NIST Special Publication 800-171 Revision 3 was finalized in May 2024. It represents the most significant update to the CUI protection requirements since Revision 1 was published in 2016. Even so, DoD contractors are not yet required to comply with Revision 3: under DoD Class Deviation 2024-O0013, Revision 2 (with its 110 security requirements) remains the mandatory standard. Understanding what Revision 3 changes is nonetheless essential for contractors who plan ahead.
Why the Revision Was Necessary
Revision 2, published in February 2020, was a significant step forward in providing defense contractors with a clear, actionable set of security requirements. However, the threat landscape evolved substantially in the years following its publication. Supply chain attacks, ransomware targeting nonfederal systems, and the emergence of sophisticated persistent adversaries targeting the Defense Industrial Base all exposed areas where Revision 2 needed strengthening.
Revision 3 was also designed to better align with NIST SP 800-53 Revision 5, the control catalog used by federal agencies. This alignment makes it easier for contractors working in both commercial and federal environments to map their security programs to a consistent set of controls and reduces the burden of maintaining parallel compliance frameworks.
What Changed in Revision 3
- Control structure reorganized: The 110 requirements are retained but reorganized from the original 14 requirement families into 17. The new families are Planning, System and Services Acquisition, and Supply Chain Risk Management, covering areas where Revision 2 was silent.
- Organization-defined parameters (ODPs): Revision 3 introduces ODPs, which allow organizations to tailor specific control implementations based on their risk environment. This is a significant conceptual shift from the more prescriptive Revision 2 approach.
- Supply chain risk management: For the first time, NIST 800-171 explicitly addresses supply chain risk. Contractors must assess the security posture of their suppliers and take steps to manage third-party risk.
- Stronger identity and access controls: Requirements around multifactor authentication, privileged access management, and session management are more explicit and stringent.
- Enhanced logging and audit requirements: Revision 3 increases specificity around audit log content, retention, and analysis, moving closer to the continuous monitoring posture CISA and DoD expect.
The Current Status: Revision 2 Remains Mandatory
As of mid-2025, DoD contractors are required to comply with NIST 800-171 Revision 2 and assess themselves against its 110 requirements. The CMMC Level 2 assessment standard is also currently mapped to Revision 2. DoD has not announced a mandatory transition date to Revision 3 at the time of this writing, and CMMC assessment processes will need to be updated before Revision 3 requirements become enforceable through contract clauses.
DoD did publish Organization-Defined Parameters for Revision 3 in May 2025, signaling that the transition is being planned. ODPs are the specific values contractors would need to use for the tailorable requirements in Revision 3, so publishing them is a concrete step toward future adoption.
How Contractors Should Prepare
- Maintain Revision 2 compliance as your primary obligation. Do not abandon your Revision 2 program or SPRS score management in anticipation of a Revision 3 transition that has no firm date.
- Conduct a gap analysis between Revision 2 and Revision 3. Identify the new requirement families and assess where your current security program does not yet address Revision 3 requirements.
- Review the Supply Chain Risk Management family specifically. This is entirely new and represents a meaningful operational change for contractors with complex supplier networks.
- Begin documenting your ODP decisions. Even if Revision 3 is not yet mandatory, practicing the ODP documentation process will prepare you for the increased documentation burden.
- Track DoD announcements. When DoD updates the CMMC assessment methodology to incorporate Revision 3, contractors will need to re-assess their posture against a different baseline.
The window between now and the mandatory Revision 3 transition is an opportunity to build the security program you would need anyway, without the pressure of a compliance deadline. Contractors who use this time well will be well positioned when the transition comes.