NIST SP 800-172 Revision 3 Is Final: What It Means for CMMC Level 2 and Level 3

Published: May 15, 2026

NIST SP 800-172 Revision 3 is the updated set of enhanced security requirements for protecting Controlled Unclassified Information (CUI) associated with critical programs and high-value assets. Published on May 13, 2026, it replaces the original SP 800-172 from February 2021 and significantly expands the scope and scale of requirements that may eventually form the basis for a revised CMMC Level 3. This matters for every defense contractor tracking the Cybersecurity Maturity Model Certification (CMMC) program — not just those pursuing Level 3. Today's publication completes the set of revised NIST baselines that the Department of Defense (DoD) would need to update CMMC through rulemaking. That has implications for Level 2 contractors as well. This article explains what changed, what it means for CMMC, and what defense contractors should be doing now.


What Is NIST SP 800-172?

NIST SP 800-172 provides enhanced security requirements designed to supplement NIST SP 800-171. While SP 800-171 establishes the baseline for protecting CUI in nonfederal systems, SP 800-172 adds requirements specifically intended to defend against Advanced Persistent Threats (APTs) — sophisticated, nation-state-level cyber threats targeting CUI associated with critical programs or high-value assets. Under the current CMMC framework, codified in 32 CFR Part 170, the DoD selected 24 of the original 39 SP 800-172 requirements as the basis for CMMC Level 3 certification. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and apply to fewer than 1% of defense contractors in the Defense Industrial Base (DIB). NIST also published SP 800-172A Revision 3 alongside the main publication. SP 800-172A provides the assessment procedures used to evaluate whether organizations have effectively implemented the enhanced requirements. Both publications are available on the NIST Computer Security Resource Center.

What Changed in Revision 3?

The scope of this revision is significant. The original SP 800-172 (February 2021) contained 39 enhanced security requirements focused on protecting the confidentiality of CUI. Revision 3 expands the framework to cover confidentiality, integrity, and availability — a fundamental shift in scope. Early analysis from the community suggests the requirement count has grown to approximately 115, with roughly 80 of those being new. If those numbers hold, this is closer to a redesign than a revision. The revision also introduces a substantial number of new Organizationally Defined Parameters (ODPs), which allow organizations and agencies to tailor certain requirements to their specific environments. The assessment procedures in SP 800-172A Revision 3 have been expanded accordingly. Three structural themes define this revision:

Penetration-resistant architecture

Requirements designed to make systems inherently more difficult to compromise, rather than relying solely on detection and response.

Damage-limiting operations

Practices that constrain what an adversary can achieve even after gaining initial access — limiting lateral movement, reducing blast radius, and isolating critical assets.

Cyber resiliency

Requirements focused on the ability to continue operating and recover during sustained attacks, reflecting the reality that sufficiently motivated adversaries will eventually breach perimeter defenses.

Does This Change Current CMMC Requirements?

No. Nothing changes operationally right now. CMMC Level 2 is still assessed against NIST SP 800-171 Revision 2. CMMC Level 3 is still assessed against the 24 requirements DoD selected from the original SP 800-172 (February 2021), as specified in 32 CFR Part 170. NIST publishing revised standards does not automatically update the CMMC program. The DoD would need to go through formal rulemaking to adopt either revised baseline. This distinction matters. Contractors preparing for CMMC Level 2 or Level 3 today should continue working against the current assessment baselines. The revised NIST publications represent where the framework is heading, not where it is today.

Why This Publication Matters for CMMC Rulemaking

Here is what makes today's publication significant from a rulemaking perspective: both updated baselines are now final. NIST SP 800-171 Revision 3 was finalized in May 2024. NIST SP 800-172 Revision 3 is finalized as of May 13, 2026. That means DoD now has the option to update CMMC Level 2 and Level 3 requirements simultaneously through a single rulemaking process, rather than two separate efforts. This may be one of the reasons DoD has not yet initiated rulemaking for SP 800-171 Revision 3 at Level 2. Updating one level while the other still referenced an older framework generation would have created an awkward mismatch — Level 2 on Revision 3 while Level 3 still pointed to Revision 2 publications. With both Revision 3 publications now complete, a unified update becomes possible. DoD has already published ODPs for NIST SP 800-171 Revision 3; the last missing piece is the list of ODPs for NIST SP 800-172 Revision 3. However, this should not prevent the start of rulemaking. As of today, no timeline for rulemaking has been announced. But the building blocks are now in place.

Why the Level 3 Impact Deserves Attention

The potential scale of change at Level 3 is substantial. Currently, CMMC Level 3 requires 24 enhanced security requirements selected from the original 39 in SP 800-172 — approximately two-thirds. If DoD applies a similar selection ratio to the revised publication, that would mean roughly 77 enhanced requirements on top of the Level 2 baseline. That is a significant jump from the current 24. It would substantially expand the scope, cost, and complexity of Level 3 certification. The original SP 800-172 focused exclusively on confidentiality. Revision 3 adds integrity and availability, which means Level 3 contractors could eventually face requirements covering a much broader range of security objectives. The inclusion of cyber resiliency requirements — designing systems to operate through sustained attacks — represents a particularly demanding addition. These changes will not take effect until DoD completes rulemaking. But Level 3 applies to contractors supporting the most sensitive DoD programs, and preparation timelines for this level of certification are already measured in years. Understanding the direction now is practical planning, not speculation.

What Does This Mean for Level 2 Contractors?

If you are pursuing or maintaining CMMC Level 2 certification, your immediate requirements have not changed. Continue preparing against NIST SP 800-171 Revision 2, which remains the current CMMC Level 2 assessment basis. That said, today's publication is relevant for Level 2 contractors for two reasons. First, the completion of both Revision 3 baselines makes a unified CMMC rulemaking update more likely. When that rulemaking occurs, Level 2 will move to SP 800-171 Revision 3, which introduces ODPs and restructured requirements. Familiarizing yourself with Revision 3 now — particularly its ODPs — helps you anticipate the transition rather than react to it. Second, some Level 2 contractors will eventually need Level 3 certification as their programs grow or contract requirements change. Understanding the trajectory of Level 3 requirements helps with long-term planning and resource allocation.

What Should Defense Contractors Do Now?

A practical approach depends on where you are in the certification process.

Contractors preparing for Level 2 certification should stay focused on the current baseline — NIST SP 800-171 Revision 2. Your Certified Third-Party Assessor Organization (C3PAO) assessment will evaluate you against those requirements, and that has not changed. Where it makes sense, familiarize yourself with the ODPs in Revision 3, as they signal where requirements are heading.

Contractors holding Level 2 certification should monitor the rulemaking process. When DoD announces a timeline for adopting Revision 3, you will need to plan a transition. Understanding the differences between Revision 2 and Revision 3 now reduces the effort required later.

Contractors anticipating Level 3 requirements should read SP 800-172 Revision 3 now, even though compliance is not yet required. The expansion from 39 to approximately 115 requirements is not something to address reactively. Scoping decisions, infrastructure investments, and staffing plans all benefit from early visibility into where the framework is heading.

For all contractors, remember that scoping comes before gap assessment. You cannot evaluate your readiness against a set of requirements until you understand where CUI lives in your environment, how it flows, and which systems are in scope. This is true under the current baselines and will be equally true under the revised ones.

Frequently Asked Questions

Does NIST SP 800-172 Revision 3 change my current CMMC requirements?

No. Current CMMC requirements are defined in 32 CFR Part 170 and reference the original NIST publications (SP 800-171 Revision 2 for Level 2 and selected requirements from SP 800-172 February 2021 for Level 3). NIST publishing new revisions does not change CMMC until DoD completes formal rulemaking to adopt them.

When will CMMC be updated to reference the Revision 3 publications?

No timeline has been announced. With both SP 800-171 Revision 3 and SP 800-172 Revision 3 now finalized, DoD has the option to update both CMMC levels through a single rulemaking process. The timing remains at DoD's discretion.

How many requirements are in SP 800-172 Revision 3?

Early community analysis suggests approximately 115 enhanced security requirements, up from 39 in the original publication. Roughly 80 of those are reported as new. These figures are based on initial reviews of the published document and should be verified against the official NIST publication or the CPRT dataset.

What is the difference between SP 800-172 and SP 800-172A?

SP 800-172 defines the enhanced security requirements — what organizations need to implement. SP 800-172A provides the assessment procedures — how those implementations are evaluated. Both were published simultaneously on May 13, 2026.

Will CMMC Level 3 require all 115 requirements?

That is not yet determined. Under the current framework, DoD selected 24 of the original 39 requirements for Level 3 — approximately two-thirds. If a similar ratio applies to Revision 3, approximately 77 requirements could be selected. The actual number will depend on future rulemaking.

Does this affect CMMC Level 1?

No. CMMC Level 1 is based on the 17 practices in FAR 52.204-21, which protects Federal Contract Information (FCI). NIST SP 800-172 applies to CUI protection and is relevant only to Level 2 and Level 3.

Should I start implementing SP 800-172 Revision 3 requirements now?

Not unless your contracts or agency specifically require it outside of CMMC. For CMMC purposes, continue working against the current baselines. However, reading the revised publication and understanding its direction is useful for long-term planning — particularly if you anticipate Level 3 requirements.

Looking Ahead

We will publish updates as the rulemaking picture develops. If you have questions about how — or whether — these changes may affect your organization, contact us to discuss your specific situation. If you are working toward Level 2 certification or anticipate Level 3 requirements in future contracts, understanding how these baseline changes may affect your timeline and scope is worth a conversation. Contact us at cmmc@ecuron.com to schedule a 30-minute consultation. Ecuron has been a Registered Provider Organization (RPO) since 2021, authorized by the Cyber AB to provide CMMC consulting services. We do not sell or resell any tools or services — our recommendations are based entirely on what your organization needs. Learn more about our 5-step methodology for CMMC certification preparation.
