FAR & DFARS: Procurement Power
All Episodes

NIST 800-171 Rev 3: Why DoD Is Pausing the Shift

The DoD’s class deviation keeps contractors on Rev 2 for now, but the episode explains why Rev 3 is still looming and how its Organization-Defined Parameters will reshape compliance. It also breaks down the parallel timelines for DFARS and CMMC Level 2, plus the practical steps contractors should take to prepare.


Chapter 1

The Rev 2 to Rev 3 Transition and the ODP Shift

Eric Marquette

So we're looking at this massive pivot point, right? The DoD drops this class deviation—what was it, 2024-O0013? And suddenly, everybody who was scrambling to figure out NIST SP 800-171 Revision 3 is told... wait. Hold on. We are sticking with Revision 2 for now. It's a strategic pause, but it feels like a pressure cooker because Revision 3 isn't actually going away, it's just... hovering.

Paul Netopski

Hovering is a polite way to put it, Eric. It's more like a looming architectural shift. The DoD issued that class deviation, 2024-O0013, back in May, specifically to prevent a situation where contractors would be contractually bound to Rev 3 before the assessment infrastructure was ready. If they hadn't, the moment Rev 3 went final, standard DFARS clauses would have technically required immediate compliance. And let's be honest, nobody was ready for that. But the mistake is thinking this pause means you can just sit on your hands.

Eric Marquette

Right, because Revision 3 is fundamentally different. It's not just a minor patch, like a point release. It completely restructures how the controls work. I mean, they aligned it with NIST SP 800-53 Revision 5, right? And they got rid of the old distinction between basic and derived security requirements. It's all just... security requirements now.

Paul Netopski

Exactly. They collapsed that structural division. In Rev 2, you had basic requirements and derived requirements, which honestly created this weird, artificial hierarchy. Now, it's a flat structure, directly mapped to the 800-53 catalog, which is the catalog federal agencies use. But the real kicker in Rev 3, the thing that is going to give compliance managers nightmares, is the introduction of ODPs. Organization-Defined Parameters.

Eric Marquette

ODPs. Right. I've heard this described as a double-edged sword. On one hand, it gives flexibility, but on the other hand, it means the government has to actually define those parameters, or the contractor has to define them and get them approved. How does that actually play out in a System Security Plan, an SSP?

Paul Netopski

Well, think of an ODP as a fill-in-the-blank. In Rev 2, a control might say, you know, "restrict login attempts." In Rev 3, with ODPs, the control says "restrict login attempts to [Organization-Defined: number] attempts within [Organization-Defined: time period]." Now, if you're a defense contractor, you can't just make those numbers up. The DoD has to issue a memorandum or a guide specifying what those values are. They actually released a draft ODP table, but until that's finalized and contractually binding, you have this state of limbo. If you're updating your SSP today, you have to maintain your current Rev 2 alignment while mapping out where these ODP blanks are going to land in your future Rev 3 state. It's duplicate work, essentially.

Eric Marquette

So you're building a parallel track. You're keeping the Rev 2 SSP active because that's what you're audited against today, but you're basically pre-formatting your Rev 3 SSP with these ODP placeholders. That sounds incredibly resource-intensive for smaller shops in the Defense Industrial Base, the DIB.

Paul Netopski

It is. It's a heavy lift. If you're a fifty-person machine shop, you likely don't have a dedicated cybersecurity team to run parallel compliance tracks. But if you don't start mapping this out now, the transition window, when the DoD eventually lifts that class deviation and points to Rev 3, is going to feel like trying to drink from a firehose. The gap analysis between Rev 2 and Rev 3 is not trivial. Some controls are split, some are combined, and some are entirely new, especially around supply chain risk management.

Chapter 2

The Rulemaking Timeline and the CMMC Connection

Eric Marquette

Which leads us right into the whole rulemaking mess. In our earlier episode, "Demystifying the Federal Rulemaking Process," we talked about how agonizingly slow this whole machinery is. You've got initiation, notice and comment, finalization... and then in "Pentagon Cyber Rules Reset," we looked at how CMMC Level 2 is directly tied to this. If CMMC Level 2 requires compliance with NIST SP 800-171, but the version of 171 is in this weird transition state, how does a contractor project their timeline? What's the intersection here?

Paul Netopski

So the key thing to understand is that CMMC is a vehicle for assessment, right? It doesn't actually write the security standards; it verifies them. CMMC Level 2 is explicitly tied to 800-171. Because of that class deviation, 2024-O0013, the baseline for CMMC Level 2 remains Revision 2. For now. The final CMMC rule, which we've been tracking in the 'CMMC Unlocked' series, is moving through its own federal rulemaking process. Even when that CMMC rule goes final and starts showing up in contracts, it's going to point to Rev 2 initially. But the DFARS rulemaking to update the standard reference to Rev 3 is running on a parallel track. It's like two trains running next to each other, and at some point, they have to merge.

Eric Marquette

Wait, so if I'm a contractor, I could get certified under CMMC Level 2 using Rev 2, but then six months later, the DFARS rule updates to Rev 3, and suddenly my compliance target shifts? Is that what we're looking at?

Paul Netopski

Potentially, yes. Though the DoD has indicated there will be a phase-in period. They aren't going to pull the rug out overnight. But this is why the strategic pause on Rev 3 is so deceptive. It's not a pass to do nothing. It's a window of preparation. If you get certified under Rev 2, your three-year certification cycle starts. But during those three years, you will almost certainly have to transition your internal systems to meet Rev 3 requirements as new contracts get awarded with the updated DFARS clauses. You have to design your systems today with the flexibility to adopt those Rev 3 ODPs without tearing down your whole infrastructure.

Eric Marquette

So what are the concrete next steps? If you're advising a defense contractor right now who is caught in this interim phase, what do they actually do tomorrow morning?

Paul Netopski

First, do not halt your Rev 2 implementation. If you aren't fully compliant with Rev 2 today, you have zero chance of surviving the transition to Rev 3, let alone a CMMC assessment. Get your Rev 2 SSP solid. Second, conduct a preliminary gap analysis against the final draft of Rev 3. Focus heavily on those Organization-Defined Parameters. Look at the draft ODP values the DoD released and test your current configurations against them. If the DoD draft says "multifactor authentication session termination after ," and your current policy is eight hours, look at what it takes to change that. Start testing those tighter configurations now, in a non-production environment, so you know what breaks.

Eric Marquette

That makes sense. It's about treating compliance as an engineering challenge, not a paperwork exercise. Test the technical limits before the rule makes them mandatory. Well, that's a very practical place to leave it. We'll keep tracking these parallel rulemaking tracks. Thanks, Paul.

Paul Netopski

Always a pleasure, Eric. Stay secure out there.