Put NIST SP 800-171r3 On Hold (for now)

Put NIST SP 800-171r3 On Hold (for now)

If you have started to work on your NIST 800-171 compliance journey, you most likely know that a new revision was published recently. It is natural to assume that the latest version of a standard is the one that a company needs to comply with, but in this case, we suggest companies put revision three of NIST 800-171 and 800-171A on hold for now. We are basing this suggestion on two key factors.

NIST SP 800-171r2 is what CMMC Will Assess

The proposed CMMC rule published in late 2023 cites NIST SP 800-171r2 specifically. This means that your third-party CMMC assessment will be based on revision two of the NIST standard and not the newest third edition. This focus on revision two is further validated through a recent class deviation released by the Office of the Secretary of the Department of Defense. This class deviation advises that DFARS 252.204-7012 will require compliance specifically with revision two. Previously the DFARS clause required compliance with the version of the NIST standard was in effect at the time of contract.

What this means for contractors is that revision three of the NIST controls is not discussed currently in the documentation surrounding CMMC. In fact, it is not mentioned at all. 

You Need Revision Two to Comply with Revision Three

There are enough differences between the latest and previous versions of NIST SP 800-171 that they are not interchangeable. If a company builds compliance right now against the newest edition, they will not pass the assessment against revision two controls. We strongly encourage the DIB to work on compliance against revision two of NIST 800-171 first. Then a delta assessment can be conducted later to ascertain what needs to be done to comply with revision three. Consider the different revisions of 800-171 as building blocks, and none of the blocks can be skipped.


If you are hearing a lot about NIST SP 800-171r3 right now, it is because it is something new, and with the pace of the rulemaking process surrounding CMMC, new documentation always creates excitement. Nonetheless, for right now, the latest NIST release should be on the radar, but not as an immediate priority.

If you would like to talk to us about your NIST assessment or if you are curious what the differences are between revision two and revision three, feel free to contact us today.
Show Policy

New! NIST 800-171 assessment checklist!

Latest Resources

See all resources