Did You Catch It? SP 800‑171A Rev. 3 Quietly Dropped in 2024
It snuck past me too—but yes, NIST officially released SP 800‑171A Revision 3 last year.
Why does this matter?
Because on April 15, 2025, the DoD declared the end of ODPs (Organization‑Defined Parameters) via memo, replacing them with hard-coded control values—based explicitly on SP 800‑171 Rev. 3.
Meanwhile, up north, Canada launched the CPCSC (March 2025), a cybersecurity program aligned with SP 800‑171 Rev. 3. So, it’s not just the DoD that’s taking this seriously.
Still waiting for 48 CFR to make DFARS 252.204‑7021 mandatory? The acquisition rule is expected mid‑2025—and that’s the real contract trigger.
So… is CMMC 3.0 on the horizon?
It’s not official (yet), but the stars are aligning for SP800-171r3.
Get ready, friends. The future of compliance is coming faster than we think.
https://doi.org/10.6028/NIST.SP.800-171r3
https://doi.org/10.6028/NIST.SP.800-171Ar3
https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf