Go Back Up

CMMC Rev. 3 Is Coming: What the New Rule Means for Defense Contractors

Jul 10, 2026 3:47:55 PM Wesley Reinhart 7 min read

The federal government recently released its regulatory agenda for all agencies, including the Department of Defense. Within that agenda is a rule that would implement Revision 3 of NIST SP 800-171 for CMMC Level 2. As the rulemaking describes, there will be a phase-in period, but the change is imminent, with the rule expected this month.

If you handle Controlled Unclassified Information (CUI) for the Department of Defense, here is what is happening, what it means for your organization, and the practical steps to take now. If you are newer to these requirements, our small manufacturer's guide to CMMC 2.0 and defense contracts is a helpful place to start.

Author’s Note: Throughout this article, we use the commonly accepted shorthand “CMMC Rev. 3” to describe the Department of Defense’s planned transition of CMMC Level 2 from NIST SP 800-171 Revision 2 to Revision 3.

What Is the New Update, and When Does It Go Into Effect?

The easiest way to understand CMMC Rev. 3 is this: CMMC is not going away, it’s evolving.

The current version of CMMC Level 2 is based on NIST SP 800-171 Revision 2, which contains the 110 cybersecurity requirements that defense contractors are currently working to implement and be assessed against. NIST has since released a newer version of that cybersecurity standard called NIST SP 800-171 Revision 3. The Department of Defense is expected to eventually update CMMC to align with this newer standard.

The timeline just became much more concrete. The government's newly published Unified Agenda signals that the Department intends to move this month on rulemaking that sets the deadline for shifting CMMC assessments from Revision 2 to Revision 3. Today, assessments are tied to Revision 2, and the update introduces added specificity in the security requirements while bringing in organization-defined parameters (ODPs) that contractors will need to address. You can track the program directly on the official Department of War CIO CMMC page, where the Department posts current program documentation and guidance.

What changes?

Revision 3 is not simply a few new cybersecurity controls added to the current CMMC checklist. It is a modernization of the standard. The new version updates the requirements to better address today's cybersecurity threats, technologies, cloud environments, and ways of doing business. It also places more emphasis on organizations being able to clearly define how security requirements apply to their specific environment. In simple terms, the focus continues to shift away from asking "Do you have this security control?" and toward asking "How does this security control work in your environment, who is responsible for it, how is it configured, and can you prove that it is working?"

Because the rule includes a phase-in period, contractors will not be expected to meet the new standard overnight. But with the rule expected this month, now is the time to understand what is coming and position your program to adapt.

Copy of Stats - Blog (8)

What Does This Mean for Defense Contractors?

Does this mean companies should stop preparing for the current version of CMMC?

No. Absolutely not. Companies should continue preparing for and pursuing CMMC under the requirements that apply today. The current CMMC program remains the requirement companies must meet for contracts that include CMMC. The work being done today is not wasted. Strong cybersecurity fundamentals, proper scoping, policies, technical controls, documentation, evidence collection, and continuous compliance will remain important under the next version.

So what should defense contractors do now?

Do not stop your current CMMC efforts, but build your program in a way that can evolve. Companies that treat CMMC as a one-time project or a checklist may have more work to do when the requirements change. Companies that build a sustainable cybersecurity and compliance program will be in a much better position to adapt.

Do not stop your current CMMC efforts, but build your program in a way that can evolve.

This matters more than ever as CMMC enforcement ramps up. Third-party (C3PAO) certification requirements are already moving from optional to mandatory for many CUI-handling contracts, and self-attestation alone will not be enough for those contracts going forward. Whether you are aligning to Revision 2 today or Revision 3 tomorrow, the underlying expectation is the same, because both demand real, provable, continuously maintained security.

Related Article: How to choose the right C3PAO

What If I Am Already CMMC Certified?

First, the good news is that a certification you have already earned does not disappear. CMMC certifications remain valid, and Revision 3 does not erase the work you have already done. The requirements that applied when you were assessed are the requirements you were held to.

Your job now is to protect that investment and stay ready for the transition:

  • Maintain continuous compliance. Certification is not a finish line. You are still responsible for annual affirmation of continued compliance and for keeping your controls, documentation, and evidence current between assessments.

  • Build a Revision 3 crosswalk. Map your existing Revision 2 controls to their Revision 3 equivalents so you can see, in advance, where the new standard adds specificity, introduces organization-defined parameters, or raises the bar. This turns the future transition into a planned project instead of a scramble.

Prioritize the gaps, not the whole checklist again. Because much of Revision 3 builds on the fundamentals you already have in place, a well-run program should be updating and extending existing controls rather than starting from zero.

If you built your program as a living system rather than a one-time certification exercise, you are in exactly the position you want to be in when the rule takes effect.

What If I Haven't Yet Started My CMMC Remediation Efforts?

Do not wait. The requirement that applies today is still Revision 2, and it is still the standard you must meet for contracts that include CMMC. Delaying does not spare you the Revision 2 work, and it only compresses your timeline and adds risk, especially as third-party certification becomes mandatory for many CUI contracts.

The reassuring part is that starting now is not wasted effort, even with Revision 3 on the horizon. Strong cybersecurity fundamentals, proper scoping, policies, technical controls, documentation, and evidence collection are the foundation of both versions of the standard. Every hour you invest in doing those things well carries directly into Revision 3.

6-months-to-audit-cmmc

A practical way to begin is to work through these steps:

  • Scope your environment. Identify where CUI lives, flows, and is processed. Proper scoping shapes everything that follows.

  • Run a gap assessment against Revision 2. Know exactly where you stand against the 110 requirements before you spend money remediating.

  • Build for durability from day one. Put policies, configurations, ownership, and evidence collection in place as repeatable processes rather than one-time artifacts, so they can flex when Revision 3 arrives.

Starting today with a program built to evolve means you meet the requirement in front of you and get a head start on the one that is coming.

Your Next Steps

The biggest takeaway is that CMMC Rev. 3 does not mean starting over. It means the cybersecurity standard behind CMMC is being modernized. Organizations should focus on passing the requirements that apply today while making sure their security program, documentation, technology, and compliance processes are flexible enough to support what comes next.

Here is where to go from here:

  • Confirm your obligations. Know whether your contracts require CMMC Level 2, and whether self-assessment or third-party (C3PAO) certification applies to you.

  • Assess where you stand today against NIST SP 800-171 Revision 2, and close the highest-risk gaps first.

  • Prepare a Revision 3 migration plan. Build a crosswalk from Revision 2 to Revision 3 so the transition is a managed project rather than a fire drill.

  • Build (or rebuild) your program to be sustainable, with continuous compliance, living documentation, and clear ownership of every control.

If you are not sure where to begin, or you want a partner who lives in this every day, Compass MSP can help you get ready and stay ready. Explore our CMMC Readiness solution to see how we guide defense contractors through assessment, remediation, and continuous compliance.

YOU MAY NEED TO KNOW

Frequently Asked Questions

What is NIST SP 800-171 Revision 3, and how is it different from Revision 2?

Revision 3 is the modernized version of the cybersecurity standard behind CMMC Level 2. Rather than simply adding controls to the Revision 2 checklist, it updates requirements to reflect today's threats, technologies, and cloud environments, and it emphasizes clearly defining how each requirement applies to your specific environment.

Is CMMC going away because of Revision 3?

No. CMMC is not going away, and it is evolving instead. The program remains the requirement for contracts that include CMMC, and the standard underneath it is being modernized.

When does the Revision 3 rule take effect?

The government's regulatory agenda signals that the rule is expected this month. It includes a phase-in period, so contractors will have time to transition rather than being held to the new standard immediately.

Should I stop my current CMMC preparation and wait for Revision 3?

No. You should continue preparing for and pursuing CMMC under the requirements that apply today. Revision 2 remains the standard you must meet, and the work you do now is not wasted.

Will the work I'm doing for Revision 2 carry over to Revision 3?

Yes. Strong cybersecurity fundamentals such as proper scoping, policies, technical controls, documentation, evidence collection, and continuous compliance remain important under the next version. Most of your foundation carries forward.

What are organization-defined parameters (ODPs)?

ODPs are specific values or thresholds, such as password length or session timeout, that Revision 3 requires organizations to define and document for their environment. They are a key part of the added specificity in the new standard.

I'm already CMMC certified. Do I lose my certification?

No. Your certification remains valid. Your focus should be on maintaining continuous compliance and building a Revision 2 to Revision 3 crosswalk so you are ready when the transition arrives.

I haven't started my CMMC efforts yet. Is it too late?

No, but you should not wait. Revision 2 is still the requirement today, and starting now lets you meet current obligations while building a program flexible enough to adapt to Revision 3.

What's the single most important thing to do right now about CMMC Rev. 3?

Build your CMMC program in a way that can evolve. Companies that treat CMMC as a one-time checklist may have more work to do when requirements change, while companies that build a sustainable program adapt far more easily.

How can Compass MSP help me with CMMC Rev. 3?

Compass MSP helps defense contractors scope their environment, assess against current requirements, remediate gaps, and maintain continuous compliance, building a program designed to meet today's standard and adapt to what comes next.

Wesley Reinhart

Wesley is an experienced cybersecurity executive with a focus on Information Technology / Cybersecurity Lifecycle Management, Compliance, and Governance. Wesley is the Director of our CMMC Program at CompassMSP.

Navigate What’s Next

Get new insights, practical guides, and timely resources delivered to your inbox.