NIST 800-171 Revision 3 Is Coming to CMMC. Here Is What It Means and What to Do Now.

Tego Secure IT Solutions | Cloud, Cybersecurity & IT Services > Blog > Blog > NIST 800-171 Revision 3 Is Coming to CMMC. Here Is What It Means and What to Do Now.

NIST 800-171 Revision 3 Is Coming to CMMC. Here Is What It Means and What to Do Now.

The one sentence to read twice: This rule is not yet in effect, and Revision 2 remains the standard your assessment is measured against today.

NIST 800-171 Revision 3 has moved from theory to the regulatory calendar, and every Defense Industrial Base contractor handling CUI should take note. In the Fall 2025 Unified Agenda, published in early July 2026 after a long delay, the Department of War listed the rulemaking the DIB has waited on for two years: RIN 0790-AM01, an amendment to 32 CFR Part 170 that moves the CMMC program from NIST SP 800-171 Revision 2 to Revision 3. This is the first time this action has appeared on any regulatory agenda, and it targets an Interim Final Rule in July 2026. By the DoW’s own calendar, that means this month.

The DoD’s 2024 class deviation continues to keep the program on Rev. 2. Therefore, building to Rev. 3 prematurely is the fastest way to show “unmet” requirements against the standard your C3PAO will actually use. Before you reorganize a single System Security Plan, keep that in mind.

What is NIST 800-171 Revision 3?

NIST 800-171 Revision 3 is the updated version of the federal standard for protecting Controlled Unclassified Information, and it is the standard CMMC is preparing to adopt in place of Revision 2. In practice, it consolidates requirements, adds three new control families, and replaces vague language with centrally defined parameters. It is not a lighter standard. It is more specific.

Why the Interim Final Rule matters

The transition is slated as an Interim Final Rule (IFR), not a proposed rule, and that distinction changes your timeline. An IFR can take effect upon publication, with public comment collected afterward. The original CMMC program rule, by contrast, went through the full proposed-then-final path. Running the Rev. 3 transition as an IFR compresses the runway between publication and effect. As a result, the only window to influence details such as the length of the transition period opens after the rule is already live. For an organization with a functioning CUI enclave, that shortens your reaction time considerably.

What actually changes in Revision 3

Every compliance framework drifts toward entropy over time: vague verbs, inconsistent interpretations, and gaps that quietly widen. Revision 3 is NIST’s effort to restore order to the system. Here is what shifts:

  • Requirements were consolidated from 110 to roughly 97. Most “withdrawn” controls were folded into others, not eliminated.
  • Three new families appear: Planning, System and Services Acquisition, and Supply Chain Risk Management.
  • Vague language gives way to 88 Organization-Defined Parameters (ODPs) across roughly half of the requirements.
  • Assessment determination statements increase by about 32%, so the evidence burden grows even as the control count falls.

The ODPs deserve special attention. For CMMC, the DoW sets the parameter values centrally rather than leaving each contractor to define them. Consequently, this changes how you author SSP language: you will document against DoW-defined values rather than your own interpretation of “periodically” or “limit.”

How the transition timing collides with CMMC Phase 2

It is important to note that this transition rule is still set to land in mid-2026. You may have seen the news that the Department of War announced an immediate suspension of CMMC Phase II requirements on July 13, 2026. The mandatory third-party certification requirement, scheduled to take effect on November 10, 2026, requires Level 2 contracts to be verified by a C3PAO. The Department cited a capacity shortfall as the reason, with roughly 100 authorized assessors against well over 100,000 businesses that still needed a third-party assessment. A CMMC Reform Task Force now has 60 days to recommend a revised program structure.

What to do now, in order

  1. Stay on Revision 2. It is the baseline for every assessment today, and throughout the transition period, the rule will be defined. Nothing you have built is wasted, because Rev. 3 is built on Rev. 2.
  2. Start a crosswalk from Rev. 2 to Rev. 3. Prioritize the three new families and the previously assumed NFO controls that Rev. 3 makes explicit, since that is where most organizations have the least existing evidence.
  3. Prepare for ODPs. Identify where DoW-defined parameters will replace your current SSP language, and structure documentation so those values drop in seamlessly.
  4. Set a Federal Register watch on RIN 0790-AM01 and the DoW’s published ODP values. When the IFR is published, the comment window opens at the same time, so plan to weigh in early if the transition timeline affects you.

Success in this transition will come to the organizations that calmly mapped the delta, kept their Rev. 2 posture solid, and stood ready to reorganize the moment the rule requires it.

What is NIST 800-171 Revision 3?

NIST 800-171 Revision 3 is the updated federal standard for protecting Controlled Unclassified Information, and CMMC is preparing to adopt it in place of Revision 2. Tego notes that it consolidates requirements from 110 to roughly 97, adds three new control families, and introduces 88 Organization-Defined Parameters. It is more specific than Rev. 2, not lighter.

Is NIST 800-171 Revision 3 in effect for CMMC yet?

No. Revision 3 is not yet in effect, and Revision 2 remains the standard against which every CMMC assessment is measured today. The DoD’s 2024 class deviation pins the program to Rev. 2. Tego advises contractors to continue building to Rev. 2 until the transition rule is published and takes effect.

What is RIN 0790-AM01?

RIN 0790-AM01 is the Department of War rulemaking that amends 32 CFR Part 170 to move CMMC from NIST 800-171 Revision 2 to Revision 3. It first appeared in the Fall 2025 Unified Agenda, published in early July 2026, and targets an Interim Final Rule in July 2026.

What changes between NIST 800-171 Rev. 2 and Rev. 3?

Revision 3 consolidates requirements from 110 to about 97, adds three families (Planning, System and Services Acquisition, and Supply Chain Risk Management), and replaces vague language with 88 Organization-Defined Parameters. Tego notes that assessment determination statements rise by about 32%, so the evidence burden grows even as the control count falls.

What are Organization-Defined Parameters (ODPs) in CMMC?

Organization-Defined Parameters are specific values that clarify previously vague requirement language, such as how often a control runs. For CMMC, the DoW sets these values centrally rather than allowing each contractor to define them, so Tego recommends authoring SSP language based on DoW-defined values rather than on your own interpretation.

What is an Interim Final Rule, and why does it matter here?

An Interim Final Rule can take effect upon publication, with public comment collected afterward. Running the Rev. 3 transition as an IFR compresses the time between publication and the rule’s effective date, so the window to influence details such as the transition period opens only after the rule is live. Tego warns that this shortens contractor reaction time.

When does CMMC Phase 2 begin?

CMMC Phase 2 begins on November 10, 2026, when Level 2 third-party (C3PAO) assessments start appearing in solicitations. Because the Rev. 3 transition is slated for mid-2026, Tego stresses the need to watch for the rule text and how its transition period treats in-flight and newly triggered assessments.

How should DIB contractors prepare for NIST 800-171 Revision 3 now?

Stay on Rev. 2, start a Rev. 2-to-Rev. 3 crosswalk focused on the three new families and NFO controls, prepare documentation for DoW-defined ODP values, and set a Federal Register watch for RIN 0790-AM01. Tego’s Advisory Services team can scope a crosswalk for your specific CUI environment.

Why work with Tego on your Rev. 3 crosswalk

As a Registered Practitioner Organization (RPO), Tego’s Advisory Services team delivers CMMC and NIST 800-171 every day, including GCC High and GovCloud enclave architectures for the most sensitive CUI environments. Because we live inside these assessments, we can map your delta before the rule forces the question.

Want a Rev. 2-to-Rev. 3 crosswalk scoped for your environment? Contact Tego’s Advisory Services team at info@tegodata.com, and we will map exactly where you stand before the IFR lands.

Disclaimer: This alert is for informational purposes and reflects a regulatory agenda item that may change. It is not legal advice.