The CMMC program is built on NIST SP 800-171 Revision 2, which defines the 110 security requirements for Level 2 certification. NIST published the final version of Revision 3 in May 2024, creating a gap between the current CMMC baseline and the latest NIST standard. The DoD has acknowledged that a transition from Rev 2 to Rev 3 will happen, but the timeline and mechanics remain under development.
What Rev 3 Changes
Revision 3 is a significant update. The control structure was reorganized to align more closely with NIST SP 800-53 Rev 5. The total number of requirements changed, with some Rev 2 requirements consolidated, others split, and new requirements added. Key additions include enhanced supply chain risk management controls, more specific planning and governance requirements, and updated system and information integrity controls.
The requirement numbering system changed entirely, which means every reference in your SSP, POA&M, evidence mapping, and compliance tools will need to be updated when the transition occurs.
Current DoD Position
The DoD has been clear: CMMC Level 2 assessments use NIST SP 800-171 Rev 2 as the baseline. This is codified in the CMMC final rule (32 CFR Part 170). Any transition to Rev 3 will require a rulemaking process — the DoD cannot simply switch baselines without a regulatory update. This means the transition will be announced well in advance and will include an implementation period.
Current estimates suggest the transition could begin in 2026 or 2027, but no official timeline has been published. The DoD is likely waiting for the CMMC assessment ecosystem to stabilize under Rev 2 before introducing the complexity of a baseline change.
How to Prepare Without Overcomplicating
Do not skip Rev 2. Your immediate obligation is NIST 800-171 Rev 2 compliance. Do not try to implement Rev 3 requirements now — you will confuse your assessment and may miss Rev 2 requirements that were restructured in Rev 3.
Build for adaptability. Design your compliance program to handle change. Use tools and processes that can remap evidence and documentation to new control sets. If your SSP is a monolithic Word document, consider migrating to a structured compliance platform that can accommodate control framework updates.
Conduct a preliminary gap analysis. Once your Rev 2 compliance is solid, review the Rev 3 requirements to identify net-new controls that your current program does not address. Start planning for these additions so you are not surprised when the transition happens. Common new areas include supply chain risk management planning and enhanced system integrity monitoring.
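The "build for adaptability" and "preliminary gap analysis" points above come down to one mechanical task: keep the SSP evidence map in a structured form, drive the Rev 2 to Rev 3 move from a crosswalk, and let the crosswalk tell you which controls were renamed, consolidated, split, withdrawn or are net-new. The script below is an added illustration written for this page, not a CMMCDocs tool or anything published by NIST or the DoD. The control identifiers (`r2-A`, `r3-1`, and so on), the artefact file names and the crosswalk itself are constructed placeholders, not real NIST SP 800-171 requirement numbers or an official mapping.

```python
from typing import Dict, List, Set

# Constructed sample data. "r2-*" and "r3-*" stand in for old and new requirement
# IDs; they are placeholders, not the actual NIST SP 800-171 numbering.

# Evidence map as it would sit in a structured SSP: old control ID -> artefacts.
REV2_EVIDENCE: Dict[str, List[str]] = {
    "r2-A": ["access-control-policy.pdf", "ad-group-export.csv"],
    "r2-B": ["access-control-policy.pdf"],
    "r2-C": ["mfa-settings-screenshot.png"],
    "r2-D": ["legacy-media-marking-procedure.docx"],
}

# Crosswalk: old control ID -> successor IDs in the new baseline.
# One target = rename, several targets = split, two old IDs sharing a target =
# consolidation, empty list = requirement withdrawn with no successor.
CROSSWALK: Dict[str, List[str]] = {
    "r2-A": ["r3-1"],
    "r2-B": ["r3-1"],
    "r2-C": ["r3-2", "r3-3"],
    "r2-D": [],
}

# Every requirement ID in the new baseline; r3-4 has no predecessor (net-new).
REV3_BASELINE: Set[str] = {"r3-1", "r3-2", "r3-3", "r3-4"}


def validate_crosswalk(crosswalk: Dict[str, List[str]], new_baseline: Set[str]) -> None:
    """Reject a crosswalk that points at successor IDs missing from the new baseline."""
    dangling = sorted(
        f"{old}->{new}"
        for old, targets in crosswalk.items()
        for new in targets
        if new not in new_baseline
    )
    if dangling:
        raise ValueError(f"crosswalk targets not in new baseline: {dangling}")


def remap_evidence(old_evidence: Dict[str, List[str]],
                   crosswalk: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Carry each artefact to every successor control, de-duplicating on consolidation."""
    remapped: Dict[str, List[str]] = {}
    for old_id, artefacts in old_evidence.items():
        for new_id in crosswalk.get(old_id, []):
            bucket = remapped.setdefault(new_id, [])
            for artefact in artefacts:
                if artefact not in bucket:
                    bucket.append(artefact)
    return {new_id: sorted(items) for new_id, items in sorted(remapped.items())}


def gap_analysis(old_evidence: Dict[str, List[str]],
                 crosswalk: Dict[str, List[str]],
                 new_baseline: Set[str]) -> Dict[str, object]:
    """Classify every control so the transition work list is explicit, not guessed."""
    validate_crosswalk(crosswalk, new_baseline)
    # Which old controls feed each new one; used to spot consolidations and net-new.
    predecessors: Dict[str, List[str]] = {}
    for old_id, targets in crosswalk.items():
        for new_id in targets:
            predecessors.setdefault(new_id, []).append(old_id)
    return {
        # In the baseline with no predecessor: needs a fresh implementation, not remapping.
        "net_new": sorted(new_baseline - set(predecessors)),
        # Targets of a split: inherited evidence may cover only part of the new requirement.
        "split_review": sorted(n for targets in crosswalk.values() if len(targets) > 1
                               for n in targets),
        # Several old controls merged: evidence merged, check it is consistent.
        "consolidated": sorted(n for n, olds in predecessors.items() if len(olds) > 1),
        # Old control with no successor: its evidence can be retired.
        "withdrawn": sorted(o for o, targets in crosswalk.items() if not targets),
        # Old control absent from the crosswalk: the crosswalk itself is incomplete.
        "unmapped": sorted(set(old_evidence) - set(crosswalk)),
        "evidence": remap_evidence(old_evidence, crosswalk),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(gap_analysis(REV2_EVIDENCE, CROSSWALK, REV3_BASELINE), indent=2))
```

The point of the five buckets is that each one maps to a different kind of work: `net_new` is implementation, `split_review` and `consolidated` are re-validation of existing evidence, `withdrawn` is retirement, and a non-empty `unmapped` list means the crosswalk is not finished and the remap should not be trusted yet. The same structure works for any future baseline change, which is the adaptability the text recommends.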
Monitor DoD announcements. The transition timeline will be announced through official channels — Federal Register notices, DoD CIO communications, and Cyber AB updates. Do not rely on industry rumors or consultant speculation for transition planning.
The Bottom Line
Focus on Rev 2 today. Be aware of Rev 3. Build a program that can adapt. The contractors who build robust, well-documented compliance programs against Rev 2 will transition to Rev 3 with a manageable gap analysis and targeted updates. Those who built paper-only compliance will face a second painful implementation cycle.
CMMCDocs.com