TL;DR: DoD's 2026 Unified Agenda lists a new rulemaking, RIN 0790-AM01, that would set the deadline and transition period for shifting CMMC from NIST SP 800-171 Revision 2 to Revision 3. It is in the Final Rule Stage, would issue as an interim final rule, and targets a publication date of July 2026 — though Unified Agenda dates are DoD's own projections, not guarantees. This is the first concrete regulatory timeline for a transition GovConCyber has been tracking as "when, not if."
What Just Showed Up in the Unified Agenda
The Department of Defense (DoD) has entered a new rulemaking into the federal Unified Agenda: RIN 0790-AM01, titled "Cybersecurity Maturity Model Certification (CMMC) Program." It is listed for the first time in the 2026 edition of the Unified Agenda and sits in the Final Rule Stage — meaning DoD has moved past the proposal stage internally and is preparing to issue the rule directly. The agency contact of record is Carrie Cardwell, an Acquisition Analyst in the Office of the DoD Chief Information Officer.
One detail in the filing is worth flagging before anything else: the agency identifies itself in this entry as the "Department of War (DOW)." That is not a drafting error. In September 2025, Executive Order 14347 authorized DoD to use "Department of War" as a secondary title in official communications; it did not change the department's statutory name, which only Congress can do. GovConCyber uses "DoD" throughout this article for consistency with the underlying statutory name, but expect to see "Department of War" on more DoD paperwork going forward, including rulemakings like this one.
What the Rule Would Actually Do
Per the Unified Agenda abstract, the rule would:
- Define a deadline and transition period for moving CMMC compliance from NIST SP 800-171 Revision 2 to Revision 3.
- Revise the NIST documents incorporated by reference in 32 C.F.R. Part 170, the regulation that houses the CMMC Program.
- Add administrative and clarifying edits across multiple areas of the rule "as necessary to effect the transition."
That is a narrow, mechanical scope. This is not a rewrite of CMMC or a new certification level — it is the plumbing work needed to point the existing rule at a different version of the underlying NIST standard once DoD is ready to make that switch binding.
The Mechanism Matters: Interim Final, Not Proposed
The Unified Agenda timetable lists one action: Interim Final Rule, 07/00/2026. Two things about that entry deserve attention.
First, the "00" in the date is Unified Agenda shorthand for "day not yet set" — DoD is targeting July 2026 generally, not a specific date within it. Unified Agenda timetables are the agency's own internal planning estimates, and they slip regularly across administrations and rulemakings; "expected this month" is a fair read of the filing, not a guaranteed publication date.
Second, DoD chose an interim final rule, not a notice of proposed rulemaking. An interim final rule takes effect on publication (or on a stated effective date) without a prior public comment period, though the agency can still solicit comments after the fact and revise the rule later if warranted. Practically, that means contractors should not expect an advance draft to review and comment on before this rule binds — the transition deadline and mechanics will likely be final policy the day the rule publishes.
A Smaller Company Count, Buried in the Cost-Benefit Section
The filing includes one more data point worth pulling out. In its Anticipated Costs and Benefits section, DoD states that this rule amendment "is based on a more current estimate of the size of the Defense Industrial Base," and that, combined with the Rev. 2-to-Rev. 3 changes to CMMC Level 2 and Level 3 assessment objectives, DoD now expects approximately 20 percent fewer total companies to be affected by 32 C.F.R. Part 170 than earlier estimates assumed. DoD does not say in the filing whether that reflects a change in methodology, actual Defense Industrial Base contraction, or both — worth watching if DoD publishes supporting analysis alongside the rule.
What This Means for Government Contractors
For executives and owners: this is a real signal to build a Rev. 3 transition into your 2026-2027 planning, but not yet a reason to change what you are being assessed against. If your contract cites NIST SP 800-171 Rev. 2, that remains your compliance baseline until a final rule — not a Unified Agenda listing — actually changes it.
For government contracting professionals: watch solicitations and contract modifications for language referencing Revision 3 once this rule publishes. A transition period, once set, will likely create a window during which some contracts still reference Rev. 2 while new ones begin citing Rev. 3.
For compliance professionals: start mapping your current Rev. 2 control set to Rev. 3's restructured requirements now, per our earlier breakdown in NIST SP 800-171 Rev 3: What Changed and What to Do. Because this will likely arrive as an interim final rule, you may have less advance runway than a typical notice-and-comment rulemaking would give you.
For procurement attorneys: confirm which of your client's or company's contracts reference 32 C.F.R. Part 170 and DFARS 252.204-7012, and be ready to advise on transition-period obligations as soon as the rule text is available — an interim final rule can create binding deadlines with little lead time.
A Practical Next Step
Do not wait for the rule to publish to take these steps:
1. Confirm which of your active contracts and solicitations currently reference NIST SP 800-171 Revision 2 versus Revision 3. 2. Review your Rev. 2 System Security Plan and map it against Rev. 3's restructured control families and organization-defined parameters. 3. Set a calendar reminder for July 2026 to check the Federal Register for the actual interim final rule text, since the Unified Agenda date is a target, not a commitment. 4. Once the rule publishes, identify the actual transition deadline and period it sets — this is the detail the current filing does not yet specify.
Key Takeaways
- RIN 0790-AM01 is a real, newly listed rulemaking in DoD's 2026 Unified Agenda that would set the deadline for transitioning CMMC from NIST SP 800-171 Revision 2 to Revision 3.
- It is scheduled to issue as an interim final rule, not a proposed rule, with a July 2026 (07/00/2026) target date that is DoD's own estimate and not guaranteed.
- The rule's scope is narrow: it revises the NIST documents incorporated by reference in 32 C.F.R. Part 170 and adds clarifying edits — it does not itself announce the transition deadline, which the eventual rule text will specify.
- DoD also disclosed a revised estimate that roughly 20% fewer companies will be affected by 32 C.F.R. Part 170 than previously assumed.
For the deeper walkthrough of what changed between the two NIST revisions, see NIST SP 800-171 Rev 3: What Changed and What to Do. Track your own requirement set on Find My Requirements, or compare standards on the Frameworks page.
Sources
- RIN 0790-AM01, Cybersecurity Maturity Model Certification (CMMC) Program, 2026 Unified Agenda, Office of Information and Regulatory Affairs, reginfo.gov, accessed July 9, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202510&RIN=0790-AM01.
- Executive Order 14347, Restoring the United States Department of War, The White House, September 5, 2025, https://www.whitehouse.gov/presidential-actions/2025/09/restoring-the-united-states-department-of-war/.
Informational only, not legal advice; this is a Unified Agenda listing, not a published rule — verify all details against the Federal Register once the interim final rule is issued.