
NIST SP 800-171 Rev 3: What Changed and What to Do

Revision 3 restructured the CUI standard. Here's what changed, why DoD contracts still use Rev 2, and how to prepare.

Brandon Hancock, J.D., CMMC-RP · Published April 22, 2026 · Updated June 8, 2026 · 6 min read

NIST SP 800-171 Revision 3 is finalized and published — but if you're a DoD contractor, you may still be required to comply with Revision 2. That apparent contradiction trips up a lot of teams. Here's what actually changed and how to plan.

Why There Are Two Live Versions

NIST published Revision 3 in May 2024 to modernize the CUI protection standard. But contractual requirements don't change just because NIST updates a document; they change when the contract clause points to the new version. DFARS 252.204-7012 nominally requires the version of SP 800-171 "in effect at the time the solicitation is issued," which is exactly why DoD stepped in: as of 2026, a class deviation keeps the clause tied to Revision 2 (110 requirements), and the CMMC program rule assesses against Rev 2 as well. In parallel, DoD has been publishing its organization-defined parameter (ODP) values for Rev 3, which prepare the ground for a later transition. Translation: comply with Rev 2 today; get ready for Rev 3.

What Changed in Revision 3

The revision was more than cosmetic. Key shifts include:

  • Restructured families and requirements. Rev 3 adds three families (Planning, System and Services Acquisition, and Supply Chain Risk Management) and consolidates, withdraws, and re-words requirements, bringing the count down from Rev 2's 110 to 97.
  • Organization-Defined Parameters (ODPs). Many Rev 3 requirements leave a blank, such as a password length, a session timeout, or an audit-log retention period, for the federal agency or organization to fill in rather than baking a value into the standard. This is why DoD's ODP publication matters: it pre-fills those blanks for the eventual transition, and where DoD sets no value, the contractor defines and documents one.
  • Updated and withdrawn requirements to reflect current threats and to better align with NIST SP 800-53.
  • Clarified language intended to reduce ambiguity in assessments.

What This Means for You

  • Don't re-baseline prematurely. If your contract references Rev 2, your assessment, SPRS score, and POA&M should be against Rev 2's 110 requirements. Submitting a self-assessment scored against Rev 3 would not match what the clause requires.
  • Track the transition. Watch for contract modifications, new solicitations, and CMMC guidance adopting Rev 3. The move is a question of when, not if.
  • Build transition-friendly. Where Rev 3 and DoD's ODPs are stricter or clearer, implementing to that standard now can reduce future rework — just keep your formal compliance evidence mapped to the version your contract requires.

A Practical Preparation Checklist

1. Confirm which revision each of your contracts references.
2. Keep your current Rev 2 assessment and SPRS score honest and within the three-year window.
3. Review DoD's ODPs and note where they tighten Rev 2 expectations.
4. Map your existing controls to Rev 3 so a future transition is an update, not a rebuild.

Key Takeaways

  • Rev 3 is published, but DoD contracts still run on Rev 2 for now.
  • The headline change is ODPs — agency-set parameters DoD has begun to define.
  • Comply to your contract's version, and prepare for the Rev 3 move in parallel.

Compare the standards on the Frameworks page, or score yourself with the Self-Assessment Checklists.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
