NIST 800-171 Rev 3 vs Rev 2, what changed?

NIST 800-171 Rev 3 (released May 2024) is the current revision. Significant changes from Rev 2: control numbering reorganised, some controls consolidated, requirements language clarified to reduce assessor interpretation variance, and explicit alignment with NIST 800-53 r5 parent controls. Rev 2 remains the basis for current DFARS contracts until DoD updates clauses to reference Rev 3, but new contracts and recertifications are increasingly Rev 3-only. The checklist covers all 110 controls under the Rev 3 numbering with Rev 2 cross-references where the mapping changed.

CMMC 2.0 timing, when do I need certification?

Phase 1 of the CMMC 2.0 rollout has been in effect since November 2025; contracts include CMMC affirmation requirements at the contractor level. Phase 2 is enforceable November 10, 2026, at that point new DoD contracts handling CUI require third-party C3PAO Level 2 certification (not self-attestation). The realistic timeline from gap analysis to a clean C3PAO assessment is 9–12 months, with documentation depth typically the long pole, not technical control implementation. Contractors that haven't started by mid-2026 will statistically miss Phase 2.

Is DFARS 252.204-7012 covered?

Yes, the checklist explicitly maps every control to the four DFARS clauses that drive 800-171 compliance: 252.204-7012 (Safeguarding Covered Defense Information + 72-hour cyber incident reporting via DIBNet), 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements / SPRS submission), 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements at Basic / Medium / High level), and 252.204-7021 (CMMC 2.0 cascade requirements). The DFARS 7012(m) subcontractor flow-down language is included as a separate appendix you can attach to your downstream supplier contracts.

SPRS reporting included?

Yes. The checklist ships with the official SPRS scoring methodology, start at 110 points, subtract weighted values per not-yet-implemented control (most are worth 1, 3, or 5 points; some are worth more), and a worksheet that produces a defensible score plus the POA&M items required for the un-implemented controls. SPRS scores range from -203 to +110; DoD source-selection officials read the score directly on award decisions, so submitting the right number with the right backing evidence matters more than chasing 110/110.

NIST 800-172 enhanced controls (CMMC L3)?

CMMC 2.0 Level 3 (Expert) layers 24 enhanced controls from NIST 800-172 on top of the full 110 NIST 800-171 controls. Level 3 is intended for contractors handling CUI associated with the most critical defence programmes (the Defense Industrial Base subset most likely to be targeted by advanced persistent threats). The checklist focuses on Level 2 / 800-171, the 110-control floor every contractor handling CUI must meet, and includes a one-page summary of the 24 enhanced 800-172 controls so Level 3 contenders can see the gap before committing to the higher level.

Free Download · NIST 800-171 Rev 3 + CMMC 2.0

The complete NIST 800-171 + CMMC 2.0 checklist.

All 14 control families, all 110 controls, mapped to NIST 800-171 Rev 3 (May 2024) and CMMC 2.0 Level 2. Includes the DFARS 252.204-7012 flow-down tracker, the SPRS scoring methodology, and the CUI scope determination worksheet your prime keeps asking about. Download immediately, no credit card.

Get the checklist See the platform

14 control families
110 controls (Rev 3)
320 assessment objectives
DFARS 7012 / 7019 / 7020 / 7021

Self-Assessment

All 110 controls

CUI Scope

In-scope · Connected-to · Out

SPRS Submission

DFARS 252.204-7019

SPRS Score

88/110

Self-assessment, Rev 3

DFARS 7019 ready

14 families · 110 controls · 320 AOsPDF · 36 pages

Trusted by DoD contractors and CUI handlers across the Defence Industrial Base, aerospace primes, federal contractors, and Tier 2 suppliers running NIST 800-171 + CMMC 2.0 readiness on the same control library.

What's Inside · 14 Families · 110 Controls

Every control family the C3PAO will grade you against.

NIST 800-171 Rev 3 was published May 2024 with tightened scoping language, clearer assessor-facing requirements, and explicit alignment to NIST 800-53 r5 parent controls. CMMC 2.0 Level 2 reuses all 110 controls with a third-party C3PAO assessment layered on top. The checklist groups every control + sub-objective by family so you can self-assess in the order an assessor walks them.

3.1

Access Control

Least privilege, MFA for privileged + remote access (3.5.3)
Mobile device + remote-access encryption
Wireless access authorisation

3.2

Awareness + Training

Security awareness for all CUI handlers
Role-based training for privileged users
Insider-threat awareness

3.3

Audit + Accountability

Audit logging on CUI systems
Time stamps + audit log protection
Audit reduction + report generation

3.4

Configuration Management

Baseline configurations + change control
Least functionality + restricted software
User-installed software policy

3.5

Identification + Authentication

Unique user identifiers + MFA (3.5.3)
FIPS-validated cryptography for authenticators
Replay-resistant auth + lockout

3.6

Incident Response

IR capability across detect / contain / recover
DFARS 252.204-7012(c) 72-hour reporting via DIBNet
IR plan testing + tracking

3.7

Maintenance

Controlled maintenance on CUI systems
Maintenance personnel authorisation
Off-site maintenance media handling

3.8

Media Protection

Marking + storage + transport of CUI media
Sanitisation before disposal
Encryption on portable media

3.9

Personnel Security

Personnel screening before CUI access
Termination + transfer access revocation

3.10

Physical Protection

Physical access controls + visitor logs
Alternate work-site protections (remote staff)
Monitoring physical access to CUI systems

3.11

Risk Assessment

Periodic risk assessments
Vulnerability scanning + remediation
Risk ranking + treatment decisions

3.12

Security Assessment

System Security Plan (SSP) per 800-171A
Plan of Action + Milestones (POA&M)
Continuous monitoring + reassessment

3.13

System + Communications Protection

Network boundary protection
FIPS-validated cryptography in transit + at rest
Subnet separation + DNS protections

3.14

System + Information Integrity

Flaw remediation timelines
Malicious-code protection
Security alert handling + system monitoring

Rev 3 (May 2024) tightens scoping, clarifies assessor language, and aligns explicitly to NIST 800-53 r5 parent controls. CMMC 2.0 Level 2 reuses all 110 controls; Level 3 adds 24 enhanced controls from NIST 800-172.

Why use it

DoD primes are asking for SPRS scores. Phase 2 starts soon.

NIST 800-171 Rev 3 changed the bar (May 2024)

Rev 3 introduced tightened scoping language, four reorganised control families, and explicit mapping to NIST 800-53 r5 parents. If you handle Controlled Unclassified Information (CUI) under any DFARS-flowed contract, aerospace prime, federal civilian agency, or sub-tier supplier, you are required to implement all 110 Rev 3 controls and produce a defensible System Security Plan.

Source · NIST SP 800-171 Rev 3 (csrc.nist.gov)

CMMC 2.0 layers a C3PAO assessment on top

CMMC 2.0 Level 1 (Foundational) covers 15 practices from FAR 52.204-21. Level 2 (Advanced) reuses all 110 NIST 800-171 controls plus the 320 assessment objectives a C3PAO grades against. Level 3 (Expert) adds 24 enhanced controls from NIST 800-172. DFARS clauses 252.204-7012, -7019, -7020, and -7021 are the legal hooks that make these requirements binding on the contract.

Source · DoD CIO · CMMC programme (dodcio.defense.gov)

SPRS reporting + Phase 2 timing is now

Today, contractors self-attest a Supplier Performance Risk System (SPRS) score per DFARS 252.204-7019. Source-selection officials read the score on award decisions. Phase 2 of the CMMC rollout is enforceable November 10, 2026, at that point Level 2 contracts handling CUI require third-party C3PAO certification, not self-attestation. The realistic timeline from gap analysis to a clean assessment is 9–12 months, so the team that starts in 2026 is the team that lands the 2027 contract.

Source · DFARS 252.204-7012 (eCFR)

Who it's for

Built for the three teams running point on CUI handling.

Primary

DoD Compliance Lead / CMMC Lead

You own the SSP, the POA&M, the SPRS submission, and the C3PAO scheduling decision. You need a checklist that maps to the 320 assessment objectives, not just the 110 practices.

Secondary 1

CISO at a federal contractor

Your contracts touch CUI through DFARS flow-down. The SPRS score is now a board-level metric and an audit-committee question. You need a defensible self-assessment with evidence, not a spreadsheet.

Secondary 2

Subcontractor preparing for prime flow-down

Your prime is asking for proof of NIST 800-171 implementation before contract execution. You need the same checklist your prime is grading you against, plus the DFARS 7012(m) flow-down language for any of your own subs.

Trusted by 1,500+ risk and compliance teams

Related platform pages

If you've outgrown a static PDF and need continuous scoring, SSP/POA&M automation, or DFARS flow-down across subcontractors, these are the three platform pages most lead-magnet downloaders open next.

NIST 800-171 + DFARS Compliance Software

All 110 controls · CUI scope wizard · SSP + POA&M · SPRS submission

Open page

CMMC 2.0 Compliance Software

Phase 2 countdown · 320 AO tracker · C3PAO-ready evidence vault

Open page

Risk Management Software for Government

FedRAMP · NIST 800-53 · ATO support · cross-framework scoring

Open page

FAQ

Frequently asked questions

Past the checklist?

CMMC + NIST 800-53 + ATO on one platform?

If you're running NIST 800-171, CMMC 2.0, and a NIST 800-53 ATO at the same time, you don't need three control libraries, you need one. Book a 30-minute walkthrough and we'll show you the cross-framework scoring, the SPRS auto-calculation, and the C3PAO-ready evidence vault on a real DIB tenant.

Request a demo Start a 30-day free trial

Or call US: +1 941-500-4525

The complete NIST 800-171 + CMMC 2.0 checklist.

Every control family the C3PAO will grade you against.

Access Control

Awareness + Training

Audit + Accountability

Configuration Management

Identification + Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical Protection

Risk Assessment

Security Assessment

System + Communications Protection

System + Information Integrity

DoD primes are asking for SPRS scores. Phase 2 starts soon.

NIST 800-171 Rev 3 changed the bar (May 2024)

CMMC 2.0 layers a C3PAO assessment on top

SPRS reporting + Phase 2 timing is now

Built for the three teams running point on CUI handling.

DoD Compliance Lead / CMMC Lead

CISO at a federal contractor

Subcontractor preparing for prime flow-down

When the checklist is no longer enough.

NIST 800-171 + DFARS Compliance Software

CMMC 2.0 Compliance Software

Risk Management Software for Government

Frequently asked questions

NIST 800-171 Rev 3 vs Rev 2, what changed?

CMMC 2.0 timing, when do I need certification?

Is DFARS 252.204-7012 covered?

SPRS reporting included?

NIST 800-172 enhanced controls (CMMC L3)?

CMMC + NIST 800-53 + ATO on one platform?