What Changed in NIST SP 800-171 Rev 3

NIST published SP 800-171 Revision 3 in May 2024 — the first substantive restructuring of the standard since Rev 2 came out in 2020. The headline change is structural: the framework moved from 110 security requirements across 14 families to 97 requirements across 17 families.

That's not a reduction in rigor. Three new control families were carved out of existing ones, several Rev 2 requirements were merged, and 57 requirements gained organization-defined parameters (ODPs) — giving contractors the ability to tailor specific values to their environment. Each of those ODPs comes with an expectation: written rationale in the SSP.

Rev 3 also added two supply-chain risk requirements (3.1.22 and 3.12.7) that didn't exist in Rev 2. For contractors relying on third-party managed service providers or cloud platforms to process CUI, these are new scoping decisions to make — and new evidence packages to assemble.

Key point: Rev 3 is the baseline CMMC Level 2 will reference for future rule updates — contractors scoping their SSP for the first time should build to Rev 3, not Rev 2.

The Control-Count Drop: 110 to 97 Isn't a Reduction in Rigor

The most-cited figure from Rev 3 is the control count: down from 110 to 97. That number travels widely and is almost always misread as a relaxation of requirements. It isn't.

The restructuring logic: several Rev 2 controls were merged into single requirements where the underlying intent was redundant, and a subset were promoted into three entirely new families. The net effect is a cleaner taxonomy, not a lighter workload. In some areas — particularly supply chain and planning — Rev 3 adds specificity that Rev 2 left vague.

| Rev 2 Family | Rev 2 Controls | Rev 3 Family | Rev 3 Requirements |
|---|---|---|---|
| Access Control (AC) | 22 | Access Control (AC) | 18 |
| Configuration Management (CM) | 9 | Configuration Management (CM) | 8 |
| System & Services Acquisition (SA) | 2 | System & Services Acquisition (SA) | 7 (expanded; absorbed SDLC and developer security) |
| — (not present in Rev 2) | — | Planning (PL) | 4 (new family; covers SSP and rules of behavior) |
| — (not present in Rev 2) | — | Supply Chain Risk Management (SR) | 5 (new family; was CMMC-only in prior versions) |
| System & Communications Protection (SC) | 16 | System & Communications Protection (SC) | 12 |

For contractors mid-assessment who built their SSP against Rev 2, the practical question isn't whether Rev 3 is harder — it's whether the structural mismatches between their existing documentation and Rev 3's taxonomy will require a full SSP rewrite or targeted addenda. In most cases, it's addenda, but the supply chain and planning families require net-new sections.

Organization-Defined Parameters: More Flexibility, More Documentation

One of Rev 3's most consequential changes is the introduction of organization-defined parameters (ODPs). Of the 97 requirements in Rev 3, 57 contain at least one ODP — a placeholder value that each contractor fills in based on their environment, risk tolerance, and operational needs.

Examples: the session timeout value for unattended workstations (3.1.10), the frequency of security awareness training (3.2.2), the review period for access privileges (3.1.6). In Rev 2, NIST either specified a fixed requirement or left no customization mechanism at all. Rev 3 formalizes the tailoring process.

The catch: assessors don't just check whether you've defined values. They check whether those values are documented in the SSP with a written rationale. A session timeout set to 30 minutes needs an explanation. An annual training review cycle needs justification. Without that documentation, the assessor marks the requirement MET-OTHER (partial credit) or NOT MET — depending on whether the control is implemented but undocumented, or simply absent.

Key point: Flexibility without documentation is a finding. Every ODP in your SSP needs an organization-defined value AND a written rationale. "We set it to X because of Y operational constraint" is what assessors want to see.

CMMC Level 2 Timing: Rev 2 Today, Rev 3 Tomorrow

Here's where the regulatory timing gets complicated. The active CMMC Level 2 rule — 32 CFR Part 170, which became effective in December 2024 — references NIST SP 800-171 Rev 2. That's what C3PAOs are assessing against today. Rev 3 is not yet the governing baseline for assessments.

DoD has signaled that a future rule update will incorporate Rev 3 when the CMMC program matures, but no timeline has been published. Given the pace of federal rulemaking and the DoD's phased CMMC rollout schedule, contractors doing first-time assessments in 2025 and 2026 will be assessed against Rev 2.

The problem is the transition cost. If you build an SSP against Rev 2 today and DoD transitions to Rev 3 in two to three years, you face a structural gap assessment — re-scoping three new control families, documenting ODPs for 57 requirements, and updating evidence packages. That work runs $50,000–$150,000 depending on your environment size. If you're already building now, the marginal cost of getting Rev 3-ready simultaneously is far lower than a full re-assessment cycle later.

The practical approach: document Rev 2 compliance for your assessment, but conduct a parallel gap assessment against Rev 3 and document the delta in your POA&M. That positions you to transition with minimal disruption when DoD moves the baseline.


The Three Domains That Expanded Most

Three areas of Rev 3 represent the biggest structural change for contractors coming from Rev 2 documentation.

Supply Chain Risk Management (SR) — New Family

SCRM was present in CMMC Level 2 as a program-level requirement but had no corresponding home in NIST 800-171 Rev 2. Rev 3 creates a dedicated Supply Chain Risk Management family with five requirements. These cover identifying and assessing supply chain risks (3.12.1), establishing a supply chain risk management plan (3.12.2), evaluating the security practices of suppliers (3.12.3), and implementing controls to counter identified risks (3.12.4, 3.12.7).

For contractors using cloud-hosted CUI environments, commercial software with government use rights, or third-party MSPs for IT operations, this family requires documenting exactly how those relationships are assessed and monitored. Vendor questionnaires, contract clauses, and third-party assessment evidence all become SSP artifacts.

Planning (PL) — New Family

The Planning family in Rev 3 codifies requirements that were previously implicit or scattered across other families. It includes the System Security Plan itself (3.PL.1), rules of behavior for CUI system users (3.PL.2), an information security program plan (3.PL.3), and insider threat program documentation (3.PL.4).

This is significant because it means the SSP is now a named requirement with its own control identifier — not just a document you produce to satisfy the assessment process. Assessors will treat the SSP as an artifact under active scope, not just a framing document. SSPs that describe controls without specifying ODP values, system boundaries, or connection agreements will have specific findings against Planning requirements.

System and Services Acquisition (SA) — Significantly Expanded

The SA family went from 2 requirements in Rev 2 to 7 in Rev 3. The additions cover software development security (3.SA.3), security testing of system components (3.SA.4), supply chain due diligence for acquired systems (3.SA.5), and the use of developer-provided security documentation (3.SA.6, 3.SA.7).

For contractors that develop or configure software internally — common in defense research and systems integration firms — these requirements mean the SDLC becomes an in-scope process. Penetration testing, secure coding standards, and configuration baselines for developed software are now explicit evidence requirements, not optional best practices.

Building Your Rev 3 Gap Assessment

Contractors who already have a Rev 2 SSP in place don't need to start from scratch. The structural differences are meaningful but addressable with a disciplined four-step gap process.

  1. Map existing Rev 2 controls to Rev 3 identifiers. NIST published a crosswalk table in the Rev 3 publication that maps each Rev 2 requirement to its Rev 3 counterpart (or notes when it was merged or relocated). Walk through each of your existing SSP controls against this crosswalk. Most will map cleanly; flag the ones that moved families or were subdivided.
  2. Identify ODP-bearing requirements and draft values. Pull the list of 57 ODP requirements from the Rev 3 appendix and review each one against your current environment. For each ODP, document the organization-selected value and a brief rationale. This becomes a new SSP appendix or inline annotation depending on your SSP format.
  3. Scope the three new families against your environment. For Planning, confirm your SSP covers all four PL requirements as explicit control statements. For Supply Chain Risk Management, identify all third-party components, cloud platforms, and managed services that process or store CUI, and draft the SCRM plan. For System and Services Acquisition, determine whether any internally developed or customized software falls in scope and document your SDLC security controls accordingly.
  4. Update your POA&M. Any gap between your current documentation and Rev 3 requirements becomes a POA&M item. Assign owners, remediation dates, and estimated effort. This positions the gap work as managed, not ignored — which matters if your prime contractor or contracting officer asks about Rev 3 readiness before the rule update.

Know Your Rev 3 Gaps Before the Assessor Does

Start with the CMMC eligibility check to establish your current posture, then work with Altiri's advisory team to map your Rev 2 SSP against Rev 3 requirements and build your transition roadmap.