
NIST 800-171 Rev 3: What Changes for Defense Contractors in 2026

NIST finalized SP 800-171 Revision 3 in May 2024. DoD is still anchored to Revision 2 for CMMC Level 2 assessments, but Rev 3 is the direction the standard is heading. Here is what changed, and what you should be doing about it now.

NIST Special Publication 800-171 is the framework that defines how non-federal organizations should protect Controlled Unclassified Information. Revision 2 has been the anchor of CMMC Level 2 since the program was first proposed, and it is what every C3PAO is assessing against in 2026. But NIST published SP 800-171 Revision 3 in May 2024, and the companion assessment guide SP 800-171A Rev 3 followed shortly after. The question every compliance-minded contractor is asking is simple: when does CMMC move to Rev 3, and what should we be doing about it now?

The short answer is that CMMC Level 2 is still Rev 2 as of April 2026. The longer answer is that Rev 3 is inevitable, the changes are meaningful, and the contractors who start mapping their environments to Rev 3 this year will have an easier time when the DoD officially transitions.

What Actually Changed in Rev 3

Rev 3 is not a cosmetic update. NIST restructured the control catalog, rewrote many of the control statements, and tightened the linkage between 800-171 and the underlying SP 800-53 moderate baseline. The most visible changes fall into a few buckets:

  • Organization-Defined Parameters (ODPs). Rev 3 introduces ODPs that allow, and in practice require, contractors to specify their own values for things like minimum password length, session lock timers, and audit review frequency. Rev 2 baked most of those values into the control text. ODPs give organizations flexibility but add documentation burden, because every chosen value has to be written down and defensible to an assessor.
  • Restructured control families. Rev 3 adds a dedicated Planning family and a Supply Chain Risk Management family, reflecting how CUI risk has evolved in the seven years since Rev 2.
  • Removed, consolidated, and withdrawn controls. NIST withdrew some Rev 2 controls that were redundant or had been absorbed into other requirements, and consolidated several overlapping items. As a result, the total requirement count changed, so a one-to-one mapping between the two revisions does not exist.
  • Increased rigor in specific areas. Identity and access management, incident response, and supply chain security all received stronger language, and the assessment objectives in 800-171A Rev 3 are more explicit about what evidence is required.

Why the DoD Has Not Moved Yet

The CMMC Program Rule at 32 CFR Part 170 is written against NIST SP 800-171 Revision 2. Changing the anchor reference is not a memo. It requires rulemaking, public comment, and coordination with the C3PAO ecosystem that just finished training its assessors on Rev 2. Every C3PAO assessment report in 2026 is being written against Rev 2 objectives in 800-171A Rev 2. That infrastructure is not going to pivot overnight.

Realistically, the DoD will signal its Rev 3 transition well in advance, and there will be a grace period during which contracts can be assessed against either revision. But the direction is clear, and contractors who are planning multi-year compliance investments in 2026 should be thinking about Rev 3 alignment even while they certify against Rev 2.

“Treat Rev 2 as the exam you have to pass this year and Rev 3 as the exam you are going to take next year. If you build your System Security Plan with Rev 3 in mind, you do not have to rewrite it when the transition happens. You just map it.”

Rick Dassler, CMMC Ready Now

What Contractors Should Do Now

The practical answer is not “throw out your Rev 2 work.” Your Rev 2 compliance program is what you need to pass your C3PAO assessment in 2026. What you can do is shape how you document and implement Rev 2 controls so that a Rev 3 transition is a mapping exercise, not a rebuild.

  • Document your organization-defined parameter values now, even though Rev 2 does not require it. Password length, session timeouts, audit log retention, and incident response timelines should all exist as written policy values your team can point to.
  • Build a Planning artifact and a Supply Chain Risk Management artifact, even if they are thin. When those families become required under Rev 3, you will already have something to evolve.
  • Cross-reference your System Security Plan against the SP 800-53 moderate baseline. Rev 3 leans more heavily on that mapping, and tightening it now costs you nothing.
  • Track the NIST public comment and FAQ pages for 800-171 and 800-171A, and subscribe to DoD CIO updates on CMMC. The transition signals will come from there first.
  • When you remediate a control, implement to the tighter of the two revisions. If Rev 3 says “quarterly” and Rev 2 says “annually,” do quarterly. You lose nothing and you future-proof the work.

The Big Picture

CMMC is not a one-time event. It is a program that will evolve as NIST evolves its underlying standards and as the threat landscape changes. Rev 3 is the next waypoint, not the final destination. The contractors who treat compliance as a continuous capability instead of a one-time project will be the ones who adapt cleanly when Rev 3 becomes the standard and then, eventually, when Rev 4 shows up after that.

For right now, in April 2026, your priority is your Rev 2 assessment readiness. Just do the Rev 2 work with Rev 3 in mind, and you will be in a much better position when the DoD finally moves the anchor.

Need help navigating CMMC?

Book a free 30-minute call with Rick. No sales pitch - just straight answers about where you stand and what to do next.
