CMMC's Rev 3 Deadline Rule Is Due This Month

The Unified Agenda shows DoD adopting an interim final rule in July that sets the transition from NIST SP 800-171 Rev 2 to Rev 3. Interim final rules take effect on publication.

The 2026 Unified Agenda of Federal Regulatory and Deregulatory Actions, updated in early July, shows DoD adopting an interim final rule this month for the CMMC program — one that defines the deadline and transition period for moving from NIST SP 800-171 Revision 2 to Revision 3.

The vehicle matters as much as the content. An interim final rule takes effect on publication, without waiting for a comment period to close. And it arrives against a settled industry expectation that Rev 3 was still years away.

What actually changes

CMMC Level 2 is built on the 110 NIST SP 800-171 Rev 2 controls. Rev 3, published in May 2024, has 97. The reduction is misleading: withdrawn requirements were largely absorbed into surviving ones rather than eliminated.

Rev 3 adds three security requirement families with no Rev 2 equivalent — Planning, System and Services Acquisition, and Supply Chain Risk Management. It introduces 88 organization-defined parameters: values like session timeout or password length that an organization must set. DoD has already published its own ODP values for CMMC, so that flexibility does not extend to defense contractors.

The assessment burden grows. Determination statements — the evidence checkpoints behind each requirement — rise from 320 in Rev 2 to somewhere between 392 and 422 in Rev 3, depending on the source. Either figure means substantially more to produce, whether your contract assigns a self-assessment or a C3PAO certification.

What is confirmed, and what is not

The reginfo.gov entry (RIN 0790-AM01) confirms the amendment defines a deadline and transition period, and cites added specificity and the introduction of ODPs as the significant changes. It does not publish the deadline itself. The rule has not appeared in the Federal Register. Treat July as the window, not a certainty.

Two adjacent items sit on the same agenda. DoD expects a Notice of Proposed Rulemaking in August updating DFARS 252.204-7012. And on the civilian side, the FAR CUI rule already keyed to Rev 3 is projected final in September, alongside CIRCIA. Rev 3 is converging across defense and civilian contracting at the same time.

The move

Do not wait for the deadline to start the crosswalk. Map your Rev 2 controls to their Rev 3 equivalents, identify where the three new families leave you with nothing in place, and check DoD's published ODP values against your current configurations. Your SPRS score is computed against Rev 2 today; when the transition date lands, the recompute is yours to do. Confirm the deadline against the Federal Register once the interim final rule publishes.

FAQ

Is NIST SP 800-171 Rev 3 required for CMMC yet?
No. CMMC assessments remain tied to Rev 2. The Unified Agenda shows DoD adopting an interim final rule that will set the transition deadline, but that rule has not published.

How many controls are in Rev 3 versus Rev 2?
Rev 2 has 110 security requirements. Rev 3 has 97, but the drop is misleading — most withdrawn requirements were absorbed into surviving ones, and the number of assessment determination statements increases.

What are organization-defined parameters?
ODPs are values an organization sets for a control, such as session timeout duration. Rev 3 introduces 88 of them. DoD has published its own ODP values for CMMC, so defense contractors do not set them independently.

What is an interim final rule?
A rule that takes effect on publication, without waiting for a public comment period to close. Comments may still be accepted afterward.

Rev 3 has been "years away" for two years. It is now on the regulatory calendar for this month. Federal Cyber Brief tracks the federal IT and cybersecurity rules that gate small-business work — what changed, what it costs you, and what to do about it — every Tuesday.

Sources

Office of Information and Regulatory Affairs, Unified Agenda — RIN 0790-AM01https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202510&RIN=0790-AM01

Federal News Network, CIRCIA, other big cyber rules expected to get finalized this fall, July 7, 2026 — https://federalnewsnetwork.com/cybersecurity/2026/07/circia-other-big-cyber-rules-expected-to-get-finalized-this-fall/

NIST, SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizationshttps://csrc.nist.gov/pubs/sp/800/171/r3/final

DoD CIO, Department of Defense Organization-Defined Parameters for NIST SP 800-171 Revision 3https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf

Summit 7, What is NIST 800-171? Six Things to Know about Revision 3https://summit7.us/blog/nist-800-171-revision-3

Keep Reading