Fewer Controls, More Scrutiny: What the NIST 800-171 Rev 3 Transition Actually Means for Your CMMC Program

NIST 800-171 Rev 3 cut the control count from 110 to 97. Sounds simpler. But assessment objectives jumped from 320 to 510, and nearly half require net-new effort. Here is what that means for organizations planning the transition.

Stehrling Compliance Team
April 3, 2026

The Numbers Tell the Real Story

If you have been tracking the CMMC landscape, you have probably heard that NIST 800-171 Rev 3 reduces the number of controls from 110 to 97. On the surface, that sounds like good news: fewer requirements, simpler compliance. But that narrative misses the bigger story.

The real change is not in the number of controls. It is in how deeply each control is assessed.

Assessment Objectives (AOs) are the individual checkpoints that assessors evaluate during a CMMC assessment. Each control has multiple AOs, and every AO requires evidence, documentation, and demonstrated implementation. Under Rev 2, there were 320 Assessment Objectives across 110 controls. Under Rev 3, there are 510 Assessment Objectives across 97 controls.

That is a 59% increase in assessment objectives with 13 fewer controls. The depth of scrutiny went up significantly while the control count went down modestly.

What This Means if You Already Have an R2 Program

Organizations that have already achieved compliance under Rev 2 are not starting from zero. Our analysis of the R3 assessment objectives shows a clear breakdown:

About one-third of R3 AOs map directly to what you already have in place. If your R2 program was well-built, this portion carries forward with minimal effort.

Roughly one-fifth map indirectly, meaning your existing controls cover some of the requirement but gaps remain. These need targeted analysis and augmentation.

Nearly half are net new or have no clear link to R2. These require new controls, new documentation, and new evidence. This is where the real work lives.

The bottom line: your R2 program is a foundation, not a finish line. The transition to R3 is not a simple re-labeling exercise. It requires a structured gap analysis and a deliberate implementation plan.

The Misconception to Watch For

We are already hearing a common refrain in client conversations: "R3 has fewer controls, so it should be easier." This is the most dangerous assumption in the transition. Organizations that treat the reduction in control count as a signal to relax will be caught off guard when their C3PAO walks through 510 assessment objectives, each requiring demonstrated evidence of implementation.

The organizations that will navigate this well are the ones that start mapping now, before the transition deadline forces a compressed timeline.

The ODP Signal from DoD

There is another dimension to the R3 transition that organizations should be tracking. In April 2025, the Department of Defense released formal guidance on Organization-Defined Parameters (ODPs) for NIST SP 800-171 Rev 3. ODPs are essentially fill-in-the-blank fields embedded in Rev 3 controls that allow tailoring to specific environments. The DoD memo defined values for all 88 ODPs across 50 requirements, removing any ambiguity about what the government expects.

This matters because the DoD published these values before Rev 3 is even formally required. Rev 2 remains the current standard under the class deviation issued in May 2024, and there is no official transition date yet. But by publishing concrete ODP values, the DoD is clearly signaling that the transition is being actively prepared.

Organizations that start reviewing the ODP values now and aligning their current Rev 2 configurations where possible will have a meaningful head start when the formal mandate arrives.

Three Steps to Get Ahead of the Transition

1. Conduct an R3 Readiness Assessment. Map your current R2 posture against the R3 AOs to understand exactly where you stand and where the gaps are. This does not replace your Rev 2 compliance work. It runs alongside it.
2. Build a prioritized transition roadmap. Not all gaps carry the same weight. A structured plan ensures you address the highest-impact areas first and avoid scrambling under deadline pressure.
3. Treat compliance as continuous, not episodic. With 510 AOs to maintain, a one-time push will not be sustainable. The organizations that build ongoing compliance management into their operations will be in the strongest position for both initial certification and annual assessments.

The Current State of Play

As of today, Rev 2 remains the required standard for CMMC assessments, SPRS scoring, and DoD contracting. The class deviation has no end date. The DoD will formally transition to Rev 3 through future rulemaking, and that process is expected to take years rather than months, with 12 to 24 months of advance notice before enforcement.

But "years away" is not a reason to wait. It is a window to prepare. The organizations that use this window to understand Rev 3, map their gaps, and build a transition plan will move through the change with minimal disruption. The organizations that wait for the formal mandate will face a compressed timeline, limited assessor availability, and the cost of rushing what should have been a methodical process.

Stehrling has completed the detailed control-by-control mapping from Rev 2 to Rev 3. If you want to understand where your program stands against the coming changes, contact us to start the conversation.


An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.

Fredericksburg, VA