Summary and dates.
Publication dates
Which version CMMC currently references
32 CFR Part 170, as published in the Federal Register, references NIST SP 800-171 Rev. 2 as the control catalog for CMMC Level 2. Any transition to Rev. 3 would require an amendment to the CMMC Program rule.
Structural changes in Rev. 3 (factual)
NIST has published a public mapping between Rev. 2 and Rev. 3. The total control count, the family structure, and the wording of several requirements changed between revisions. Refer to NIST CSRC for the full mapping document.
Sources and citations.
- NIST CSRC — SP 800-171 Rev. 2 (with Update 1)
- NIST CSRC — SP 800-171 Rev. 3
- NIST CSRC — SP 800-171A Rev. 3 (assessment objectives)
DBIT Defense does not interpret control intent or republish substantive control text. All claims above link to primary sources for verification.
Related insights.
CMMC 2.0 Final Rule: timeline and structure
The CMMC 2.0 Program rule (32 CFR Part 170) was published in the Federal Register in October 2024 and took effect in December 2024. The dates and document struc…
CMMC phased rollout: Phase 1 through Phase 4
DoD has published a four-phase rollout schedule for CMMC, beginning when the DFARS implementation rule becomes effective and ramping over three years. The phase…
The C3PAO ecosystem: who they are, where they are
Authorized CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments. The Cyber-AB maintains the authoritative marketplace li…
DFARS 252.204-7012: history and current applicability
DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in DoD contracts since 2015 and remains the underlying a…