
Before You Rebuild Your CMMC Program for NIST 800-171 Rev. 3, Read This

If you are preparing for a CMMC Level 2 assessment, one question matters more than most: Which version of NIST SP 800-171 counts right now?

The current answer is straightforward. CMMC Level 2 is aligned to NIST SP 800-171 Revision 2. The current CMMC rule states that Level 2 uses NIST SP 800-171 R2.

That means your controls, policies, procedures, SSP, POA&M strategy, and assessment evidence should all stay aligned to Rev. 2 if your goal is to pass a Level 2 assessment today.

Rev. 3 is published and available, but it is not the current CMMC Level 2 baseline.

NIST published SP 800-171 Rev. 3 in May 2024, and that publication officially supersedes Rev. 2 within NIST’s publication history. Even so, the current DoD CMMC rule still maps Level 2 to NIST SP 800-171 R2. Those are two different realities, and compliance teams need to pay attention to the one that governs the assessment in front of them.

This is where organizations can lose focus. Security leadership may look at Rev. 3 and see the future direction of federal cybersecurity expectations. Assessment teams need to look at the current CMMC rule and build toward the baseline assessors are using now.

For teams that want a stronger grounding in the framework itself, start with our What is NIST 800-171? Overview.

Should You Update Your Program to Rev. 3 Right Now?

For current CMMC compliance purposes, the smart move is to stay aligned to Rev. 2.

That decision supports organizations that are focused on:

  • passing a CMMC Level 2 assessment
  • maintaining current assessment readiness
  • supporting obligations tied to current DFARS contract clauses related to CMMC
  • keeping documentation and evidence clean, stable, and assessor-ready

A rushed move to Rev. 3 can introduce avoidable problems:

  • unnecessary cost
  • scope confusion
  • documentation drift
  • extra remediation work
  • scoring and evidence alignment issues
  • rework when DoD eventually issues formal transition guidance

What If Leadership Tells You to “Move to Rev. 3”?

This happens more often now because Rev. 3 sounds like progress, and leadership usually wants the organization to stay ahead. That instinct can be valuable when the goal is broader security maturity. It can also create confusion when the immediate goal is a current CMMC Level 2 assessment.

A better response starts with clarity.

Clarify the objective

Ask whether the priority is current CMMC certification readiness or a longer-term modernization effort.

Explain the current compliance baseline

Show that the current CMMC rule still maps Level 2 to NIST SP 800-171 R2.

Propose a two-track roadmap

Keep your compliance documentation aligned to Rev. 2 while tracking Rev. 3 deltas in a separate planning effort.

That approach gives leadership a path forward without destabilizing the documentation package your assessors will actually review.

What Are the Biggest Differences Between Rev. 2 and Rev. 3?

At a high level, Rev. 3 introduces meaningful structural and organizational change. NIST identifies Rev. 3 as the current final publication and notes that it supersedes Rev. 2. (NIST Computer Security Resource Center)

Teams comparing the two versions will quickly notice:

  • reorganization of requirements and structure
  • some new or updated requirements
  • broader alignment with federal cybersecurity concepts and frameworks
  • removal of the older “basic” and “derived” distinction that shaped many Rev. 2 discussions

Those changes matter. They also increase the chance of confusion if an organization rewrites its documentation now while the assessment baseline remains tied to Rev. 2.

What Risk Do You Face If You Switch Too Early?

The main risk is misalignment.

Your team could build policies, evidence folders, and control narratives around a structure that does not match the current CMMC Level 2 assessment framework. Since Level 2 assessments and self-assessments are still scored under the current CMMC scoring methodology, organizations need their implementation story to map cleanly to that framework.

That risk can show up in practical ways:

  • an SSP that no longer maps neatly to the current assessment baseline
  • internal review checklists that drift from current evidence expectations
  • remediation priorities that chase a future structure instead of current requirements
  • duplicated effort across policies, procedures, and technical narratives

A focused readiness strategy saves effort. A premature overhaul creates extra work.

 

What Should Contractors Do Now?

For organizations handling CUI and preparing for CMMC Level 2, the best path today is simple:

Keep your compliance program aligned to NIST SP 800-171 Rev. 2.

That includes your:

  • policies
  • procedures
  • SSP
  • scoping decisions
  • evidence collection
  • internal readiness reviews
  • assessment preparation workflow

At the same time, reviewing Rev. 3 as a future-planning exercise can still be worthwhile. A side-by-side gap analysis can help your team anticipate change without creating disruption in the current assessment cycle.

For additional direction, readers can explore The 6 Biggest CMMC Questions Everyone’s Asking for practical guidance on common CMMC concerns.

A Final Note on Rumors

There is plenty of discussion in the market about what DoD might do next. Rumors do not change the current rule. The strongest compliance position is built on published requirements, current assessment criteria, and documented evidence that matches the framework in force today. Right now, that framework still points Level 2 organizations to NIST SP 800-171 Rev. 2.

Bottom Line

If your goal is to pass a CMMC Level 2 assessment, keep your documentation and compliance program aligned to NIST SP 800-171 Rev. 2.

Rev. 3 belongs in your planning conversations. Rev. 2 belongs in your assessment package today.
