Rev 2. They are not using Rev 3 as a supplementary reference or grading you on Rev 3 requirements. Don't include Rev 3 control language in your SSP — it creates confusion and will prompt questions about why you're referencing a standard that isn't in your contract.
What you can and should include in your SSP is a statement of your program's maturity roadmap — that you're aware of Rev 3 and have a plan for monitoring the transition. Assessors appreciate seeing that a contractor is thinking about the lifecycle of their program, not just the current assessment.
The critical discipline: keep your compliance documentation precisely aligned with the standard being assessed. Rev 2 SSP language for Rev 2 assessments. When Rev 3 becomes contractually required, you'll update the documentation. Until then, precision matters more than comprehensiveness.
---
Focused on getting to full Rev 2 compliance before worrying about Rev 3? Talk to our team about your current gap state — we can prioritize the Rev 2 work that matters most for your assessment timeline.
Related reading: The Regulatory Stack: How CMMC, DFARS, NIST, and FAR Fit Together — understanding the rulemaking structure that determines when Rev 3 will matter.