NIST 800-171 Rev 3 vs Rev 2: What Actually Changed and When You Have to Care
NIST SP 800-171 Rev 3 was finalized in May 2024 with restructured controls, organization-defined parameters, and three new families. Here's what changed, what stayed, and the DFARS mechanics that determine when your contracts switch from Rev 2 to Rev 3.
NIST published Special Publication 800-171 Revision 3 in May 2024. It is final. It is not yet binding on most DoD contracts: the DFARS rule that adopts Rev 3 was still in proposed-rule status as of this writing (May 2026), and contractors are still self-assessing against Rev 2 in SPRS. This article covers what changed, why, and the contract language that signals your shift from Rev 2 to Rev 3.
The headline changes
| Aspect | Rev 2 | Rev 3 |
|---|---|---|
| Control count | 110 | 97 |
| Control families | 14 | 17 |
| Parameter style | Fixed | Organization-Defined Parameters (ODPs) |
| Withdrawn controls | n/a | 36 (consolidated into other requirements or tailored out) |
| New controls | n/a | 23 |
| Tailoring | Appendix E tailoring criteria (NCO, FED, NFO) | Tailoring criteria kept, NFO category eliminated; ODPs carry organization- and agency-specific values |
| Companion assessment doc | 800-171A Rev 2 | 800-171A Rev 3 |
Rev 3 has 13 fewer controls but is meaningfully harder to assess, because the ODP system requires you to document your own parameter values (password rules, log retention period, training cadence, lockout thresholds, and so on) for roughly 40 controls instead of inheriting a fixed value from the spec.
The new families
Rev 3 reorganizes the families and adds three:
- Planning (PL) — net-new family. Picks up the System Security Plan requirement (Rev 2's 3.12.4, now 03.15.02) and adds explicit requirements for security policies and procedures and for rules of behavior.
- System and Services Acquisition (SA) — net-new family. Security engineering principles, replacement or isolation of unsupported system components, and security requirements for external system services.
- Supply Chain Risk Management (SR) — net-new family. A supply chain risk management plan, acquisition strategies and tools that reduce supply chain risk, and processes for identifying and addressing supply chain weaknesses.
The other 14 families map roughly 1:1 with Rev 2. Control identifiers are renumbered and zero-padded (Rev 2's 3.1.1 becomes 03.01.01), and some controls were combined or split.
Why ODPs matter (and why they're harder)
In Rev 2, 3.5.7 says to enforce a minimum password complexity and change of characters when new passwords are created. In Rev 3, the equivalent requirement, 03.05.07 (Password Management), says to enforce [Assignment: organization-defined composition and complexity rules], and you must document what those rules are.
This is more flexible but more documentation-intensive. Every ODP value must be recorded in your System Security Plan. An assessor will ask "what are your defined values?" and you need a defensible answer that ties back to NIST SP 800-63B, a CIS Benchmark, a contract requirement, or another authoritative source.
Examples of ODPs:
- Password composition rules, including minimum length (NIST SP 800-63B requires at least 8 characters and recommends against character-class composition rules, so cite it carefully; many contractors set 12 or more and cite the contract or a CIS Benchmark)
- Account lockout threshold and duration
- Audit log retention period (typical: 1 year; contracts may demand longer)
- Security training frequency (typical: annual)
- Vulnerability scan frequency (typical: monthly; whatever cadence you pick, you need scan reports that show you held to it)
- Patch deployment timeline (typical: critical within 30 days)
The trap is leaving ODPs blank or copying another organization's values without thinking. An assessor reads "we follow industry best practices" as "they have nothing documented." Pick a value, cite the source, write it in the SSP, and make sure the configured systems actually match it.
What got removed
36 controls from Rev 2 were withdrawn in Rev 3. Most were consolidated into other requirements rather than dropped: the text survives as a lettered sub-item of a broader Rev 3 requirement, so your implementation evidence still applies, it just attaches to a different identifier. A smaller set was tailored out under Rev 3's tailoring criteria (for example, requirements not directly related to protecting the confidentiality of CUI, or uniquely federal requirements). Note the direction of travel on Rev 2's NFO category (controls NIST assumed any nonfederal organization already had in place, so they were left unstated): Rev 3 eliminates that category, and some former NFO items, such as security policies and procedures (now 03.15.01), came back in as explicit requirements.
Examples of withdrawn controls and where they went:
- 3.1.13 (cryptographic protection of remote access sessions) — folded into 03.13.08, Transmission and Storage Confidentiality
- 3.5.8, 3.5.9, 3.5.10 (password reuse, temporary passwords, cryptographically protected passwords) — folded into 03.05.07, Password Management
- 3.10.3, 3.10.4, 3.10.5 (escort visitors, physical access logs, physical access devices) — consolidated into 03.10.07, Physical Access Control
- 3.13.7 (prevent split tunneling) — withdrawn as a standalone requirement; remote access configuration requirements now live in 03.01.12, Remote Access
The withdrawn controls are listed in the change analysis appendix of Rev 3 and in NIST's companion Rev 2 to Rev 3 change-analysis spreadsheet, each with a cross-reference to where the content went. If you're maintaining a Rev 2 SSP and migrating, that table is your map.
What got added
23 new controls. The biggest themes:
- Supply chain risk — the new SR family asks for a supply chain risk management plan, acquisition strategies and tools that reduce supply chain risk, and a process for identifying and addressing weaknesses in the supply chain for the system and its components.
- Personnel termination and transfer — 03.09.02 is more granular than Rev 2's 3.9.2, with an ODP for how quickly access is disabled after termination.
- Continuous monitoring — 03.12.03 asks for a developed and implemented continuous monitoring strategy, where Rev 2's 3.12.3 just said to monitor controls on an ongoing basis.
- System security planning — the PL family moves the SSP requirement to 03.15.02 and adds security policies and procedures (03.15.01) and rules of behavior (03.15.03) as explicit requirements.
The supply chain controls are the most operationally disruptive. If you're a 20-person shop buying laptops from Best Buy and routers from Amazon, you're going to need a written SCRM plan and a defensible account of where the components of systems that touch CUI come from. The pragmatic interpretation: standardize on a small set of established OEMs bought from the manufacturer or an authorized reseller, record that decision and its rationale once, and apply it consistently. Country-of-origin restrictions on equipment come from other contract terms (for example the Section 889 prohibition in FAR 52.204-25), not from Rev 3 itself; keep them in the same plan, but don't attribute them to NIST.
When you have to switch
The DFARS rule that adopts Rev 3 is the gating event. When Rev 3 was published, DoD issued a class deviation pinning DFARS 252.204-7012 to Rev 2 (the clause otherwise points at the version of SP 800-171 in effect when the solicitation is issued), so Rev 3's publication changed nothing by itself. As of this writing (May 2026), DoD has issued a proposed rule but not a final rule, and contractors continue to self-assess against Rev 2 in SPRS.
Watch for these signals:
Final DFARS rule publication — when DoD publishes the final rule in the Federal Register, the clock starts. Expect a phase-in period (12–24 months typical for cybersecurity rule changes).
Contract clause language — DFARS 252.204-7012 points at the version of SP 800-171 in effect at solicitation (or as authorized by the contracting officer), so the switch shows up as DoD rescinding or revising the class deviation that pins Rev 2 and as solicitations that name Rev 3 explicitly. Existing contracts awarded under Rev 2 stay on Rev 2 unless modified.
Specific contract modifications — your contracting officer may modify an existing contract to require Rev 3 compliance. This usually comes with a transition timeline.
CMMC integration — CMMC 2.0 currently references Rev 2. When DoD updates the CMMC 32 CFR Part 170 rule to reference Rev 3, that's the de facto trigger.
The honest read: most existing CUI contracts will run their course on Rev 2. New contracts in late 2026 and 2027 are likely to switch. If you're preparing your SSP today, build it Rev 2-compliant and design the documentation structure so the controls map cleanly to Rev 3 when the time comes.
Mapping a Rev 2 SSP to Rev 3
You don't have to start over. NIST's change analysis (the appendix in Rev 3 and the companion spreadsheet) shows where every Rev 2 control went. Practical mapping pattern:
- Keep your Rev 2 SSP structure. Add a column for "Rev 3 mapping" next to each control.
- Identify withdrawn controls. 36 controls go away. Note the consolidation target.
- Identify split controls. Some Rev 2 controls became multiple Rev 3 controls (Rev 2's 3.4.1, baseline configurations and inventories, is now 03.04.01 and 03.04.10). Your existing implementation evidence usually covers all of them, but each Rev 3 identifier needs its own entry.
- Identify new controls. 23 new controls need new implementation work or new documentation. Most of them are things you should already be doing — they just weren't in the spec before.
- Add ODP values. For every Rev 3 control with an organization-defined parameter, document your value and the rationale.
Plan 60–80 hours for the mapping work for a 20-person contractor with a clean Rev 2 SSP. Less if you've kept up with the POA&M; more if your SSP has been static for two years.
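The mapping steps above and the ODP hand-wave trap from the ODP section both reduce to bookkeeping you can script once your SSP is in a structured form. The following is an added example, not NIST's change analysis and not FieldLedger code: it buckets a Rev 2 control list into carried, withdrawn, split, unmapped and new, then checks that each Rev 3 ODP has a concrete value and a cited source. The mapping table, the new-control list and the ODP catalog are constructed subsets (a handful of entries used for illustration; load NIST's full change analysis in their place), and the SSP rows and the deliberately bogus id 3.13.99 are constructed sample data.

```python
"""Rev 2 -> Rev 3 SSP migration worklist and ODP completeness check.

Added example for this article, not NIST or FieldLedger code. MAPPING,
NEW_IN_REV3 and ODP_CATALOG are constructed subsets of NIST's Rev 2 to Rev 3
change analysis; SAMPLE_SSP_CONTROLS and SAMPLE_ODPS are constructed data.
"""
from __future__ import annotations

import re

# Rev 2 id -> (status, Rev 3 target ids). Constructed subset of the change analysis.
MAPPING: dict[str, tuple[str, tuple[str, ...]]] = {
    "3.1.1":  ("carried",   ("03.01.01",)),             # renumbered only
    "3.1.13": ("withdrawn", ("03.13.08",)),             # into Transmission and Storage Confidentiality
    "3.4.1":  ("split",     ("03.04.01", "03.04.10")),  # Baseline Configuration + System Component Inventory
    "3.5.7":  ("carried",   ("03.05.07",)),             # Password Management, now with an ODP
    "3.5.8":  ("withdrawn", ("03.05.07",)),             # password reuse, folded into 03.05.07
    "3.10.3": ("withdrawn", ("03.10.07",)),             # visitor escort, into Physical Access Control
    "3.10.4": ("withdrawn", ("03.10.07",)),             # physical access logs, same target
    "3.12.4": ("carried",   ("03.15.02",)),             # SSP requirement relocated to the PL family
}

# Rev 3 requirements with no Rev 2 predecessor. Constructed subset.
NEW_IN_REV3: dict[str, str] = {
    "03.15.01": "Policy and Procedures",
    "03.15.03": "Rules of Behavior",
    "03.16.02": "Unsupported System Components",
    "03.17.01": "Supply Chain Risk Management Plan",
}

# Rev 3 id -> ODP names the SSP must give values for. Constructed subset.
ODP_CATALOG: dict[str, tuple[str, ...]] = {
    "03.01.08": ("max unsuccessful logon attempts", "lockout time period"),
    "03.05.07": ("password composition and complexity rules",),
    "03.09.02": ("time period to disable access after termination",),
    "03.11.02": ("vulnerability scan frequency",),
}

# Phrases an assessor reads as "nothing documented".
HAND_WAVE = re.compile(
    r"\b(?:industry|best)\s+practices?\b|\bas\s+appropriate\b|\bperiodically\b|\bregularly\b",
    re.IGNORECASE,
)


def classify(rev2_id: str) -> tuple[str, tuple[str, ...]]:
    """Return (status, rev3_targets) for a Rev 2 id; ids absent from the table are 'unmapped'."""
    return MAPPING.get(rev2_id, ("unmapped", ()))


def build_worklist(ssp_rev2_ids: list[str]) -> dict[str, list[str]]:
    """Bucket an SSP's Rev 2 ids by migration action and append the net-new Rev 3 controls."""
    buckets: dict[str, list[str]] = {k: [] for k in ("carried", "withdrawn", "split", "unmapped", "new")}
    for rid in ssp_rev2_ids:
        status, targets = classify(rid)
        buckets[status].append(f"{rid} -> {', '.join(targets)}" if targets else rid)
    buckets["new"] = [f"{rid} ({title})" for rid, title in sorted(NEW_IN_REV3.items())]
    return buckets


def check_odps(rev3_id: str, documented: dict[str, dict[str, str]]) -> list[str]:
    """Flag ODPs of one Rev 3 requirement that are missing, blank, hand-waved or unsourced.

    `documented` maps ODP name -> {"value": ..., "source": ...} as recorded in the SSP.
    """
    findings: list[str] = []
    for name in ODP_CATALOG.get(rev3_id, ()):
        entry = documented.get(name)
        if entry is None:
            findings.append(f"{rev3_id}: ODP '{name}' not in SSP")
            continue
        value = entry.get("value", "").strip()
        if not value:
            findings.append(f"{rev3_id}: ODP '{name}' is blank")
        elif HAND_WAVE.search(value):
            findings.append(f"{rev3_id}: ODP '{name}' is a hand-wave: {value!r}")
        if not entry.get("source", "").strip():
            findings.append(f"{rev3_id}: ODP '{name}' has no cited source")
    return findings


# Constructed sample SSP: Rev 2 control ids (3.13.99 is deliberately bogus) and drafted ODP values.
SAMPLE_SSP_CONTROLS = ["3.1.1", "3.1.13", "3.4.1", "3.5.7", "3.5.8", "3.10.3", "3.10.4", "3.12.4", "3.13.99"]
SAMPLE_ODPS: dict[str, dict[str, dict[str, str]]] = {
    "03.01.08": {
        "max unsuccessful logon attempts": {"value": "5 within 15 minutes", "source": "SSP 4.2; CIS Benchmark"},
        "lockout time period": {"value": "", "source": ""},
    },
    "03.05.07": {
        "password composition and complexity rules": {"value": "industry best practices", "source": ""},
    },
    "03.11.02": {
        "vulnerability scan frequency": {"value": "monthly authenticated scans of every CUI host", "source": "SSP 6.1"},
    },
}

if __name__ == "__main__":
    for bucket, items in build_worklist(SAMPLE_SSP_CONTROLS).items():
        print(f"{bucket:10s} {items}")
    for rev3_id, documented in SAMPLE_ODPS.items():
        for finding in check_odps(rev3_id, documented):
            print(finding)
```

The unmapped bucket is the list you take to the change analysis by hand; each ODP finding is a sentence the assessor would otherwise write for you. The hand-wave regex is intentionally crude: its job is to catch the phrases that show up in SSPs that were written to sound compliant rather than to state a value.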
What this means for FieldLedger users
The DCAA-compliant audit trail in your accounting and timekeeping system satisfies the same requirements under Rev 3 that it satisfied under Rev 2. Family 3.3 (Audit and Accountability) is now AU with identifiers 03.03.xx, and the substantive requirements are unchanged: log every transaction with user attribution, retain the records for the contract retention period, and protect them from tampering. What is new is that the event types logged and the review frequency are ODPs you must state in the SSP.
If you're already on Rev 2 with FieldLedger satisfying the audit-trail half of family 3.3, the Rev 3 transition for that subsystem is documentation-only: update the control identifiers, record your ODP values for log retention and review cadence, and the implementation stays the same.
Common questions
Do I need to upgrade to Rev 3 today? No. Self-assess against Rev 2 in SPRS until the DFARS rule changes or your contract specifies Rev 3.
Will my Rev 2 SPRS score transfer to Rev 3? No. The score comes from the NIST SP 800-171 DoD Assessment Methodology, which is written against Rev 2's 110 controls and their point values, and there is no Rev 3 scoring methodology yet. Plan to re-score when one is published.
Can I voluntarily self-assess against Rev 3 to get ahead? You can, but SPRS records scores produced under the Rev 2 assessment methodology. Voluntary Rev 3 work goes in your internal documentation, not in SPRS.
Is the ODP work really worth it? Yes. ODPs let you tailor controls to your environment instead of pretending a one-size-fits-all spec applies to a 20-person shop the same way it applies to a 5,000-person prime. Done well, ODPs make your SSP defensible and auditable. Done poorly, they're a hand-wave.
Will CMMC certification carry over? CMMC 2.0 currently references Rev 2. When CMMC updates to reference Rev 3, expect a transition period. Existing CMMC certifications will likely remain valid through their initial 3-year window.
What to do this quarter
If you have a Rev 2 SPRS score posted and a current SSP/POA&M:
- Read the change analysis appendix of NIST SP 800-171 Rev 3, together with the companion change-analysis spreadsheet NIST publishes with it; that is the Rev 2 to Rev 3 mapping table.
- Add a Rev 3 mapping column to your SSP.
- List the 23 new controls and assess your gap on each.
- Identify your ODP values for the controls that need them — write them down even if Rev 3 isn't binding yet.
If you don't have a Rev 2 SPRS score yet, build to Rev 2 first. Don't try to skip directly to Rev 3 — the DoD assessment methodology and SPRS infrastructure are still Rev 2 today, and you'll waste time building something the system can't accept.