CMMC Updates: What You Need to Know About the NIST SP 800-171 Revision 3 Draft

NIST SP 800-171 Revision 3 draft was released on May 10, 2023, for review and public comment. This draft revision brings significant updates to the framework that serves as the foundation for the Cybersecurity Maturity Model Certification (CMMC). As a result, it is expected to have an impact on both the CMMC and existing DFARS requirements. Let’s take a quick glance at the updates and potential impacts.

What you need to know

  • Three New Domains: Revision 3 expands from 14 security control domains to 17. The new domains introduced are 3.15 Planning, 3.16 System and Services Acquisitions, and 3.17 Supply Chain Risk Management. These additions reflect the evolving landscape of cybersecurity threats and the need for enhanced protection in these areas.
  • Merged Controls: Despite the addition of new domains, the total control requirement count remains at 110. This has been achieved through the merging of several controls to eliminate redundancy and streamline the framework. Controls that have been merged are labeled as “withdrawn” and are now incorporated into associated controls. This consolidation simplifies the compliance process without compromising security.
  • New Controls: Revision 3 introduces additional controls to address emerging security challenges. These include requirements for email and instant messaging security, system and information integrity, and supply chain risk management. These new controls enhance the overall security posture and adapt the framework to changing technological landscapes.
  • Clarification of Language: One of the key improvements in Revision 3 is the clarity of language used throughout the document. The update aims to make the framework easier to read and understand compared to previous iterations. The revised version provides clearer guidance on compliance requirements, making implementation more straightforward for organizations.
  • Framework Alignment: The draft revision of NIST SP 800-171 aligns more closely with NIST 800-53 Rev 5. This alignment is intended to help businesses better understand how to implement safeguards effectively. By aligning with another recognized cybersecurity framework, Revision 3 facilitates a more coherent and comprehensive approach to cybersecurity.

For more information on NIST SP 800-171 Revision 3, the full draft can be accessed through the following link: Click Here

How this impacts you

So, what does all this mean for your business and when should you take action?

Firstly, if your business needs to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) requirements, it will be essential to assess your cybersecurity practices against the finalized NIST SP 800-171 Revision 3 once it is released. Ensuring compliance with the updated framework will help you meet the necessary security standards.

Secondly, as the CMMC is being finalized, it is expected to align with the new Revision 3. Consequently, the controls outlined in Revision 3 will become the prevailing requirements for achieving CMMC certification. Therefore, familiarizing yourself with the updated framework and understanding its implications is crucial for preparing your business for CMMC compliance.

It is estimated that the revision will be finalized in early 2024. This provides organizations with a window of time to review and understand the changes, evaluate their current cybersecurity practices, and implement any necessary updates.

To get started, we recommend familiarizing yourself with the updated framework by accessing the full draft of NIST SP 800-171 Revision 3 in addition to reviewing our article on Planning for CMMC Certification. 

Still have questions?

Reach out to our experts. 

Articles & News

Contact Us


Fill out the form below to access our checklist that will ensure your project's success!