NIST issued Special Publication 800-171 Revision 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," as a final publication on May 14, 2024. Twelve days earlier, on May 2, 2024, the Department of Defense issued Class Deviation 2024-O0013, directing contracting officers to require compliance with Revision 2 in DFARS clauses 252.204-7012, 7019, 7020, and 7021. As of late 2025, the deviation remains in effect. The CMMC final rule (32 CFR Part 170) explicitly maps to Rev. 2. The April 2025 publication of Organization-Defined Parameters (ODPs) for Rev. 3 hints at the transition path, but no DFARS amendment to incorporate Rev. 3 has been published or proposed. The result is a regulatory state where the latest control catalog is sitting on the shelf while contractors continue to invest against the older one.
What changed between Revision 2 and Revision 3?
Three structural changes and a long list of substantive ones. Structurally, Rev. 3 reorganizes the control families (from 14 to 17), introduces Organization-Defined Parameters (ODPs) that let acquiring agencies tune specific values such as password lengths and reauthentication intervals, and removes the distinction between basic and derived security requirements. Substantively, Rev. 3 strengthens supply chain risk management (new family SR), adds Planning (PL), expands System and Services Acquisition (SA), and rewrites Identification and Authentication (IA) to align with the NIST SP 800-63-3 digital identity guidelines. The total count moves from 110 to 145 controls, with a substantially expanded set of assessment objectives.
Why did DoD freeze DFARS at Revision 2?
The Class Deviation memorandum explicitly cites three reasons. First, alignment with the CMMC program rule (32 CFR Part 170), which was finalized referencing Rev. 2's 110 controls; changing that mapping would have required reopening the CMMC rule. Second, assessor readiness: the Defense Contract Management Agency's DIBCAC and the accredited C3PAOs had built their training and assessment objective tables against Rev. 2. Third, the supporting ODP frameworks were not ready: Rev. 3 requires acquiring agencies to define dozens of parameters, and without DoD-published values, contractors and assessors would face inconsistent interpretation. The deviation memorandum committed to lifting the freeze "once supporting CMMC frameworks have been updated."
What did the April 2025 ODP publication change?
On April 17, 2025, DoD published draft Organization-Defined Parameters for SP 800-171 Rev. 3, providing parameter values across the 17 control families. Notable ODPs include 14-character minimum passwords (AC-7), 90-day session reauthentication for non-privileged users and 30 days for privileged users (AC-12), 60-day patch installation for high-severity vulnerabilities and 30 days for critical (SI-2), and three-year retention of audit records (AU-11). The publication did not amend DFARS or rescind the class deviation; it provides contractors a forward-looking view of what Rev. 3 compliance will require when transition eventually occurs.
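As an added illustration (not code from the page or from any product it mentions), the check below compares a constructed configuration snapshot against the ODP values quoted above, treating each value as a floor or a ceiling as appropriate; the control IDs and limits are those the text cites, and the key=value config format is an assumption made for the demo.

```python
# Added example: check a config snapshot against the draft Rev. 3 ODPs quoted
# in the text (control IDs and limits from the page; config format constructed).
# parameter -> (control, limit, direction); "min": value >= limit, "max": value <= limit
ODP_TABLE = {
    "password_min_length":       ("AC-7",  14, "min"),  # characters
    "reauth_days_nonprivileged": ("AC-12", 90, "max"),  # days
    "reauth_days_privileged":    ("AC-12", 30, "max"),  # days
    "patch_days_high":           ("SI-2",  60, "max"),  # days
    "patch_days_critical":       ("SI-2",  30, "max"),  # days
    "audit_retention_years":     ("AU-11",  3, "min"),  # years
}

def parse_config(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = int(value.strip())
    return cfg

def check_odps(cfg, table=ODP_TABLE):
    """Return (parameter, control, configured, required) for every gap; a
    parameter missing from the config is reported with configured=None."""
    findings = []
    for param, (control, limit, direction) in table.items():
        value = cfg.get(param)
        if value is None:
            findings.append((param, control, None, f"{direction} {limit}"))
        elif direction == "min" and value < limit:
            findings.append((param, control, value, f">= {limit}"))
        elif direction == "max" and value > limit:
            findings.append((param, control, value, f"<= {limit}"))
    return findings

# Constructed snapshot of a system still carrying Rev. 2-era settings.
SAMPLE_CONFIG = """
password_min_length = 12       # short of the 14-character ODP
reauth_days_nonprivileged = 90
reauth_days_privileged = 45    # exceeds the 30-day privileged ODP
patch_days_high = 60
patch_days_critical = 30
# audit_retention_years is deliberately absent
"""

if __name__ == "__main__":
    for f in check_odps(parse_config(SAMPLE_CONFIG)):
        print("ODP gap: %s (%s) configured=%s, required %s" % f)
```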
NIST 800-171 Rev. 2 to Rev. 3 family mapping (selected)
+-----------------------------+------+---------------------------+
| Rev. 2 Family               | Code | Rev. 3 Successor          |
+-----------------------------+------+---------------------------+
| Access Control              | AC   | Access Control (expanded) |
| Awareness and Training      | AT   | Awareness and Training    |
| Audit and Accountability    | AU   | Audit and Accountability  |
| (new)                       | PL   | Planning (new family)     |
| (was in SC)                 | SR   | Supply Chain Risk Mgmt    |
| Identification and Auth     | IA   | I&A (aligned to 800-63-3) |
+-----------------------------+------+---------------------------+
Total controls: 110 (Rev. 2) -> 145 (Rev. 3)
How should contractors approach the dual-track status?
Two operational approaches are working in practice. The first is "Rev. 2 floor, Rev. 3 ceiling": build the System Security Plan against Rev. 2's 110 controls (because that is what an assessor will score), and document Rev. 3 control implementations in a parallel Plan of Action that targets the eventual transition. The second is "Rev. 3 native, Rev. 2 crosswalk": implement Rev. 3 controls directly using the April 2025 ODPs and produce a Rev. 2 mapping document for assessments. The first approach carries a lower implementation cost today; the second produces less rework when the DFARS amendment finally lands. Either way, the SP 800-171 Rev. 3 Plan of Action and Milestones (POA&M) template published by NIST in October 2024 is becoming the de facto interchange format.
What about CMMC Level 3?
CMMC Level 3 sits in a different regulatory regime. It derives from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information), not 800-171. SP 800-172 was updated to Rev. 1 in May 2024 alongside 800-171 Rev. 3, but DoD has not issued a parallel class deviation for Level 3 because the CMMC program rule explicitly maps to specific 800-172 enhanced requirements rather than the entire publication. Level 3 contractors handling the most sensitive CUI should plan against the 24 enhanced controls codified in 32 CFR 170.14(c)(3), with DIBCAC as the assessor rather than C3PAO.
What happens to the deviation in 2026?
Three scenarios are credible. First, the DoD lifts the class deviation in mid-2026 once the CMMC rollout reaches Phase 2 and the C3PAO assessor population can absorb the Rev. 3 transition. Second, the deviation is extended into 2027 because Rev. 3 ODPs and assessment objectives prove too contentious to finalize during the rollout window. Third, the DoD bypasses the deviation by amending DFARS 252.204-7012 directly with Rev. 3-aligned language and a longer transition runway. The April 2025 ODP draft was the strongest signal that scenario one or three is the active plan; an extension memorandum would be the indicator of scenario two. As of late 2025, no extension or rescission has been announced.
What is the practical timeline for Rev. 3 readiness?
A reasonable contractor working today would target 18 months of preparation. Months 1-3: gap analysis between current SSP and Rev. 3 control catalog using the April 2025 ODP table. Months 4-9: remediation of identified gaps, focused on the new SR family (supply chain risk management) and the expanded I&A controls. Months 10-12: tooling implementation, particularly for the AU-11 three-year audit retention requirement and the SR-3 control for managing the supply chain. Months 13-18: internal assessment using the SP 800-171A Rev. 3 assessment objectives, validation by a third party if practical, and refresh of the System Security Plan to the Rev. 3 structure. Contractors who start in early 2026 will be well-positioned for whatever DFARS amendment lands in the second half of the year.
How Safeguard Helps
Safeguard maintains parallel evidence maps for NIST SP 800-171 Rev. 2 and Rev. 3, with automatic crosswalk between the two so a single set of underlying controls produces both a Rev. 2 SSP for current DFARS compliance and a Rev. 3 Plan of Action for transition readiness. Griffin AI ingests the April 2025 ODP table and validates that organization-defined values in configurations match the parameter table. The platform's SBOM-driven scanning continuously feeds the new SR family controls with supply chain visibility — components, provenance, license posture, and vulnerability state for every artifact entering CUI environments. For contractors managing flow-down to subcontractors, TPRM scoring tracks subcontractor 800-171 attestation freshness in SPRS and flags drift before a contracting officer's review.