A timeline of information released about NIST SP 800-171 revision 3.

DoD Official ODPs

DoD Publishes Official ODP Guidance Ahead of NIST SP 800-171 Rev. 3 Implementation

On April 15, 2025, the Department of Defense (DoD) released formal guidance for Organizationally Defined Parameters (ODPs) as introduced in NIST SP 800-171 Revision 3. While the new revision signals a major shift in federal cybersecurity expectations, the DoD also reaffirmed that Revision 2 remains the official compliance baseline for now—thanks to a standing class deviation.

In other words, contractors are expected to stay compliant with Rev. 2, but the foundation for what's next is now being revealed.

What Are ODPs and Why Do They Matter?

ODPs represent one of the most important structural changes in Rev. 3. Rather than hardcoding values (e.g., how frequently to review logs or respond to threats), the controls now include placeholders that each organization must define based on its size, risk profile, and mission needs.

This flexibility gives federal agencies room to tailor expectations—but it also introduces the risk of inconsistency. To address that, the DoD has published recommended values for nearly all of Rev. 3’s ODPs. These default suggestions are intended to guide contractors toward defensible and consistent implementations, especially as the Cybersecurity Maturity Model Certification (CMMC) continues to evolve.

Why You're Still on Rev. 2 (For Now)

Even though Rev. 3 is finalized, the DoD issued a class deviation in 2024 locking DFARS 252.204-7012 compliance to Revision 2. This gives contractors and assessors time to understand the new structure before it becomes enforceable and ensures that current CMMC 2.0 assessments remain aligned with the 110 established controls.

What’s in the April 15 Guidance?

The DoD’s newly released memo includes recommended values and ranges for dozens of ODPs. These were developed in consultation with federal cybersecurity experts, defense agencies, and industry partners. Most parameters now have clearly defined expectations—like "review audit logs every 72 hours"—while a few remain open for organizational interpretation.

The goal: help contractors start planning early and reduce the burden of figuring things out alone once Rev. 3 becomes mandatory.

What You Should Do Now

  • Start learning about ODPs: Understand how they work and where they appear in Rev. 3.
  • Use the DoD's recommended values: Treat the April 15 guidance as a head start on future-proofing your program.
  • Keep your SPRS score accurate: Your Supplier Performance Risk System (SPRS) posture is a signal of readiness—and critical for future contract awards.
  • Track CMMC updates: As CMMC integrates Rev. 3, being ahead on ODP alignment will provide a competitive edge.

Be Prepared

Rev. 3 is coming. ODPs are real.


📄 View the official DoD memo on ODPs and CMMC updates

Finalization of Revision 3

NIST 800-171 Revision 3 Finalized

The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This publication can be used in conjunction with its companion publication, NIST Special Publication 800-171A, which provides a comprehensive set of procedures to assess the security requirements.

After months of public comment and iterative drafts, Revision 3 has now been finalized. This marks a major milestone in federal cybersecurity guidance, setting the definitive structure for compliance moving forward. Organizations working with CUI should now begin aligning their systems and procedures with the final requirements outlined in this release.