In this blog, Rob Teague, Senior Manager of Cybersecurity Maturity Model Certification (CMMC) Services, and Certified Assessor, and Dr. Thomas Graham, Vice President and Lead CMMC Assessor for Redspin, dive into the latest draft announcement of NIST 800-171 Revision 3, (NIST 800-171 r3) which is currently in the 60-day public comment period. This blog will highlight the key updates and impacts to Organizations Seeking Certification (OSCs).

NFO Controls and Organizational Parameters:

One of the significant changes in r3 is the inclusion of most of the NFO (nonfederal organization) controls into the body of the NIST 800-171 practices. These controls, which were previously discussed under r2 in Appendix E, have now been incorporated into the content of NIST 800-171 r3. This change brings more focus and clarity to the requirements. Additionally, the document introduces ODPs (Organizationally Defined Parameters), which provide agencies with the flexibility to specify requirements for organizations implementing NIST 800-171 r3. It is important to note that the ODPs refer to federal agencies and not commercial organizations, allowing agencies to tailor the requirements based on their needs.

Impact on DoD Organizations:

For Department of Defense (DoD) organizations, the concern about the removal of FIPS 140-2 validation can be alleviated. Although specific references to FIPS 140-2 are removed, the requirements for cryptography in r3 can still be based on FIPS or NSA standards. Therefore, DoD organizations will likely continue to require FIPS 140-2 validation for cryptographic solutions.

Objectives and Assessments:

One notable change in the way NIST 800-171 r3 is structured compared to r2 is the absence of objectives in each practice. In r2, organizations had to meet 320 objectives, but Revision 3 does not explicitly list objectives for all practices. This change may impact Cybersecurity Maturity Model Certification (CMMC) assessments, where organizations must meet specific objectives. As the document progresses to its final version, the assessment methodology in CMMC 2.0 will need updating to align with the new requirements. The impact on the number of objectives is yet to be determined.

Preparing for Revision 3:

While r3 is not an immediate concern, it is advisable to review the document during the public comment period and provide feedback to clarify any confusing or obscurities.

Organizations should not wait to start their CMMC journey. For those ready, the Joint Surveillance Assessment Program (JSVAP) is recommended, providing time to address roadblocks, and a competitive advantage to gaining certification early.

Language Shift and Expansion to Other Agencies:

R3 reflects a shift in language, moving away from a DoD-centric focus towards a more standardized government document. This change may indicate the potential expansion of CMMC and NIST 800-171 into other federal departments such as the Department of Energy (DOE) and Health and Human Services (HHS). The objective is to establish a consistent categorization and protection of Controlled Unclassified Information (CUI) across government entities.


The release of NIST 800-171 r3 brings significant updates that will impact the CMMC program. Organizations are encouraged to review the document and provide comments during the public comment period to address any concerns or seek clarification. While r3 is not an immediate requirement, organizations should continue their progress toward r2 and consider participating in the JSVAP. The evolving landscape of cybersecurity and compliance requires proactive engagement and collaboration within the CMMC ecosystem.

How Redspin can help >>

If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.


Book a meeting to start your CMMC journey by filling out the form below