Technology Resources for Cybersecurity, IT, + Cloud | CompassMSP

CMMC Rev. 3 Is Coming: What the New Rule Means for Defense Contractors

Written by Wesley Reinhart | Jul 10, 2026 7:47:55 PM

The federal government recently released its regulatory agenda for all agencies, including the Department of Defense. Within that agenda is a rule that would implement Revision 3 of NIST SP 800-171 for CMMC Level 2. As the rulemaking describes, there will be a phase-in period, but the change is imminent, with the rule expected this month.

If you handle Controlled Unclassified Information (CUI) for the Department of Defense, here is what is happening, what it means for your organization, and the practical steps to take now. If you are newer to these requirements, our small manufacturer's guide to CMMC 2.0 and defense contracts is a helpful place to start.

Author’s Note: Throughout this article, we use the commonly accepted shorthand “CMMC Rev. 3” to describe the Department of Defense’s planned transition of CMMC Level 2 from NIST SP 800-171 Revision 2 to Revision 3.

What Is the New Update, and When Does It Go Into Effect?

The easiest way to understand CMMC Rev. 3 is this: CMMC is not going away, it’s evolving.

The current version of CMMC Level 2 is based on NIST SP 800-171 Revision 2, which contains the 110 cybersecurity requirements that defense contractors are currently working to implement and be assessed against. NIST has since released a newer version of that cybersecurity standard called NIST SP 800-171 Revision 3. The Department of Defense is expected to eventually update CMMC to align with this newer standard.

The timeline just became much more concrete. The government's newly published Unified Agenda signals that the Department intends to move this month on rulemaking that sets the deadline for shifting CMMC assessments from Revision 2 to Revision 3. Today, assessments are tied to Revision 2, and the update introduces added specificity in the security requirements while bringing in organization-defined parameters (ODPs) that contractors will need to address. You can track the program directly on the official Department of War CIO CMMC page, where the Department posts current program documentation and guidance.

What changes?

Revision 3 is not simply a few new cybersecurity controls added to the current CMMC checklist. It is a modernization of the standard. The new version updates the requirements to better address today's cybersecurity threats, technologies, cloud environments, and ways of doing business. It also places more emphasis on organizations being able to clearly define how security requirements apply to their specific environment. In simple terms, the focus continues to shift away from asking "Do you have this security control?" and toward asking "How does this security control work in your environment, who is responsible for it, how is it configured, and can you prove that it is working?"

Because the rule includes a phase-in period, contractors will not be expected to meet the new standard overnight. But with the rule expected this month, now is the time to understand what is coming and position your program to adapt.

What Does This Mean for Defense Contractors?

Does this mean companies should stop preparing for the current version of CMMC?

No. Absolutely not. Companies should continue preparing for and pursuing CMMC under the requirements that apply today. The current CMMC program remains the requirement companies must meet for contracts that include CMMC. The work being done today is not wasted. Strong cybersecurity fundamentals, proper scoping, policies, technical controls, documentation, evidence collection, and continuous compliance will remain important under the next version.

So what should defense contractors do now?

Do not stop your current CMMC efforts, but build your program in a way that can evolve. Companies that treat CMMC as a one-time project or a checklist may have more work to do when the requirements change. Companies that build a sustainable cybersecurity and compliance program will be in a much better position to adapt.

Do not stop your current CMMC efforts, but build your program in a way that can evolve.

This matters more than ever as CMMC enforcement ramps up. Third-party (C3PAO) certification requirements are already moving from optional to mandatory for many CUI-handling contracts, and self-attestation alone will not be enough for those contracts going forward. Whether you are aligning to Revision 2 today or Revision 3 tomorrow, the underlying expectation is the same, because both demand real, provable, continuously maintained security.

Related Article: How to choose the right C3PAO

What If I Am Already CMMC Certified?

First, the good news is that a certification you have already earned does not disappear. CMMC certifications remain valid, and Revision 3 does not erase the work you have already done. The requirements that applied when you were assessed are the requirements you were held to.

Your job now is to protect that investment and stay ready for the transition:

  • Maintain continuous compliance. Certification is not a finish line. You are still responsible for annual affirmation of continued compliance and for keeping your controls, documentation, and evidence current between assessments.

  • Build a Revision 3 crosswalk. Map your existing Revision 2 controls to their Revision 3 equivalents so you can see, in advance, where the new standard adds specificity, introduces organization-defined parameters, or raises the bar. This turns the future transition into a planned project instead of a scramble.

Prioritize the gaps, not the whole checklist again. Because much of Revision 3 builds on the fundamentals you already have in place, a well-run program should be updating and extending existing controls rather than starting from zero.

If you built your program as a living system rather than a one-time certification exercise, you are in exactly the position you want to be in when the rule takes effect.

What If I Haven't Yet Started My CMMC Remediation Efforts?

Do not wait. The requirement that applies today is still Revision 2, and it is still the standard you must meet for contracts that include CMMC. Delaying does not spare you the Revision 2 work, and it only compresses your timeline and adds risk, especially as third-party certification becomes mandatory for many CUI contracts.

The reassuring part is that starting now is not wasted effort, even with Revision 3 on the horizon. Strong cybersecurity fundamentals, proper scoping, policies, technical controls, documentation, and evidence collection are the foundation of both versions of the standard. Every hour you invest in doing those things well carries directly into Revision 3.

A practical way to begin is to work through these steps:

  • Scope your environment. Identify where CUI lives, flows, and is processed. Proper scoping shapes everything that follows.

  • Run a gap assessment against Revision 2. Know exactly where you stand against the 110 requirements before you spend money remediating.

  • Build for durability from day one. Put policies, configurations, ownership, and evidence collection in place as repeatable processes rather than one-time artifacts, so they can flex when Revision 3 arrives.

Starting today with a program built to evolve means you meet the requirement in front of you and get a head start on the one that is coming.

Your Next Steps

The biggest takeaway is that CMMC Rev. 3 does not mean starting over. It means the cybersecurity standard behind CMMC is being modernized. Organizations should focus on passing the requirements that apply today while making sure their security program, documentation, technology, and compliance processes are flexible enough to support what comes next.

Here is where to go from here:

  • Confirm your obligations. Know whether your contracts require CMMC Level 2, and whether self-assessment or third-party (C3PAO) certification applies to you.

  • Assess where you stand today against NIST SP 800-171 Revision 2, and close the highest-risk gaps first.

  • Prepare a Revision 3 migration plan. Build a crosswalk from Revision 2 to Revision 3 so the transition is a managed project rather than a fire drill.

  • Build (or rebuild) your program to be sustainable, with continuous compliance, living documentation, and clear ownership of every control.

If you are not sure where to begin, or you want a partner who lives in this every day, Compass MSP can help you get ready and stay ready. Explore our CMMC Readiness solution to see how we guide defense contractors through assessment, remediation, and continuous compliance.