NIST 800-171 Revision 3: The Impact on CMMC Compliance and How To Get Ready

2025 Update: We’re almost halfway through 2025, and if you’re part of the Defense Industrial Base (DIB), you’re probably already knee-deep in NIST SP 800-171 and CMMC requirements. As we roll through the year, it’s important to stay on top of any updates that might come your way.

In 2024, NIST SP 800-171 Revision 3 dropped, bringing some updates to the standard that protects Controlled Unclassified Information (CUI) in nonfederal systems. While this revision isn’t required for CMMC Level 2 just yet, it’s definitely something to keep on your radar. (Those changes could come into play sooner than we think.)

So, let’s break it down.

What’s New in the CMMC Program for 2025?

The CMMC program officially took effect in December 2024, when the final rule (32 CFR Part 170) became effective, marking a shift from a self-attestation model to assessments that, for most contracts involving CUI, must be performed by a third party. As the program moves into its implementation phase, CMMC Level 2, which maps directly to NIST SP 800-171 Revision 2, remains the primary focus for contractors working with the Department of Defense (DoD). This level covers 110 security requirements, and where a contract calls for Level 2 certification (rather than a Level 2 self-assessment), contractors must now be assessed by a C3PAO (CMMC Third-Party Assessment Organization).

Although CMMC Level 2 will be the primary certification required in 2025, NIST SP 800-171 Revision 3 introduces updates that may eventually be integrated into the certification process. Revision 3 introduces Organizationally Defined Parameters (ODPs), consolidates the 110 requirements of Revision 2 into 97, and aligns them with the SP 800-53 Revision 5 control catalog, making it a critical update for organizations preparing for the future.

For now, businesses should continue focusing on NIST SP 800-171 Revision 2 to ensure they meet the current CMMC and DoD requirements. However, understanding Revision 3 now will help your organization stay ahead of potential shifts in compliance demands in the coming years.

Why NIST SP 800-171 Revision 3 Matters for Your Compliance Strategy

As of now, NIST SP 800-171 Revision 2 remains the version used for CMMC Level 2 assessments, but Revision 3 is the likely basis for future assessments. Revision 3 not only tightens existing requirements but also adds requirements in areas Revision 2 did not cover, such as supply chain risk management and security planning, reflecting the growing complexity of the IT environments that organizations pursuing CMMC compliance must secure.

With these updates in mind, let’s revisit the foundational principles of NIST SP 800-171 and how it plays a central role in CMMC Level 2 compliance. Understanding the framework’s core principles will give you the tools to navigate the shifting landscape of cybersecurity standards.

If you are a company that holds a contract with the DoD and handles CUI, you are probably very familiar with NIST 800-171, since DFARS 252.204-7012 made compliance mandatory at the end of 2017.

The NIST CUI series was developed by the National Institute of Standards and Technology to help protect CUI in nonfederal systems. SP 800-171, specifically, sets out the security requirements for protecting controlled unclassified information (CUI) handled by contractors and subcontractors that work with federal agencies. NIST 800-171 derives its requirements from FIPS 200 and the NIST SP 800-53 moderate baseline, tailored to address only the confidentiality of CUI in nonfederal information systems.

What is CUI?

CUI stands for Controlled Unclassified Information: information that the government creates or possesses, or that an entity creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls, but that is not classified.

The CUI Program, administered by the National Archives and Records Administration (NARA) as Executive Agent, was established to standardize the way the government and its contractors handle information that requires protection but is not classified. It was created by Executive Order 13556, signed in November 2010, to replace the patchwork of agency-specific markings (FOUO, SBU, and the like) with one streamlined process for sharing and safeguarding controlled unclassified information.

What is the CMMC?

The CMMC program mandates security requirements for the huge range of organizations that make up the Defense Industrial Base (DIB). CMMC is essentially a verification mechanism to ensure that companies within the DIB implement proven cybersecurity practices to protect FCI and CUI. Based on NIST 800-171, CMMC requirements are divided into levels that align with the degree of protection the information a business handles requires (FCI at Level 1, CUI at Levels 2 and 3). The need for both CMMC and NIST 800-171 is explained in the next section.


Why Does the DIB Need to Comply With the CMMC and NIST 800-171?

The need for the NIST 800-171/CMMC double-pronged approach is easily explained, although it’s not so easily implemented in practice. 

NIST is a non-regulatory agency of the U.S. Department of Commerce that develops measurable standards across economic sectors; it cannot enforce the standards it publishes. CMMC is the DoD mechanism that makes compliance with the NIST CUI standards a contractual requirement for the DIB.

Getting Ready for the CMMC 2.0 Rule

The final CMMC 2.0 rule (32 CFR Part 170) was published in October 2024 and took effect in December 2024. Under it, contractors that handle CUI need a Level 2 certification from a CMMC Third-Party Assessment Organization (C3PAO), or a Level 3 assessment by DIBCAC, to win or keep DoD work that carries the requirement, with the requirement phased into new contracts starting in 2025.

The CMMC certification is an entrance exam of sorts that a contractor must pass to even bid on a contract that carries the requirement. CMMC 2.0 adopts the complete set of NIST 800-171 requirements as the basis for Level 2 certification, which is the level that the majority of companies in the Defense Industrial Base (DIB) fall into.

Before CMMC, under DFARS 252.204-7012, NIST 800-171 compliance was a matter of self-attestation. The DoD is now cracking down on that model, which was being neglected by DoD contractors, especially smaller companies, by ratcheting up verification through C3PAOs and the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) under CMMC 2.0.

This major policy shift toward third-party audits came about because both contractors and contracting officers had been "lackadaisical" about meeting the standard set by NIST SP 800-171 when they were trusted to reach it on their own attestation.

With CMMC 2.0 now in effect and working its way into contracts, it's as good a time as ever to get your house in order against the 110 NIST 800-171 Revision 2 requirements.

The NIST CUI Series Has Moved to Revision 3

To add a twist to the narrative, in the summer of 2022 NIST announced that it planned to revise NIST 800-171 over the following 18 months. Later in 2022, NIST said it would release an initial public draft of 800-171 Revision 3 in late spring 2023, which it did in May 2023, at a time when the CMMC 2.0 final rule was also expected.

NIST's Victoria Pillitteri provided a preview of what to expect in the revision at a CMMC conference in May 2022. She also called for comments from users and assessors of the CUI series to provide insight and feedback even before a third revision draft was drawn up.

She said "the intention" is for NIST to learn from the stakeholder community "on how to improve and better streamline these resources so they are more usable and more effective and ultimately they increase how we implement cybersecurity and improve the outcomes."

DIB businesses that have not yet implemented NIST 800-171 should take note, because the third revision adds requirements in areas Revision 2 did not cover (for example, supply chain risk management and security planning) even as it consolidates the overall list. The revision is unlikely to affect early adopters of CMMC 2.0 who are ready for assessment soon after the rollout, because those assessments are conducted against Revision 2.

The final Revision 3 was published in May 2024. The DoD has kept DFARS 252.204-7012 pointing at Revision 2 through a class deviation, and CMMC Level 2 assessments continue to use Revision 2; no date has yet been set for moving the CMMC program to Revision 3.

NIST CUI Series Revision & Impact on the CMMC

To date, businesses in the DIB should work on achieving compliance with NIST 800-171 Rev 2. Although Revision 3 has been published, CMMC assessments and DFARS 252.204-7012 still reference Rev 2, so a company that receives a CMMC certification today is measured against the 110 Rev 2 requirements only. As mentioned earlier, early adopters of CMMC 2.0 are unlikely to be affected by the third revision until the DoD formally adopts it; watch for a DFARS update or CMMC rule change, since that is the mechanism by which the referenced revision will move.

Centraleyes Releases the CMMC 2.0 Framework 

Centraleyes is excited to announce that our platform has been upgraded with CMMC version 2.0 as part of our extensive framework library. Centraleyes has mapped the new CMMC version onto the existing framework to reflect the changes in the levels.

Are You Mandated By the CMMC 2.0?

The Department of Defense (DoD) created the CMMC program to ensure that contractors have the safeguards in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Organizations that wish to do business with the US Department of Defense on contracts that carry the requirement must comply with CMMC. CMMC 2.0 requires third-party verification of contractor system security for Level 2 certification and Level 3, and requires prime contractors to flow the requirement down to subcontractors that handle FCI or CUI.

The Centraleyes platform eases the process of meeting CMMC compliance by using an integrated and newly updated CMMC version 2.0 questionnaire with an easy-to-follow system to help track and close compliance gaps.

The platform also allows users to start an assessment around the NIST 800-171 framework while walking you through all the requirements that need to be met for this prerequisite.

Centraleyes enables organizations to exchange data across various standards and frameworks, saving time and money and allowing for more accurate and reliable data.

Frequently Asked Questions (FAQs)

1. Is NIST SP 800-171 Revision 3 mandatory for CMMC Level 2 assessments in 2025?

No, CMMC Level 2 assessments are still based on NIST 800-171 Revision 2. However, Revision 3 introduces updates that could become relevant in future certification cycles. It’s a good idea to familiarize yourself with Revision 3, as it may be incorporated into future CMMC requirements. Staying informed will help your organization remain compliant as the standards evolve.

2. How is compliance assessed under NIST SP 800-171 Revision 3?

NIST published the companion assessment procedures, SP 800-171A Revision 3, alongside Revision 3, but the DoD's assessment methodology and SPRS scoring still track Revision 2. When Revision 3 is adopted, expect assessments to be more detailed: the ODPs mean assessors will check the specific values your organization (or the DoD) has selected for each parameter, not just whether a control is "in place," so organizations should plan to provide more documentation and evidence to support compliance with the revised requirements.

3. How do small businesses manage self-assessments under NIST SP 800-171?

Small businesses often face challenges with self-assessments, especially in identifying the components of their systems that handle CUI. It's important for small businesses to document their CUI handling processes carefully and to ensure their self-assessments accurately reflect their compliance posture, since the resulting DoD Assessment Methodology score is submitted to SPRS under DFARS 252.204-7019 and 7020. Businesses should consider leveraging automated tools or seeking external guidance to streamline the self-assessment process.

4. What is the timeline for CMMC certification and implementation?

The CMMC program is being rolled out in phases under 32 CFR Part 170, with the clock starting when the DFARS rule that puts CMMC into contracts takes effect (expected in 2025):

  • Phase 1 (from the DFARS rule's effective date, 2025): New contracts require Level 1 or Level 2 self-assessments; the DoD may require Level 2 C3PAO certification at its discretion.
  • Phase 2 (one year later, 2026): Level 2 C3PAO certification is required wherever Level 2 applies.
  • Phase 3 (two years later, 2027): Level 3 DIBCAC assessments are required where Level 3 applies.
  • Phase 4 (three years later, 2028): Full implementation, with CMMC requirements in all applicable solicitations and contracts.

5. Do MSPs need to be CMMC-certified?

The short answer: not necessarily, but it's a good idea. Managed Service Providers (MSPs) do not need their own certification, but as External Service Providers they are often included in the scope of a contractor's CMMC assessment. In many cases, MSPs provide critical services (like cloud infrastructure or security tools) that play a direct role in protecting CUI. Thus, MSPs must be able to demonstrate their security practices and be prepared for assessments when their clients go through CMMC certification.

Given that many MSPs serve a range of clients, Centraleyes was built with multi-entity capabilities specifically in mind. This means MSPs can easily manage compliance for multiple clients from one platform, streamlining assessments and ensuring alignment with CMMC and NIST 800-171 requirements.

6. How do MSPs fit into the CMMC compliance ecosystem?

While MSPs don’t need to be CMMC-certified themselves, they play a crucial role in ensuring that their clients meet compliance standards. Many CMMC assessments will treat MSPs as part of the contractor’s environment. For example, an MSP that runs cloud services or administers client networks must demonstrate how its tools and infrastructure help protect CUI in alignment with CMMC Level 2.

This means that MSPs should be ready to prove their cybersecurity measures as part of a broader CMMC certification process, even if they don’t need their own certification. For MSPs, it’s advisable to get familiar with CMMC and NIST 800-171 standards so they can support their clients effectively.

7. How does Centraleyes help MSPs with CMMC compliance?

Centraleyes is designed with MSPs in mind. Our platform’s multi-entity capabilities allow MSPs to manage and track compliance for multiple clients across different industries. This makes it easier for MSPs to:

  • Coordinate assessments: Centraleyes allows you to seamlessly manage assessments across your client base, ensuring every client stays on track for CMMC certification.
  • Streamline reporting: Track, report, and close compliance gaps for all clients from one centralized dashboard.
  • Save time and reduce complexity: Centraleyes simplifies complex compliance processes, saving MSPs significant time when preparing clients for CMMC assessments.

The post NIST 800-171 Revision 3: The Impact on CMMC Compliance and How To Get Ready appeared first on Centraleyes.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Michelle Ofir Geveye. Read the original post at: https://www.centraleyes.com/nist-800-171-revision-3/