Source: securityboulevard.com – Author: Max Aulakh
The world of cybersecurity is always changing, with rapid evolution in both threat and response creating a continual churn in knowledge, technology, and standards.
Frameworks meant to help protect systems and businesses, especially the government, tend to be comparatively slow. It takes a lot of momentum and effort to get a new framework iteration through the various committees, analysis groups, and other roadblocks necessary to get it approved.
Most of these frameworks, like ISO 27001, FedRAMP, and CMMC, get around this by making their requirements and standards more generic. Rather than specifying a given technology, for example, they specify a certain category of technology. You don’t need to “use AES-256 encryption”, you need to “use an approved encryption algorithm.” That way, as technology evolves, the standards evolve with it.
That doesn’t mean the framework itself doesn’t change, however. In fact, CMMC has recently received its latest update to the underlying NIST document that outlines its standards. This document, NIST Special Publication 800-171, has been updated to Revision 3, and Revision 2 has been withdrawn.
If you’re a business and are looking to become part of the defense industrial base, or if you’re already part of that group and are concerned about the transition from revision two to revision three, what do you need to know? What has changed, what do you need to do differently, and what areas might get you in trouble? Let’s run through what you need to know.
What Changes in CMMC from Rev 2 to Rev 3?
Before digging in, there’s one common misconception we need to clear up: the recent memo and update were not about a new version of CMMC itself.
This confusion comes because there are two key documents/systems at play as parts of CMMC. One is the CMMC framework itself, and the other is the NIST publication it uses. CMMC did, in fact, recently update around the end of 2024 to CMMC 2.0. You can read our detailed analysis of the CMMC 2.0 Final Rule in our post here.
The other update we’re discussing today is to the underlying NIST SP 800-171 document. This change, from NIST SP 800-171 Rev 2 to NIST SP 800-171 Rev 3, is actually a little older than the CMMC update, having happened in May of 2024. However, it is becoming more relevant as more and more CMMC-certified contractors reach their annual recertification audits and confront the change in underlying rules.
If you’re interested in looking at the documents yourself, they can (for now) still be found on the NIST site.
- NIST SP 800-171 Revision 2 (Withdrawn May 14, 2024)
- NIST SP 800-171 Revision 3 Final (Published May 14, 2024)
Additionally, NIST provides a spreadsheet outlining the changes from Revision 2 to Revision 3 if you want to analyze it individually. You can find that spreadsheet here. You can also view the draft history through the three drafts of Revision 3, if you’re curious, though there’s no real benefit to doing so.
So, what has changed from Revision 2 to Revision 3?
Outlining the Changes from NIST SP 800-171 Revision 2 to Revision 3
There are a few key points worth knowing about the change in version.
These include:
- 18 security controls did not tangibly change. A few have changed in very slight word choices, but nothing with regard to implementation was affected; it was just for the sake of clarity or updated verbiage.
- 15 security controls have changed in small ways. These changes are generally editorial in nature, but can have small impacts on the level of detail in your documentation or artifacts, or on the required outcomes of a control.
- 46 security controls were more significantly changed. These changes include things like added details, more comprehensive artifacts and proof required, or foundational changes to the requirements.
- 19 security controls were added when they did not exist before. Some of these are new combinations of previous, removed controls. Others are new controls to address new types of technology.
- 33 security controls were removed. Some of these were contradictory, outdated, or unnecessarily confusing. Many of them simply overlapped with other controls and were merged, so the responsibility for those controls still exists, just under a different heading.
- 49 new ODPs, or Organizationally-Defined Parameters, were added. More on those later.
In a practical sense, what does all of this mean?
First, we need to disabuse you of a potentially dangerous notion. While revision 2 had 110 security controls and revision 3 only has 97, that does not mean you have less responsibility and less detail to handle.
The reality is that, while there are fewer individual controls, many of them are now broader in scope, so each one carries more detail and more requirements than before.
Similarly, while 33 security controls were technically removed, nearly all of them have been merged and rolled into other controls. The responsibilities still exist, just under different names. In practice, this means that you still have to be doing all of the things you’ve been doing, but you will have to reorganize and reevaluate the record-keeping and documentation you’ve done to make sure it’s still accurate.
In fact, one of the biggest changes between revision 2 and revision 3 – at least as far as the practical realities of complying with CMMC and NIST SP 800-171 – is that revision 3 has more determination statements and requirements. It’s a 32% increase in individual artifacts, up from 320 to 422.
Before you panic, however, keep in mind that many of these determination statements are effectively just previous documentation broken apart and published individually rather than in one larger statement. A lot of it is stuff you’ve already been doing, just formatted differently.
The Latest Memo: DoD Guidance on Organizationally Defined Parameters
Organizationally-Defined Parameters are a big sticking point with CMMC. So, adding nearly 50 new ones seems like it could be grounds for a lot of confusion and problems.
In NIST SP 800-171 revision 2, one of the biggest problems was a frustrating level of non-specificity in certain controls. A prime example is that you must “limit unsuccessful log-on attempts” to your systems.
What does that mean?
If one business decides that it will cut off access after five unsuccessful attempts, is that good enough? If another business decides to limit it to three, does that affect the first business or make them less in compliance? Is ten acceptable at all? Is it a daily limit, an hourly limit, or another temporal limit?
None of these questions are answered.
This led to a lot of confusion and a lot of copycat implementations that may not actually be most effective for a given organization. Businesses would take guidance from previously certified businesses, regardless of whether it was the best option.
Revision 3 attempts to do away with some of this confusion with the introduction of ODPs. The revision 3 version of limiting login attempts is now “enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods and take [organizationally defined] actions after the maximum attempts have been made.”
There are three instances of the [organizationally defined] box in this one control, and that means that control has three ODPs. It’s a way that NIST encourages the organization to understand what the control wants of them, set the rules for the best case for the organization, and maintain that specific set of parameters (as reported to CMMC auditors).
Overall, there are 88 total ODPs in revision 3. These are carried in addition to the 422 determination statements you need to make, for a total of 510 items you need to track and report.
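To make the three ODPs in the unsuccessful-logon control concrete, here is an added example (not from the original post or the DoD memo) that evaluates logon events against an attempt limit, a counting window, and an action; the parameter values and the sample events are constructed placeholders, not the DoD-defined values.

```python
from collections import deque
from datetime import datetime, timedelta

# The three ODPs in Rev 3's unsuccessful-logon control, as the article describes
# them. These values are constructed placeholders, not the DoD memo's values.
MAX_ATTEMPTS = 5                 # ODP 1: limit of unsuccessful attempts
WINDOW = timedelta(minutes=15)   # ODP 2: time period the attempts are counted over
ACTION = "lock_account_30m"      # ODP 3: action once the limit is reached

class LogonAttemptMonitor:
    """Sliding-window counter of failed logons per account, driven by the ODPs."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, action=ACTION):
        self.max_attempts, self.window, self.action = max_attempts, window, action
        self._failures = {}  # account -> deque of failure timestamps

    def record(self, account, success, when):
        """Record one logon result; return the ODP action if the limit is hit."""
        q = self._failures.setdefault(account, deque())
        if success:
            q.clear()  # a successful logon resets the counter
            return None
        q.append(when)
        while q and when - q[0] > self.window:  # age out old failures
            q.popleft()
        if len(q) >= self.max_attempts:
            q.clear()
            return self.action
        return None

# Constructed sample events: (account, success, ISO timestamp)
SAMPLE_EVENTS = [
    ("alice", False, "2025-05-01T09:00:00"),
    ("alice", False, "2025-05-01T09:01:00"),
    ("alice", True,  "2025-05-01T09:02:00"),  # success resets alice
    ("bob",   False, "2025-05-01T09:00:00"),
    ("bob",   False, "2025-05-01T09:03:00"),
    ("bob",   False, "2025-05-01T09:06:00"),
    ("bob",   False, "2025-05-01T09:09:00"),
    ("bob",   False, "2025-05-01T09:12:00"),  # fifth failure within 15 minutes
    ("carol", False, "2025-05-01T09:00:00"),
    ("carol", False, "2025-05-01T09:20:00"),  # first failure has aged out
]
def evaluate(events, **odps):
    """Feed events to a monitor; return {account: action} for accounts that hit the limit."""
    mon, hits = LogonAttemptMonitor(**odps), {}
    for account, ok, ts in events:
        action = mon.record(account, ok, datetime.fromisoformat(ts))
        if action:
            hits[account] = action
    return hits
```

Changing any of the three keyword arguments to `evaluate` shows how a different ODP choice changes which accounts are actioned on the same event stream.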
The New ODP Memo
One reason we’re focusing on ODPs so much is that in April of 2025, the DoD issued a new memo that provides guidance for ODPs.
If you read the above section and you thought “but this still doesn’t answer my questions”, you’re right. Specifying what variables need to be defined does not actually help all that much when your actual question was what ranges are acceptable for those variables.
The new DoD memo, titled Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3 (found here), says this:
“A key aspect of [NIST SP 800-171 Rev 3] is the inclusion of organization-defined parameters (ODPs), which allow organizations to tailor select security controls to specific security requirements, as determined by unique organization risk management strategies. In preparation to implement [NIST SP 800-171 Rev 3] as the minimum requirement for contractors, the Department of Defense (DoD) has defined as policy the attached values for the ODPs identified in the [NIST SP 800-171 Rev 3] source document.”
It goes on to discuss how the values they settled on were collected from input from various DoD offices and experts, external governmental agencies, stakeholders from university-affiliated research centers, and others who comply with NIST SP 800-171 in general. It’s effectively a list of values for all 88 ODPs, representing consensus from DoD stakeholders.
The memo is two paragraphs of introduction, followed by 52 pages of description of each security control that contains an ODP, and what the DoD has determined is the ideal for that ODP. A few examples include:
- Access Control, 3.1.1, System Account Management, part g, notifying account managers when accounts are no longer required: ODP, “at most 90 days”
- Access Control, 3.1.11, Session Termination, Terminating user sessions automatically after ODP: “a specified duration (maximum of 24 hours) of inactivity, misbehavior (end the session due to an attempted policy violation), and maintenance (terminate sessions to prevent issues with an upgrade or service outage)”
- Configuration Management, 3.4.8, Software Execution Authorization, part c, Review and update the list of authorized software programs: ODP, “at least quarterly”
The memo as a whole represents a very handy review of all of the ODPs and what an ideal configuration would look like.
Do you need to use the DoD-defined ODPs? Generally speaking, yes. There may be some room to make your own policies stricter than what the DoD has defined, but there’s also no reason to do so outside of extenuating circumstances. The only real flexibility is in a small handful of ODPs where the DoD has given a range rather than a specific value.
How to Transition from NIST SP 800-171 Revision 2 to Revision 3
For now? Don’t.
This is the big trick right now: CMMC V2, the currently-active version of CMMC subject to the Final Rule, and the version you have to comply with to obtain CMMC certification, uses NIST SP 800-171 Revision 2.
It’s a matter of simultaneous development from different groups not lining up nicely. CMMC 2.0 had been in development for years, and its full release was scheduled and built around NIST SP 800-171 Revision 2. Unfortunately, the groups responsible for NIST SP 800-171 were also working on their own update, and happened to roll it out around the same time. CMMC did not develop its new framework based on the new NIST revision. The CMMC auditors and training courses still rely on Revision 2. Even if CMMC wanted to say “actually, go with Revision 3”, the ecosystem would be utterly unprepared to handle it.
What do you need to do right now? If you are already certified with CMMC 2.0, keep doing what you’re doing, but start looking at what NIST SP 800-171 revision 3 has in store. Learn the ODPs, start building up your documentation for the inevitable shift to revision 3, and prepare for the future. You don’t need to start implementing Revision 3 controls yet, but you can proactively pay attention to what they say and how they need to be implemented.
If you aren’t already certified with CMMC, it depends on your timeline. If you’re planning to join the DIB in the near future, your implementation will still need to be on Revision 2. If you’re considering joining the DIB but don’t have immediate plans to do so, you can start slowly working towards Revision 3 compliance, and be in the first wave of those certified with the rules shift in the future.
Currently, there is no timeline for adopting NIST SP 800-171 Revision 3 into CMMC. However, there’s good reason to think it may be within the next couple of years, so being aware of the rules landscape ahead of time can help when the time comes.
Fortunately, we can help. The Ignyte Platform is made to be framework-agnostic, so it can be helpful for everything from FedRAMP to CMMC to FIPS and DFARS implementations and more. Reach out and book a demo, and you can see how it can be used to both help you comply with CMMC today and prepare you for the CMMC of tomorrow.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-rev-2-3/
Original Post URL: https://securityboulevard.com/2025/05/the-cmmc-rev-2-to-rev-3-memo-whats-changed/?utm_source=rss&utm_medium=rss&utm_campaign=the-cmmc-rev-2-to-rev-3-memo-whats-changed