If you've started reading about NIST SP 800-171, you've probably hit a confusing fork: there's a Revision 2 and a newer Revision 3, and it's not obvious which one CMMC actually holds you to. The good news is the answer is simple and stable: for CMMC Level 2 today, you build to Revision 2. Revision 3 is real, but it does not yet apply to you.
The short answer
CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 — the familiar 110 controls and the SPRS scoring built on the DoD Assessment Methodology. A May 2024 DoD class deviation directs contractors subject to DFARS 252.204-7012 to keep complying with Revision 2 while the Department and industry prepare for Revision 3. Until that changes through formal rulemaking, Rev 2 is the standard.
Why Rev 2 is still the standard
Revision 3 can't simply "go live." For it to become the CMMC baseline, several things have to happen first, and none of them have:
- DFARS clauses that currently reference Rev 2 have to be updated through rulemaking.
- SPRS has to be updated to score against Rev 3's restructured requirements.
- CMMC assessment criteria, assessor training, and C3PAO procedures all have to be revised to align with Rev 3.
Each of those is a deliberate, public process. Until they're complete, Rev 2 remains in force — and the Department has not announced a transition date.
What actually changed in Rev 3
Revision 3 isn't a tweak — it's a reorganization to align 800-171 more closely with NIST SP 800-53. The headline differences:
| Aspect | Revision 2 (current for CMMC) | Revision 3 (not yet adopted) |
|---|---|---|
| Control count | 110 requirements | ~95 (consolidated, not lowered) |
| New families | — | Planning (PL), System & Services Acquisition (SA), Supply Chain Risk Management (SR) |
| Parameters | Fixed values | Organization-defined parameters (ODPs) |
| Alignment | Earlier 800-53 mapping | Tighter to the latest 800-53 |
The drop from 110 to roughly 95 looks like fewer requirements, but it's mostly consolidation — combining overlapping items — not a relaxation of the standard. Rev 3 also adds genuinely new ground (supply-chain risk, acquisition, planning) that wasn't called out separately before.
Should you prepare for Rev 3 now?
Be aware of it; don't rebuild for it. The right posture for almost every small contractor:
- Benchmark against Rev 2. It's the official CMMC requirement today — build your SSP, score, and remediation plan around it.
- Don't re-architect for Rev 3. There's no transition date, and the move will come through future rulemaking that likely plays out over years.
- Keep good hygiene. Strong fundamentals — MFA, encryption, logging, supply-chain awareness — carry forward to Rev 3 anyway, so solid Rev 2 work is not wasted.
Score against the standard that counts today — free
Our SPRS calculator and SSP generator are built on Revision 2 — the version CMMC assesses now. Get your score and a documented plan in minutes, no signup.
Rev 2 vs Rev 3 — frequently asked
Does CMMC use Rev 2 or Rev 3?
Revision 2. CMMC Level 2 is assessed against 800-171 Rev 2 today; a May 2024 DoD class deviation keeps contractors on Rev 2 while alignment with Rev 3 is worked out.
Why hasn't DoD moved to Rev 3?
Because the DFARS clauses, SPRS scoring, and CMMC assessment/assessor procedures all reference Rev 2 and must be formally updated first. That rulemaking hasn't occurred.
How is Rev 3 different?
It aligns with 800-53, consolidates 110 requirements to ~95, adds Planning, System & Services Acquisition, and Supply Chain Risk Management families, and introduces organization-defined parameters.
Should I prepare for Rev 3 now?
Build to Rev 2 — it's the current requirement. Stay aware of Rev 3, but don't rebuild your program around it before there's a transition date.
Build to what counts
For CMMC in 2026, Revision 2 is the standard your assessor will use. Get your footing there first: calculate your SPRS score, document with the free SSP generator, and see how the broader framework fits together in NIST 800-171 vs CMMC.