Rev. 3 Is Coming – Start Preparing for the Next CMMC Requirement


Federal News Network, Apr 24, 2026

Why It Matters

Rev 3 tightens cyber‑risk requirements for the defense supply chain, directly affecting eligibility for DoD contracts and increasing compliance costs. Early preparation helps firms avoid disruptive re‑certifications and stay competitive in a high‑stakes market.

Key Takeaways

  • Rev. 3 adds three control families that did not exist in Rev. 2: Planning, System and Services Acquisition, and Supply Chain Risk Management
  • Rev. 3 contains 88 organization‑defined parameters (ODPs) whose values DoD will fix for compliance purposes
  • The requirement count drops from 110 to 97, but many requirements are merged or reworded, not removed
  • DoD expects Rev. 3 compliance rulemaking within 12‑18 months
  • Early, incremental migration avoids the “major change” triggers that force a costly re‑certification

Pulse Analysis

The Defense Department’s CMMC program has become a gatekeeper for any firm seeking to win or retain contracts in the defense industrial base. While most companies are still racing to meet the current NIST SP 800‑171 Rev 2 requirements, the DoD is already charting a path toward the next iteration, Rev 3. This version aligns more closely with NIST SP 800‑53 Rev 5, introduces three control families new to 800‑171 (Planning, System and Services Acquisition, and Supply Chain Risk Management), and reduces the requirement count from 110 to 97. Although the headline number of requirements shrinks, the real workload grows: many legacy requirements are merged rather than dropped, and the new organization‑defined parameters (ODPs) must be set to exact values, which tightens the compliance landscape.

For defense contractors, the practical implications are significant. Rev 3’s 88 ODPs cover specifics such as password length, session‑timeout values, and encryption thresholds, and the DoD will prescribe the exact values, removing the flexibility organizations previously had in choosing them. Additionally, controls that Rev 2 tailored out as “NFO” (expected to be routinely satisfied by non‑federal organizations without being stated) are now written into Rev 3 as explicit requirements, expanding the scope of mandatory safeguards. Companies still on the road to initial CMMC certification must now juggle two standards: continue preparing for Rev 2 assessments while laying the groundwork for Rev 3. With only a 12‑ to 18‑month window before formal rulemaking, firms that delay risk falling behind competitors who adopt a proactive migration strategy.

Strategically, firms should make incremental upgrades that avoid triggering a “major change” under DoD policy, which would force a costly re‑certification. The NIST SP 800‑171A assessment guide, which spells out the assessment objectives for each requirement, can be used to map existing controls to the new ODPs and to the requirements that replaced the former NFO controls, while voluntary early implementation of Rev 3 elements, especially the new control families, provides a safety net against future compliance surprises. Continuous monitoring of DoD announcements, coupled with a phased migration plan, will help organizations protect their contract eligibility, reduce the likelihood of disruptive audits, and demonstrate the forward‑looking cyber‑resilience posture that modern defense supply chains demand.
