New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
CMMC
4 min read

NIST SP 800-171: You're Assessed on Rev 2. Stop Studying Rev 3 (For Now)

Rev 3 has been out for a year, the DoD just published its parameter choices, and CMMC still points squarely at Rev 2. How to plan controls, training, and evidence without chasing the wrong revision.

Christina Arcane

A confusion we keep meeting in defence-supply-chain engagements, on both sides of the Pacific: NIST released SP 800-171 Revision 3 ages ago – should we be building to it?

Short answer: no. Longer answer: no, but the clock has visibly started, and there's a right way to spend the interval. Here's the state of play as of mid-2025.

The state of play, in four factsLink to this section

  1. Rev 3 is final. NIST published SP 800-171 Rev 3 in May 2024, with its companion assessment guide. It reorganises requirements, tightens some controls, and introduces organisation-defined parameters (ODPs) – blanks that an authority fills in with specific values.
  2. The DoD immediately said "not yet." A class deviation keeps DFARS contracts pointed at Rev 2 until further notice.
  3. CMMC assesses Rev 2. CMMC Level 2 is the 110 requirements of Rev 2, full stop. The program rule that took effect in December locked that in. No assessor will mark you against Rev 3.
  4. The transition signal just fired. In April, the DoD published its proposed ODP values for Rev 3 – the homework a regulator does before adopting a standard. Adoption will come through future rulemaking, with notice, not as a surprise memo.

So: assessed reality is Rev 2, the future is Rev 3, and the gap between them is now officially on the calendar – even if the date isn't.

Why "build to Rev 3 now" backfiresLink to this section

The ambitious instinct – skip ahead, future-proof – sounds prudent and usually isn't:

  • Your assessment is against Rev 2. Evidence organised around Rev 3's structure makes an assessor's job harder, and a confused assessor is never money in the bank.
  • The ODPs aren't final. Build to parameter values today and you're guessing; guess wrong and you've bought rework twice.
  • Effort is finite. Every hour spent restructuring for a future standard is an hour not spent closing the Rev 2 gaps that show up in your actual SPRS score.

The right posture is Rev 2 compliant, Rev 3 aware: satisfy today's requirements in full, and when you make new investments – tooling, documentation structures, training programmes – avoid choices that Rev 3 will obviously strand.

The awareness and training family, concretelyLink to this section

Since workforce training is our corner of this world, here's how the posture cashes out for the AT family – the same logic applies elsewhere.

Under Rev 2, you're on the hook for three things: security awareness for everyone (3.2.1), role-based training for people with security-relevant duties (3.2.2), and insider-threat awareness (3.2.3). What an assessor actually asks is disarmingly concrete:

Who was trained? On what content? When? Show me the records.

Two habits make that question boring to answer, and both happen to be Rev 3-proof:

  • Keep training records like evidence, because they are. Per-person completions, dates, and – the one everyone skips – which version of the content. When material changes, you need to know who's stale.
  • Keep content current with the threat. Rev 3's drafting is more explicit about training that reflects current risks and gets refreshed, but assessors already frown at 2019 slideware. AI-enabled phishing and data leakage through AI tools belong in this year's awareness content on merit, whichever revision you're assessed under.

Do that, and the eventual Rev 3 transition becomes a content-mapping exercise rather than a rebuild.

What to actually do this quarterLink to this section

  1. Close Rev 2 gaps first. Your SPRS score reflects Rev 2. Honest score, shrinking POA&M, evidence on file.
  2. Read the DoD's ODP publication once. Not to implement – to know which of your controls sit near a parameter that may tighten.
  3. Version and date your training programme. Cheap now, priceless in an assessment room.
  4. Put the Rev 3 transition on the risk register with a review date. That's all a "watch item" needs – a line and an owner, not a project.

The meta-lessonLink to this section

Standards overlap. There is always a newer revision, a fresher framework, a pending rule – and always a temptation to either chase the newest thing or freeze until the dust settles. Both waste the interval. The compounding move is to run the current requirement well and produce durable evidence while doing it, because provable, versioned, current records are the one asset every revision of every framework ends up asking for.

Rev 2 today. Records forever.