
With 55% of government contractors expecting their next job to include a CMMC requirement, understanding what the so-called “CMMC 3.0” is (and is not) is imperative.
According to a recent US Department of Defense (DoD) memo, an update to the standard underlying CMMC may be on the horizon.
Here are the facts, and what they could mean for certification hopefuls.
What is CMMC 3.0?
First, let’s get a few things straight. CMMC 2.0 itself is not changing. The NIST publication it is built on might.
The Cybersecurity Maturity Model Certification (CMMC) Program is the safeguard implemented by the DoD to strengthen the Defense Industrial Base (DIB) and protect sensitive DoD information. The framework was updated just last year to CMMC 2.0, with the Final Rule published on October 15, 2024.
Now, a memo from the DoD hints at changes to that underlying document, a NIST publication. CMMC is essentially two parts: the CMMC framework itself (the levels, assessment process, and certification rules), and the NIST document that supplies the security requirements it assesses against.
Currently, CMMC 2.0 uses NIST SP 800-171 Rev 2. The April 15, 2025 DoD memo hints at a move to NIST SP 800-171 Rev 3, which is what people mean by “CMMC 3.0.” Specifically, the DoD used the memo to define values for organization-defined parameters (ODPs) that exist only in Rev 3, a version not currently in use under CMMC 2.0. But it could be, and that is the point.
While the CMMC framework itself will not be rewritten (nothing suggests this, especially given the recent release of its Final Rule), the underlying NIST publication might be swapped.
And that could mean some changes.
What is New About “CMMC 3.0” vs CMMC 2.0?
The primary difference between “CMMC 3.0” and CMMC 2.0 is that 2.0 relies on NIST SP 800-171 Rev 2 while 3.0 would rely on NIST SP 800-171 Rev 3.
But you know that. Let’s dig deeper.
In practice, a switch from Rev 2 to Rev 3 means defense contractors must “fill in the blanks” on certain requirements.
In Rev 3, NIST gave organizations more flexibility over how they implement certain security requirements by introducing organization-defined parameters. Each ODP is a clearly marked slot in the requirement text that the organization fills with a value appropriate to its own environment and risk.
For example, wording in Rev 2, Requirement 3.1.8 reads: “Limit unsuccessful log-on attempts.” The new requirement under Rev 3 would read, in ODP form: “Enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods and take [organizationally defined] actions after the maximum attempts.”
Now, the organization can decide the specifics. In theory.
In practice, the DoD memo specifies values for those parameters, so defense contractors can choose to adopt the DoD’s values instead of defining their own.
Here’s where it gets dicey. The purpose of the DoD’s memo was to specify a value for each ODP (there are 88 in Rev 3), though those DoD-provided values are technically optional. For safety and simplicity’s sake, contractors can simply adopt the DoD’s values if they so choose, and an assessor will have a hard time arguing with them.
To illustrate, in the above example, the ODPs are left with blanks. The DoD memo fills in those blanks itself, specifying in this particular instance:
“Enforce a limit of at most 5 consecutive unsuccessful log-on attempts during a period of five (5) minutes and take one or more of the following actions after the maximum attempts:
lock the account or node for at least 15 minutes
lock the account or node until released by an administrator and notify a system administrator.”
Much clearer and more prescriptive. And organizations always retain the option to define their own values if the DoD’s parameters don’t suit, provided they can justify them. For reference, the 3.1.8 example above falls under Access Control; the DoD-defined ODP values also cover specifics in control families including:
Audit and Accountability
Identification and Authentication
Personnel Security
Physical Protection
System and Communications Protection
Planning
System and Services Acquisition
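To make the 3.1.8 example concrete, here is an added example (not code from the original article, the DoD memo, or NIST) of an account-lockout check parameterised by the Rev 3 ODPs. The defaults are the DoD-memo values quoted above (5 consecutive failures within 5 minutes; lock for 15 minutes, or until an administrator releases the account); the `LockoutPolicy` and `LockoutEnforcer` names and the sample event streams are assumptions constructed for illustration. It shows the two things a practitioner actually has to get right when turning the ODP text into behaviour: the failure count is a sliding window, not a lifetime total, and a correct password during a lock is still refused.

```python
"""Account-lockout enforcement parameterised by NIST SP 800-171 Rev 3
requirement 3.1.8 organization-defined parameters (ODPs).
Added illustration; names and sample events are assumptions, not DoD/NIST code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """ODP values for 3.1.8. Defaults follow the DoD-memo values quoted in the
    article; an organization may substitute its own (justified) values."""
    max_attempts: int = 5          # consecutive unsuccessful log-on attempts allowed
    window_seconds: int = 5 * 60   # period within which those attempts are counted
    lock_seconds: int = 15 * 60    # time-based lock duration ("at least 15 minutes")
    admin_release: bool = False    # True: lock until an administrator releases it


@dataclass
class _AccountState:
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[int] = None                  # epoch seconds, or None
    admin_locked: bool = False


class LockoutEnforcer:
    """Applies a LockoutPolicy to a stream of (timestamp, user, success) events."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.admin_locked:
            return True
        if st.locked_until is not None:
            if now < st.locked_until:
                return True
            # Time-based lock has expired: clear it and the failure history.
            st.locked_until = None
            st.failures.clear()
        return False

    def attempt(self, user: str, now: int, success: bool) -> str:
        """Return 'locked', 'allow' or 'deny' for one log-on attempt."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"           # attempts during a lock are refused, not counted
        if success:
            st.failures.clear()       # a success breaks the run of consecutive failures
            return "allow"
        st.failures.append(now)
        # Sliding window: only failures within the last window_seconds count.
        cutoff = now - self.policy.window_seconds
        st.failures = [t for t in st.failures if t > cutoff]
        if len(st.failures) >= self.policy.max_attempts:
            if self.policy.admin_release:
                st.admin_locked = True
            else:
                st.locked_until = now + self.policy.lock_seconds
            st.failures.clear()
            return "locked"
        return "deny"

    def release(self, user: str) -> None:
        """Administrator action: clear any lock and the failure history."""
        st = self._state(user)
        st.admin_locked = False
        st.locked_until = None
        st.failures.clear()


def run_scenario(policy: LockoutPolicy, events):
    """Feed constructed (timestamp, user, success) events; return the decisions."""
    enforcer = LockoutEnforcer(policy)
    return [enforcer.attempt(u, t, ok) for (t, u, ok) in events]


# Constructed sample events (not real logs). Times are seconds from an epoch.
BURST = [(0, "alice", False), (30, "alice", False), (60, "alice", False),
         (90, "alice", False), (120, "alice", False),   # 5th failure -> lock
         (130, "alice", True),                           # right password, still locked
         (120 + 15 * 60, "alice", True)]                 # lock expired -> allowed

SPREAD = [(0, "bob", False), (10, "bob", False), (20, "bob", False),
          (400, "bob", False), (410, "bob", False), (420, "bob", False)]  # never 5 in 5 min

if __name__ == "__main__":
    print(run_scenario(LockoutPolicy(), BURST))
    print(run_scenario(LockoutPolicy(), SPREAD))
```

This implementation locks the account the moment the count reaches the limit (the fifth failure), which is the strict reading of “at most 5”; if your system instead permits five failures and locks on the sixth, your documented ODP value should say so, because that is exactly the kind of detail an assessor will compare against the memo.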
Why the Memo if Rev 3 Is Not Yet Required in CMMC 2.0?
This raises a good question. The fact that the DoD released the memo before Rev 3 is required under CMMC 2.0 (the current and only CMMC standard) is more a matter of logistics than uncertainty.
Defense contractors serve two masters, DFARS and CMMC. The DFARS clause (252.204-7012) ties contractors to the version of NIST SP 800-171 in effect when a solicitation is issued, which is how Rev 3 comes into play on the DFARS side. CMMC makes no such claim: CMMC 2.0 was built on Rev 2, and that’s how it’s going to stay. At least until it catches up.
Which will most likely be soon. As stated on CMMC.com, “By releasing ODP values for Rev. 3 now, the DoD is signaling that this alignment will eventually happen.”
What Should Defense Contractors Do?
The best advice is to lean into NIST SP 800-171 Rev 3 now, or risk having to redo work later. At worst, you’ll be overprepared, which is never a bad thing in government compliance. At best, you’ll be not only on track but ahead of the rest. Whether you use your own ODP values or those defined by the DoD, the compliance effort is the same; what matters is that every value is documented and that your implementation actually matches it.
Early adoption also puts you first at the contract table, with a compliance-strong competitive position.
The bottom line is clear: if NIST SP 800-171 Rev 3 is even earmarked for use in CMMC 2.0, government contractors need to pivot quickly if they want certification.
Cybersecurity for Your Industry
Your industry is unique. Your cybersecurity stack should be, too. Fortra® offers cybersecurity solutions to meet the challenges and compliance requirements of industries around the world.