# NIST Just Finalized 800-172 Rev 3 — Here's Why CMMC Level 3 Contractors Shouldn't Panic Yet
*On May 13, 2026, NIST finalized a much bigger version of the enhanced-security publication behind CMMC Level 3. The headline number nearly tripled — but if you're chasing Level 3 today, the rules you're measured against did not change.*
On May 13, 2026, NIST released the final versions of Special Publication 800-172 Revision 3 and its companion assessment guide, 800-172A Revision 3. For the small but high-stakes group of defense contractors pursuing CMMC Level 3, the change looks dramatic on paper: the enhanced security requirements grew from 39 in the original publication to roughly 115 in Rev 3. The natural reaction is to assume a massive new compliance lift just landed. It didn't — at least not yet. Here's what actually happened, and what it means for your timeline.
## What 800-172 Is, and Where It Sits
NIST SP 800-171 is the familiar 110-control baseline for protecting Controlled Unclassified Information (CUI) on contractor systems. 800-172 is the "enhanced" layer on top of it — a set of additional requirements aimed at defending against the Advanced Persistent Threat: well-resourced adversaries targeting high-value assets and critical programs.
In the CMMC framework, those enhanced requirements are what distinguish Level 3 from Level 2. Level 2 maps to the full NIST 800-171; Level 3 adds a selected subset of 800-172's enhanced requirements, assessed by the government rather than a third party. Level 3 applies to the most sensitive defense work, so it touches a relatively narrow slice of the Defense Industrial Base — but for that slice, 800-172 is the rulebook.
## What Changed in Revision 3
Rev 3 is a substantial rewrite, not a touch-up:
- Far more requirements. The publication expands from 39 enhanced security requirements to approximately 115, with the large majority being new. Early community analysis also notes a heavy use of organization-defined parameters (ODPs) — values that an agency or DoD fills in, the same mechanism that has complicated the 800-171 Rev 3 conversation.
- Broader coverage. New and expanded material addresses access control, network segmentation, asset management, and supply-chain security, with fresh mappings to NIST's SP 800-160 protection strategies and adversary-effects model to support cyber resiliency.
- Restructured to match 800-171 Rev 3. The format and numbering were revised for consistency with the Rev 3 family, which means the control identifiers themselves changed.
The companion 800-172A Rev 3 was updated in step, so assessors have procedures matching the new requirements.
## Why You Shouldn't Panic Yet
Here's the part that matters for planning: CMMC Level 3 has not adopted Revision 3. The program still draws its enhanced requirements from the February 2021 edition of 800-172. DoD has not opened rulemaking to move CMMC to Rev 3, and until it does, the requirements you are assessed against — and the control IDs your documentation references — remain the 2021 set.
In other words, NIST finalizing a publication is not the same as DoD requiring it. The two move on separate tracks. A NIST special publication becomes a contractual obligation only when an acquisition rule (here, the CMMC rule and the DFARS) points to it. Right now, that pointer still aims at the 2021 edition.
So if you are mid-effort toward Level 3, keep building to the current 24 enhanced requirements. Swapping to the Rev 3 control set today would mean documenting against a standard your assessment won't use.
## What This Sets Up
The reason to track this closely is what it enables. With Rev 3, both halves of the CUI standard are now final at the new revision level — 800-171 Rev 3 and 800-172 Rev 3. That gives DoD the option, whenever it chooses to act, to modernize CMMC Level 2 and Level 3 in a single rulemaking rather than two. When (not if) that rulemaking opens, expect a comment period and a phase-in — DoD has consistently used class deviations and transition windows rather than flipping a switch.
The smart posture: treat Rev 3 as a preview of the next baseline, not the current one. Read it, brief your team, and note where the expansions (segmentation, asset management, supply chain) would stretch your current program — but make today's compliance decisions against the 2021 edition that CMMC still enforces.
## Key Takeaways
- NIST finalized SP 800-172 Rev 3 and 800-172A Rev 3 on May 13, 2026, expanding enhanced CUI requirements from 39 to roughly 115.
- CMMC Level 3 still uses the February 2021 edition. DoD has not adopted Rev 3, so your current requirements and control IDs are unchanged — keep building to the existing set.
- Both 800-171 Rev 3 and 800-172 Rev 3 are now final, giving DoD the option to update CMMC Levels 2 and 3 together in a future rulemaking. Watch for that rulemaking; don't pre-migrate.
---
*Sources: NIST — Releases SP 800-172r3 and 800-172Ar3; CSRC — SP 800-172A Rev. 3 (final); Wiley — Updates to NIST Cybersecurity Guidance May Impact Government Contractors. Informational only, not legal advice.*