Centrend

CMMC Level 2 vs NIST 800-171 Rev 3: Contractor Essentials


If you work on CMMC Level 2, you keep hearing two messages at once:

  • “CMMC Level 2 is built on NIST 800-171.”
  • “NIST 800-171 Rev 3 is out now.”

At the same time, the CMMC final rule is in place and showing up in real solicitations with award and assessment requirements for Level 2.

No surprise that many defense contractors are asking a simple but urgent question:

“Are we supposed to follow NIST 800-171 Rev 2 or Rev 3 for CMMC Level 2 right now?”

If you guess wrong, you can end up with gaps in the version that assessors actually use, which can hurt both your SPRS score and your CMMC award eligibility.

This post gives you a clear answer and a practical way forward.

The confusion: two versions, one set of contracts

Here is the situation in plain language:

  • NIST SP 800-171 Rev 2 has been the long-time baseline for protecting CUI, with 110 requirements across 14 control families.
  • NIST SP 800-171 Rev 3 is now final. It trims the list to 97 requirements and reorganizes them to reduce overlap and sharpen focus.
  • CMMC Level 2 was designed to match the 110 requirements in Rev 2, and that is still how most guidance and mappings describe it.

Recent articles aimed at defense contractors spell it out:

  • “CMMC Level 2 assessments still benchmark against NIST 800-171 Rev 2, but Rev 3 is on the horizon.”
  • “As of mid-2025, CMMC still requires Rev 2 of NIST SP 800-171. You should get familiar with Rev 3 for future planning, but focus your implementation on Rev 2 for now.”

So right away you can see the split:

  • Rev 3 is the newer NIST standard.
  • Rev 2 is still the CMMC Level 2 assessment baseline.

That is the source of the headache.

What NIST 800-171 Rev 3 really changed

NIST did not scrap Rev 2. It cleaned it up.

Key points from NIST and expert explainers:

  • The number of requirements went from 110 to 97.
  • Some overlapping requirements were merged and reworded.
  • The focus on outcome-based, threat-driven protection of CUI is stronger.
  • The companion assessment guide, NIST SP 800-171A, now has more detailed determination statements so assessments dig deeper.

DoD has also published Organization Defined Parameters (ODPs) for Rev 3 controls. These give concrete values for things like log retention, lockout thresholds, and other “tunable” settings in the new version.

In other words, Rev 3 is the direction of travel for federal CUI protection, and DoD is already shaping how it will be used. But that still does not mean it is the CMMC Level 2 scoring baseline today.

What CMMC Level 2 really checks today

The CMMC final rule and most public mappings are still clear:

  • CMMC Level 2 maps to all 110 requirements in NIST SP 800-171 Rev 2.
  • Level 3 adds selected enhanced requirements from NIST SP 800-172 on top of that.

Current guidance for contractors and MSPs still says:

  • “Align with NIST SP 800-171 Rev 2 requirements as your CMMC baseline.”
  • “Assessors will benchmark against Rev 2 controls, not Rev 3, for CMMC Level 2 audits at this stage.”

So if a C3PAO comes in to do a Level 2 assessment on a CMMC-tagged contract:

  • They will expect you to show implementation and evidence for the Rev 2 control set.
  • Your SPRS score and CMMC status will be judged against those 110 requirements.

This is the part that defense contractors must follow right now for contract and award purposes.

What defense contractors must follow right now

Putting it together:

  1. For CMMC Level 2 today, your required baseline is NIST 800-171 Rev 2.
    • That is what Level 2 maps to.
    • That is what assessors are trained on.
  2. Ignoring Rev 2 and jumping to Rev 3 can backfire.
    • If you only implement Rev 3 language, you may miss specific Rev 2 requirements that still appear as separate items.
    • That can show up as “unmet” controls in a Level 2 assessment and hurt eligibility.
  3. Rev 3 still matters, but as a planning and alignment topic.
    • NIST and DoD are moving the CUI protection story in that direction, with updated requirements and ODPs.
    • It is the likely future anchor when CMMC updates its references in a later phase.

So the practical answer:

Right now, if you want to pass CMMC Level 2 and protect your DoD contract eligibility, you must be able to show a solid, evidence-backed implementation of NIST 800-171 Rev 2 across your in-scope systems.

Rev 3 is “next”, not “instead of” Rev 2.

How to use Rev 3 without breaking your CMMC audit

You do not have to choose Rev 2 or Rev 3. The smart move is to use both in a controlled way.

Step 1 – Lock in Rev 2 as your scored baseline

  • Keep the 110 Rev 2 requirements as the master checklist for CMMC Level 2.
  • Make sure each requirement has:
    • A clear implementation in your environment
    • Evidence (screenshots, logs, tickets, configs, diagrams)
    • Links to your SSP, procedures, and POA&Ms

This is the version that controls your SPRS score, DFARS 7012/7020/7021 posture, and CMMC assessment results today.

Step 2 – Build a simple Rev 3 “overlay” instead of a rewrite

For Rev 3:

  • Grab a trusted comparison or mapping where someone has lined up Rev 2 vs Rev 3.
  • For each Rev 3 requirement:
    • Note which Rev 2 requirements it came from (merged or updated).
    • Mark any new emphasis areas that are not obvious in your current controls.

Then add a short overlay column to your internal tracking:

  • “Rev 3 impact: none / clarify / add evidence / add small control change.”

This lets you prepare for the shift without throwing away the Rev 2 structure that CMMC Level 2 still uses.
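As an added example (not Centrend's tooling and not part of the original post), the overlay described in Steps 1 and 2 can be kept as data rather than a spreadsheet column: a Rev 2 master checklist with implementation status and evidence links, a Rev 3 to Rev 2 mapping, and a function that derives the "Rev 3 impact" value from those two. The requirement IDs and the mapping below are constructed placeholders, not real NIST requirement numbers; substitute NIST's published Rev 2 to Rev 3 analysis before relying on the output. The two report functions at the end show the trap the post warns about: Rev 2 items that no Rev 3 item points at still score today, and Rev 2 gaps block the assessment regardless of any Rev 3 work.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Impact(str, Enum):
    """Values for the 'Rev 3 impact' overlay column."""
    NONE = "none"
    CLARIFY = "clarify"
    ADD_EVIDENCE = "add evidence"
    SMALL_CHANGE = "add small control change"


@dataclass
class Rev2Item:
    """One row of the Rev 2 master checklist (the scored baseline)."""
    id: str
    implemented: bool
    evidence: list[str] = field(default_factory=list)  # SSP sections, tickets, configs


# Constructed Rev 2 checklist fragment. IDs are placeholders, not real
# NIST requirement numbers.
REV2: dict[str, Rev2Item] = {
    "R2-01": Rev2Item("R2-01", True, ["SSP 3.1", "screenshot-mfa.png"]),
    "R2-02": Rev2Item("R2-02", True, ["SSP 3.1"]),
    "R2-03": Rev2Item("R2-03", False),                 # open POA&M item
    "R2-04": Rev2Item("R2-04", True),                  # done, but no evidence filed
    "R2-05": Rev2Item("R2-05", True, ["ticket-4411"]),
    "R2-06": Rev2Item("R2-06", True, ["SSP 3.3", "siem-retention.cfg"]),
}

# Constructed Rev 3 -> Rev 2 mapping (placeholder IDs). A merged Rev 3 item
# lists every Rev 2 item it absorbed; new_emphasis marks wording that is not
# obviously covered by the existing Rev 2 control.
REV3: dict[str, dict] = {
    "R3-01": {"sources": ["R2-01", "R2-02"], "new_emphasis": False},  # merged
    "R3-02": {"sources": ["R2-03"], "new_emphasis": False},
    "R3-03": {"sources": ["R2-04"], "new_emphasis": True},
    "R3-04": {"sources": ["R2-06"], "new_emphasis": False},
    # R2-05 is deliberately not referenced: it still scores under Rev 2.
}


def rev3_impact(rev3_id: str) -> Impact:
    """Derive the overlay value for one Rev 3 item from its Rev 2 sources."""
    entry = REV3[rev3_id]
    sources = [REV2[s] for s in entry["sources"]]
    if not all(s.implemented for s in sources):
        return Impact.SMALL_CHANGE     # a Rev 2 gap also leaves the Rev 3 item unmet
    if any(not s.evidence for s in sources):
        return Impact.ADD_EVIDENCE     # implemented, but nothing to show an assessor
    if entry["new_emphasis"] or len(sources) > 1:
        return Impact.CLARIFY          # reword or re-home existing evidence
    return Impact.NONE


def build_overlay() -> dict[str, str]:
    """The overlay column for the whole Rev 3 list."""
    return {rid: rev3_impact(rid).value for rid in REV3}


def rev2_without_rev3_counterpart() -> list[str]:
    """Rev 2 items no Rev 3 item points at. A Rev 3-only implementation
    would forget these, yet they are still scored items today."""
    referenced = {s for e in REV3.values() for s in e["sources"]}
    return sorted(i for i in REV2 if i not in referenced)


def rev2_gaps() -> list[str]:
    """Rev 2 items that would show as unmet or unsupported in a Level 2
    assessment regardless of any Rev 3 work."""
    return sorted(i for i, item in REV2.items()
                  if not item.implemented or not item.evidence)


if __name__ == "__main__":
    for rid, impact in build_overlay().items():
        print(f"{rid}: Rev 3 impact = {impact}")
    print("Rev 2 items with no Rev 3 counterpart:", rev2_without_rev3_counterpart())
    print("Rev 2 gaps to fix first:", rev2_gaps())
```

The ordering in rev3_impact is deliberate: an unimplemented Rev 2 source is reported before anything else because it hurts the SPRS score now, missing evidence comes next because an assessor cannot credit an undocumented control, and "clarify" is reserved for items that are already fully evidenced and only need their wording or evidence location adjusted for the Rev 3 structure.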

Step 3 – Use DoD’s ODP memo to tune settings, not to change your baseline

DoD’s April 2025 memo sets Organization Defined Parameters for Rev 3. That gives you clear numbers for things like:

  • Log retention periods
  • Session timeouts
  • Lockout thresholds

You can borrow those values to sharpen your own settings even while your audit baseline is still Rev 2.

This is a safe way to “future-proof” your environment without stepping outside CMMC’s current scoring model.

What this means for your next 12 months

In the next year, most defense contractors will juggle three things at once:

  1. CMMC Level 2 assessments and self-assessments based on Rev 2.
  2. DFARS clauses and SPRS updates that gate award eligibility.
  3. Gradual adoption of Rev 3 thinking and ODP values for CUI protection.

A simple way to talk about this with leadership:

  • “We will treat NIST 800-171 Rev 2 as our hard audit and award baseline for CMMC Level 2.”
  • “We will use Rev 3 and DoD ODP guidance to tighten our environment where it makes sense, but without breaking our Rev 2 evidence and scoring.”
  • “When DoD formally moves CMMC Level 2 to Rev 3, we will already have the mapping and improvements in place.”

That is a very different message from “we have to start over for Rev 3.”

Turning version confusion into a CMMC strength

CMMC, NIST 800-171, and DFARS are not going to get simpler on their own. But this part can be clear:

  • Today: CMMC Level 2 and SPRS scoring still look at NIST 800-171 Rev 2.
  • Tomorrow: NIST 800-171 Rev 3 and DoD’s Rev 3 ODPs will shape what “good” looks like for CUI protection across the government.

The contractors who stay ahead will be able to say:

  • “We can pass a Rev 2-based Level 2 assessment today.”
  • “We already know how our controls line up with Rev 3.”
  • “When CMMC updates its mapping, we adjust, not restart.”

That is a strong, calm story to bring into both capture meetings and assessments.

How Centrend can help your team right now

Centrend can help defense contractors:

  • Map current CMMC Level 2 posture clearly to NIST 800-171 Rev 2.
  • Build a simple Rev 3 overlay so you see what changes without losing control of Rev 2 scoring.
  • Use DoD’s Rev 3 ODP guidance to tune logging, access, and monitoring in ways that help both today’s audits and tomorrow’s expectations.

If you want a focused working session, we can walk your team through a short Rev 2 vs Rev 3 CMMC Readiness Review and leave you with a practical action list for the next 90 days.

Learn more about how Centrend’s Cybersecurity Services help defense contractors stay secure and CMMC ready.
