Home β€Ί CMMC FAQs β€Ί CMMC Model
CMMC Model β€” Official DoD FAQ

Will CMMC Update to Use NIST SP 800-171 Revision 3?

πŸ’Ό
Confused about Rev 2 vs Rev 3? Jun Cyber can help you prioritize the right controls for compliance today.
Schedule Free Consultation
Official DoD Answer
Source Source: DoD CIO CMMC FAQs v5 (B-Q3)

Yes, the Department will incorporate Revision 3 with future rulemaking. In the interim, the Department has issued a class deviation to DFARS clause 252.204-7012 to maintain Revision 2 as the standard against which defense industrial base companies will be assessed until Revision 3 has been incorporated into the 32 CFR CMMC Program rule through rulemaking.

In-Depth Analysis

Rev 2 vs Rev 3: What You Need to Know

NIST released SP 800-171 Revision 3 in May 2024 with significant changes, but CMMC assessments will continue using Revision 2 until the DoD completes formal rulemaking to adopt Rev 3.

What Changed in Revision 3

  • Reorganized from 14 families to aligned with NIST SP 800-53 structure
  • Added new requirements for supply chain risk management
  • Enhanced requirements for incident response and system integrity
  • Organization-Defined Parameters (ODPs) allow more flexibility

What This Means for You

For now: Prepare for and be assessed against NIST SP 800-171 Revision 2. This is the current standard per the class deviation memo.

Looking ahead: Begin familiarizing yourself with Rev 3 changes, but do not implement them at the expense of Rev 2 compliance. When the DoD formally adopts Rev 3, there will be a transition period.

The DoD has issued a class deviation memo specifically to prevent confusion β€” Revision 2 remains the assessment standard until further notice. This gives contractors clarity while the rulemaking process for Rev 3 incorporation proceeds.

Have More Questions?

ChatCMMC can answer detailed questions about CMMC compliance, NIST 800-171 controls, assessment preparation, and more β€” powered by official DoD documentation.

Ask ChatCMMC β†’

Get Your Free CMMC Readiness Assessment

Find out where your organization stands and what steps you need to take. Jun Cyber's CMMC experts are here to help.

By submitting, you agree to be contacted by Jun Cyber. No spam, ever.

Related Questions

You Might Also Want to Know

CMMC Model

What Is the Relationship Between NIST SP 800-171 and CMMC?

β†’ CMMC Model

Can Department Contractors Implement NIST SP 800-171 Revision 3?

β†’ CMMC Model

What Is the Relationship Between NIST SP 800-172 and CMMC?

β†’
Jun Cyber

Ready to Start Your CMMC Journey?

Jun Cyber helps defense contractors navigate CMMC compliance with confidence. From gap assessments to certification readiness β€” we've got you covered.

πŸ“… Schedule a Consultation Learn About CMMC Select β†’