NIST SP 800-171 Rev 3
Accuracy commitment
Every regulatory reference on this page links to the official source document. If you find an error, email [email protected].
What changed in Rev 3
NIST SP 800-171 Rev 3 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) was published in May 2024. It replaces the 110 requirements of Rev 2 with 98 active requirements — a restructuring, not a relaxation.
- Published: May 2024
- Active requirements: 98 (down from 110 in Rev 2)
- ODPs (Organization-Defined Parameters): 88 parameters that organizations must define with specific values
- CMMC alignment: CMMC Level 2 is currently anchored to Rev 2; DoD has not yet published a CMMC rulemaking mandating Rev 3
The reduction from 110 to 98 requirements reflects consolidation, not removal of security obligations. Several Rev 2 requirements were merged, reorganized across families, or elevated into ODPs that allow organizations to define implementation parameters.
Organization-Defined Parameters (ODPs)
The most significant structural change in Rev 3 is the introduction of ODPs. Rev 3 contains 88 ODPs — specific values that each organization must define to make requirements concrete and measurable.
Examples of DoD-defined ODP values (from the DoD ODP Annex):
| ODP | Rev 3 Requirement | DoD-Defined Value |
|---|---|---|
| Audit log retention | AU-11 | 3 years for active programs |
| Penetration testing frequency | CA-8 | Annually minimum |
| Vulnerability scan frequency | RA-5 | Weekly for internet-facing systems |
| Session timeout | AC-11 | 15 minutes of inactivity |
| Privileged account review | AC-2 | Quarterly |
| Backup frequency | CP-9 | Daily for CUI |
Organizations can use DoD-defined values or define their own — but they must document their choices, and assessors will evaluate compliance against the defined values.
REAEGIS stores ODP definitions per program in the ODP editor, generating the 88 ODP values as part of the SSP and assessment records.
Key structural changes from Rev 2
Requirements reorganized
| Rev 2 Family | Rev 3 Changes |
|---|---|
| AC (22 req) | Reduced to 20; AC-3 and AC-6 consolidated |
| AT (3 req) | Reduced to 2; AT-2 and AT-3 merged |
| AU (9 req) | Reduced to 8; AU-6 and AU-7 consolidated |
| CA (4 req) | Unchanged at 4; renamed to Assessment, Authorization, and Monitoring |
| CM (9 req) | Reduced to 8; CM-4 and CM-6 work product consolidated |
| IA (11 req) | Unchanged at 11; expanded MFA requirements |
| IR (3 req) | Unchanged at 3 |
| MA (6 req) | Unchanged at 6 |
| MP (9 req) | Unchanged at 9 |
| PE (6 req) | Unchanged at 6 |
| PS (2 req) | Unchanged at 2 |
| RA (3 req) | Expanded to 5; RA-3 risk response and RA-7 risk response added |
| SA | New family — System and Services Acquisition (4 req) |
| SC (16 req) | Reduced to 14; SC-19 and SC-20 consolidated |
| SI (7 req) | Unchanged at 7 |
| Total | 98 |
New SA family
Rev 3 introduces a System and Services Acquisition (SA) family that did not exist in Rev 2. SA requirements address:
- Developer security testing (SA-11)
- Supply chain risk management (SA-12)
- Developer-provided security documentation (SA-15)
- Unsupported system components (SA-22)
These requirements reflect the DoD's increased focus on software supply chain security — aligning with SLSA provenance requirements and the SBOM mandate.
Elevated supply chain requirements
Rev 3 significantly strengthens supply chain risk management. The SR family now includes:
- SR-3: Supply chain controls and plans (now mandatory, was informational in Rev 2)
- SR-4: Provenance — organizations must track software provenance for CUI systems
- SR-11: Component authenticity — requires verification of software component integrity
RAMPART's SBOM_ATTESTATION and SLSA_PROVENANCE gates directly address these Rev 3 SR requirements.
DoD transition timeline
As of June 2026, CMMC Level 2 remains anchored to NIST SP 800-171 Rev 2. The DoD has not published a final rule updating CMMC to require Rev 3. The expected timeline:
- DoD publishes CMMC Rev 3 NPRM (expected 2026–2027)
- Public comment period (60–90 days)
- Final rule publication (12–24 months after NPRM)
- Phase-in period before Rev 3 becomes required
Contractor action now: Organizations should complete Rev 2 compliance (required) and begin a gap analysis against Rev 3 (preparation). Do not delay Rev 2 compliance while waiting for Rev 3 requirements.
Rev 2 compliance is required now. Rev 3 readiness is prudent planning. REAEGIS tracks both simultaneously — your Rev 2 SPRS score and your Rev 3 readiness score are maintained independently.
Delta analysis: Rev 2 to Rev 3
The REAEGIS delta engine computes the gap between your current Rev 2 implementation and Rev 3 requirements. Key gaps for most organizations:
Net-new requirements in Rev 3 (no Rev 2 equivalent):
- SA-11 (Developer security testing)
- SA-12 (Supply chain risk management plan)
- RA-3 (Risk response)
- RA-7 (Risk response updates)
Requirements with expanded scope:
- IA-5 (Authenticator management) — Rev 3 adds passwordless authenticator requirements
- SC-8 (Transmission confidentiality) — Rev 3 specifies quantum-resistant algorithm readiness
- CM-7 (Least functionality) — Rev 3 adds AI model and AI tool restrictions
Requirements consolidated (count reduction, not less work):
- AU-6/AU-7 merged — organizations still need both logging review and log reduction; single requirement, same workload
- AC-3/AC-6 partially merged — access control enforcement and least privilege combined in some contexts
ODP management in REAEGIS
The 88 ODPs in Rev 3 require organizational decisions that must be documented. REAEGIS provides:
ODP Editor: For each of the 88 ODPs, the editor presents:
- The requirement text with the ODP placeholder
- The DoD-recommended value (for DoD-aligned programs)
- A field to enter the organization's defined value
- The resulting requirement text with the value substituted
ODP inheritance: For organizations running multiple programs, ODP values defined at the organization level propagate to all programs by default, with program-level overrides allowed.
ODP evidence linking: Each ODP value must be backed by evidence that the defined value is actually implemented. REAEGIS links ODP values to scanner output — for example, linking the session timeout ODP to configuration management evidence.
SPRS and Rev 3
NIST SP 800-171 Rev 3 does not currently have an official DoD Assessment Methodology with point weights. The current SPRS scoring methodology is Rev 2-specific.
When DoD publishes a Rev 3 assessment methodology, REAEGIS will update the SPRS calculator to support both versions simultaneously.
How REAEGIS Supports NIST 800-171 Rev 3
| Capability | Description |
|---|---|
| 98 active requirement catalog | Full Rev 3 catalog with implementation status and evidence per requirement |
| ODP editor | All 88 ODPs with DoD-defined defaults; program-level overrides |
| Delta engine | Automated gap analysis between your Rev 2 implementation and Rev 3 requirements |
| Rev 3 readiness score | Percentage of Rev 3 requirements currently met; gap-to-compliant count |
| SA family tracking | New supply chain and acquisition requirements from the SA family |
| RAMPART mapping | RAMPART gates mapped to Rev 3 requirement IDs |
| Readiness PDF | Exportable readiness report for C3PAO or AO review |
| Side-by-side crosswalk | Rev 2 ↔ Rev 3 crosswalk with delta highlighting |
Related guides
- NIST 800-171 Rev 2 — Current required standard for CUI protection
- CMMC Guide — CMMC Level 2 requirements (currently Rev 2-based)
- RAMPART Engine — How RAMPART gates map to both Rev 2 and Rev 3