The entire DIB must remember that CMMC compliance is a continual journey that is necessary to protect our warfighters and our nation.
Compliance with the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program is now mandatory for any defense industrial base (DIB) organization that wants to maintain or win DoD contracts. CMMC is based on the 110 security controls documented in the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, Revision 2 (Rev. 2). Even as many DIB companies are still hurrying to bring their businesses into compliance with this standard, the DoD is preparing to update its requirements to align with the next version of SP 800-171: Rev. 3.
A snapshot of NIST’s Rev. 3
Published in May 2024, Rev. 3 updates the security requirements for protecting controlled unclassified information (CUI) in non-federal systems. It adds three new security control “families” to the 11 included in Rev. 2, emphasizing supply chain security, incident response and countering advanced threats. Rev. 3 also aligns more closely with the control structure and terminology of the widely adopted NIST SP 800-53 Rev. 5 standard that details requirements for protecting information systems’ confidentiality, integrity and availability.
Technically, Rev. 3 has 13 fewer requirements than the 110 in Rev. 2, but in practice that does not mean there are fewer things on the checklist. In fact, there are more. Many of the withdrawn Rev. 2 requirements were simply merged into other requirements, and so must still be met. Additionally, Rev. 3 includes 88 organization-defined parameters (ODPs) — specific values within controls, such as password length or session timeout duration, for which agencies must set values or thresholds. While NIST allows organizations flexibility in deciding those values, the DoD has instead defined exactly what they must be for CMMC compliance.
Another big change in Rev. 3 is the formal inclusion of basic security requirements known as non-federal organization (NFO) controls. Rev. 2 Appendix E listed 61 of these, but NIST assumed, wrongly, that organizations would routinely satisfy them, and so did not explicitly require them for compliance with the standard. Now, nearly all of the Rev. 2 NFO controls are core to Rev. 3, and they represent the bulk of Rev. 3’s net new requirements.
Balancing focused and dynamic planning
While the DoD has not yet disclosed the specific timeframe for requiring Rev. 3 compliance, published memoranda indicate it is expected in future rule-making, likely within the next 12-18 months. How that impacts DIB members depends on where they are in their CMMC journey. A growing number of DIB companies have achieved CMMC certification or are preparing for their certification assessment, but many others are still quite far behind. How each group approaches its preparation, and how it addresses both Rev. 2 and Rev. 3, depends on when it intends to certify.
Even organizations that are already CMMC compliant will need time to implement this next standard. The migration requires planning, but with an important caveat. One of the biggest challenges will be migrating in a way that does not introduce what the DoD considers a “major change” to an information technology environment, because that would trigger a costly and time-consuming CMMC re-certification requirement. Unfortunately, the DoD to date has not defined what constitutes a major change, leading to rumor and speculation — two practices that just aren’t helpful.
So how can organizations start migrating toward Rev. 3 without triggering a re-assessment? Flexibility is key. Although we can’t know with certainty until the DoD officially defines a major change, it is unlikely that taking some foundational steps will impose a re-assessment requirement.
All DIB companies currently pursuing CMMC certification should base their preparation on Rev. 2 until the DoD formally announces a firm Rev. 3 requirement. Companies should follow the NIST SP 800-171A assessment guide. Each requirement in Rev. 2 has corresponding assessment objectives that must be satisfied before the requirement is considered implemented. While 800-171A doesn’t explicitly label ODPs, it includes objectives known as “defines” and “specifies” that can be used to set parameters such as password length or session timeout duration.
Then, start on a Rev. 3 migration plan, and even begin voluntarily moving to Rev. 3 before the DoD’s rule-making is complete. Implementing the NFOs outlined in Rev. 2 Appendix E will also provide a head start on addressing many of the new Rev. 3 objectives. These steps take time, and they allow DIB members to keep moving while precise official guidance is still being developed. Throughout, all DIB members should continue monitoring for updates and keep track of official DoD rule-making around Rev. 3 adoption.
While DIB members need to navigate some uncertainty, cyber threats have always been a moving target, and addressing them through proper cyber defense is a reality of modern business. The entire DIB must remember that CMMC compliance is a continual journey that is necessary to protect our warfighters and our nation.
Ned Butler is lead CMMC certified assessor at Redspin.
Copyright
© 2026 Federal News Network. All rights reserved.