
Why NIST 800-171 Rev. 3 Is Not Yet the Standard for CMMC

NIST 800-171 Rev. 3 Is Final, but Rev. 2 Still Governs CMMC Compliance

What the DoD Class Deviation Means for Contractors After CMMC Phase 1

Since CMMC Phase 1 officially went into effect on November 10, 2025, defense contractors across the Defense Industrial Base have been actively validating their compliance posture against NIST SP 800-171.

As part of that effort, many organizations have revisited or completed the Peerless DoD SPRS Scoring and Self-Assessment Tool. One question continues to surface during these conversations.

If NIST 800-171 Revision 3 is final, why is the assessment tool still aligned to Revision 2?

It is a fair question. Understanding the answer is essential to preparing for CMMC correctly and avoiding missteps that can delay certification or introduce unnecessary risk.

Why NIST 800-171 Rev. 2 Still Governs CMMC Today

Although NIST SP 800-171 Revision 3 has been finalized by NIST, the Department of Defense has not authorized Revision 3 for compliance scoring, SPRS reporting, or CMMC assessments.

Under the current DoD Class Deviation (2023-O0006), contractors are required to continue using NIST SP 800-171 Revision 2 for all assessments conducted under DFARS 252.204-7012, 7019, 7020, and 7021.

This deviation remains in effect today and does not include a defined expiration date.

As a result, SPRS scores must still be calculated using Revision 2. CMMC Level 2 self-assessments are based on Revision 2. C3PAO certification audits will continue to evaluate contractors against Revision 2 until the Department of Defense formally updates its guidance.

Revision 3 may be final from NIST’s perspective, but Revision 2 remains the only enforceable standard for CMMC compliance today.

When NIST 800-171 Rev. 3 Was Finalized and What Happens Next

NIST officially published NIST SP 800-171 Revision 3 on May 14, 2024. This marked the completion of the framework from NIST’s perspective and followed several public draft releases and comment periods that occurred throughout late 2023 and early 2024.

Final publication by NIST does not automatically make a standard enforceable for Department of Defense contracting or CMMC compliance.

Before Revision 3 can become the required baseline for DoD contractors, several steps must occur.

First, the Department of Defense must formally adopt Revision 3 through updated policy and acquisition guidance, including revisions to DFARS clauses that currently reference Revision 2.

Second, the Department of Defense must update the Supplier Performance Risk System to support scoring against Revision 3 requirements. Until SPRS is updated, contractors cannot submit valid scores based on Revision 3.

Third, CMMC assessment criteria, assessor training, and C3PAO evaluation procedures must be revised to align with Revision 3.

Only after these steps are completed would Revision 3 become enforceable for CMMC. Based on historical adoption timelines for similar changes, this transition is expected to take years rather than months and will require coordination between NIST, the Department of Defense, and industry stakeholders.

Until formal guidance changes, NIST 800-171 Revision 2 remains the required standard for CMMC, SPRS scoring, and DoD contracting.

Why There Is Ongoing Confusion Around Revision 3

The confusion is understandable.

In addition to finalizing NIST SP 800-171 Revision 3, NIST has released companion publications including NIST SP 800-172 Revision 3 and NIST SP 800-172A Revision 3 in draft form.

These publications expand on the baseline requirements of 800-171 by introducing enhanced safeguards for organizations that support critical programs, high-value assets, or heightened national security missions.

The distinction is important.

NIST SP 800-171 Revision 2 defines the foundational security requirements for protecting Controlled Unclassified Information in nonfederal systems and is the basis for CMMC Level 2 today.

NIST SP 800-171 Revision 3 refines control language, structure, and outcomes. It provides insight into future expectations but is not currently enforceable.

NIST SP 800-172 introduces enhanced controls intended for a narrower subset of higher-risk organizations.

Together, these frameworks reflect the direction of federal cybersecurity requirements, but they do not replace current compliance obligations.

What This Means for DoD Contractors in 2026

As of today, DoD contractors must continue to assess, score, and report against NIST 800-171 Revision 2.

SPRS does not accept Revision 3-based scoring. CMMC assessors are not authorized to evaluate contractors against Revision 3 controls. Attempting to self-assess or prepare documentation using Revision 3 in place of Revision 2 can result in invalid SPRS submissions, misaligned SSPs and POA&Ms, and failed or delayed certification efforts.

This does not mean Revision 3 should be ignored.

Revision 3 provides valuable insight into where cybersecurity expectations are heading, with increased emphasis on outcomes, governance, and alignment with broader risk management frameworks.

Organizations that succeed under CMMC will treat Revision 2 as the compliance floor, not the ceiling. They will meet today’s requirements while preparing their programs to adapt as future standards are adopted.

Why the Peerless DoD Self-Assessment Tool Aligns to Revision 2

One of the most important clarifications to make is that the Peerless DoD SPRS Scoring and Self-Assessment Tool is aligned to NIST 800-171 Revision 2 by design.

This alignment ensures that contractors are evaluating themselves against the same criteria used by the Department of Defense for SPRS scoring and CMMC Level 2 assessments. It allows organizations to produce valid scores, identify actionable gaps, and prioritize remediation efforts that actually matter for compliance today.

When the Department of Defense formally adopts Revision 3 through updated DFARS language, SPRS criteria, and CMMC guidance, the Peerless assessment platform will be updated accordingly. Our tools and methodologies evolve with enforceable requirements, not speculation or premature adoption.

Avoiding False Starts on the Path to Certification

One of the most common and costly mistakes we see across the Defense Industrial Base is a false start toward certification. This typically occurs when an organization engages a C3PAO before its documentation, controls, and remediation efforts are truly ready.

The result is often failed audits, extended timelines, additional cost, and unnecessary disruption.

Peerless exists to prevent those outcomes.

We serve as a CMMC readiness assessor and compliant Managed Services Partner (MSP) for DoD and Federal contractors. Our role is to help organizations prepare the right way before pursuing formal certification. That includes validating assessment results, updating and maintaining SSPs and POA&Ms as living documents, supporting remediation toward a target SPRS score of 110, and ensuring operational controls are implemented and sustained.

We do not just assess compliance. We help contractors operate at the standard they are being assessed against.

How Peerless Supports the Defense Industrial Base

Peerless supports DoD and Federal contractors throughout the full lifecycle of compliance.

Our services include NIST 800-171 gap assessments, SSP and POA&M development, cybersecurity policy creation and maintenance, remediation support, compliant managed services, and CMMC readiness and certification preparation.

As your compliant MSP partner and CMMC readiness consultant, we support the day-to-day security operations that underpin long-term compliance. We monitor updates from NIST, DFARS, and the Department of Defense, translate regulatory changes into practical guidance, and adapt our services as requirements evolve.

Our mission extends beyond individual engagements. By helping contractors avoid false starts, strengthen cybersecurity, and maintain eligibility, Peerless contributes to a more resilient and secure Defense Industrial Base.

If you are unsure where you stand today, or if you want a partner that will guide you through readiness, remediation, and sustained compliance, Peerless is built to support that journey.

Start with the Peerless DoD Self-Assessment Tool or connect with our team to discuss your NIST 800-171 and CMMC readiness strategy.
