When I was a kid, there was a cartoon called Chowder on good ole’ Cartoon Network. It was a dearly beloved show in the Molter household because it was incredibly weird and kooky: it followed an anthropomorphized animal boy named Chowder who gets into all sorts of mischief with his adopted family and friends, all of whom live in a crazy food-centric world. Everyone’s name was based on food. Chowder, Schnitzel, Truffles, Panini. Ahhhh, a classic. One of my favorite episodes is the one where Chowder and his family of chefs set out to find a special ingredient to finish a dish for a customer. As they journey through the forest, they finally find what they were looking for, a cinnamini tree, the source of the precious cinnamini powder needed to complete the order. What made this powder so special is that it shrank anything it was applied to, and Chowder, being a victim of unfortunate circumstances, was shrunk while they were trying to acquire it. They then discover that a little monster, the Cinnamini Monster, lives inside the cinnamini tree, and Chowder, now a fraction of his former size, is kidnapped by the little monster and trapped inside his little home within the tree. Turns out, the little monster was just incredibly lonely and wanted someone to play board games with. The conditions were simple: if Chowder and his family could beat the Cinnamini Monster in a board game, he would let them go. Easy enough, right? Wrong. Every time the team got close to beating the monster, he would switch to a new game or even change the rules and the outcomes of dice rolls to ensure he remained in control and would never lose. The episode closes with Chowder and his family perpetually stuck in the Cinnamini Monster’s house because he kept switching up the game so he’d never be alone again.
Now, I can already feel the confusion in the air. “Why the heck are we talking about a random, incredibly weird TV show from the early 2000s, Steve?” I can feel it in my bones already. I present you, dear reader, this classic piece of cinematic, artful history with the express intention of analogy. Because, like Chowder and his team of chefs, Defense Industrial Base (DIB) organizations and their Managed Service Providers (MSPs) are in a similar position, specifically with regard to NIST SP 800-171 Revision 3 and its Organization-Defined Parameters (ODPs). Everyone has gotten incredibly familiar with Rev 2; many have come a long way in implementing its requirements, and many have already received a CMMC Level 2 certification and are now maintaining their GRC program. They learned the rules and were well on their way to winning the board game. On the horizon, however, is the implementation of NIST SP 800-171 Rev 3, and with it come not just fundamental changes to the requirements and expectations, but also many parameters and values that were previously left to the contractor’s (or the MSP’s) discretion and have now been mandated by the Department of Defense as required values or minimum expectations the DIB organization must implement. Where reality is not analogous to this episode of Chowder is the malicious intent of the monster. The Department of Defense (DoD) is levying these changes with the goal of protecting our nation, warfighters, and citizens. The updated requirements are aimed at enhancing and modernizing DIB contractor security to ensure sensitive information, namely Controlled Unclassified Information (CUI), is sufficiently protected. Nonetheless, this can feel like a bit of a bait-n-switch.
I know, I know. You’ve heard about Rev 3 already. And, at this point there’s been no shortage of blog posts, presentations, Discord conversations and LinkedIn posts about the fact that Rev 3 exists and what it’s all about. But here’s what I keep noticing in my conversations with clients and peers across the DIB: plenty of people are talking about Rev 3 at a high level, yet not nearly enough attention has been paid to the DoD’s specific, pre-defined ODP values and what they actually require of organizations and their service providers. That gap in the conversation is exactly what I want to address today.
So, in this blog, we’re going to walk through the key differences between Rev 2 and Rev 3, define some critical terminology so we’re all working from the same playbook, dig into the DoD’s ODP values (including a handy reference table), and talk about what all of it means practically for organizations that have already achieved a CMMC Level 2 Certification or are actively working toward one. Spoiler alert: it’s more work, but it is absolutely doable. Radda Radda Radda! (Chowder reference, only the cool kids would get it.)
Setting the Stage: A Quick Glossary
Before we dive in, let’s align on a few terms. I promise I’ll keep this brief and practical, not academic.
NIST SP 800-171 is the National Institute of Standards and Technology Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It is the foundational cybersecurity standard that Defense Industrial Base (DIB) contractors must implement to protect Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) program maps directly to its requirements, and assessors score against the assessment objectives drawn from the companion assessment procedures in NIST SP 800-171A.
NIST SP 800-171 Revision 2 (Rev 2) is the version that has governed the DIB and CMMC 2.0 since late 2021. It contains 110 security requirements organized into 14 families. Rev 2 is what organizations have been assessed against for CMMC Level 2 Certification assessments to date.
NIST SP 800-171 Revision 3 (Rev 3) was officially published by NIST in May 2024. It represents a significant update in structure, terminology, and specificity. Rev 3 is organized into 17 families (adding Planning, System and Services Acquisition, and Supply Chain Risk Management) and contains 97 requirements. Fewer requirements does not mean less work: several related Rev 2 requirements were consolidated into single Rev 3 requirements, and the expanded use of ODPs makes the actual compliance burden substantially more nuanced.
Organization-Defined Parameters (ODPs) are placeholders within specific security requirements that, under a standard NIST publication, organizations would be expected to fill in based on their own risk management decisions. They appear as [Assignment: organization-defined …] or [Selection: …] within a requirement’s text. Think of them as blanks in a sentence that organizations typically fill in themselves based on their risk posture and operational context.
Organization-Defined Values (ODVs) are what actually get filled into those ODP blanks. When the DoD steps in and defines those values for contractors, the result is an ODV. Once the DoD does this, those values are no longer optional or flexible; they become the mandated requirements and/or minimums. This is a critical distinction and one of the most practically important aspects of this entire discussion.
A Tale of Two Revisions: What Changed from Rev 2 to Rev 3?
Rev 3 isn’t just a minor tune-up to Rev 2. It’s more like a thoughtful renovation. The requirements are quite familiar, but there are several adjustments to get used to. Here are the most impactful differences organizations need to understand:
New Requirement Families
Rev 2 organized its requirements into 14 families. Rev 3 adjusted those families and added three new ones:
- Planning (PL)
- Addresses the heavy documentation side of things: policies, procedures, and plans. Under Rev 2 these were largely treated as nonfederal organization (NFO) controls that were assumed to be in place rather than assessed directly.
- System and Services Acquisition (SA)
- Having to do with the overarching principles for engineering, architecting, and acquiring new components or services within the system.
- Supply Chain Risk Management (SR)
- Another new family that didn’t exist independently in Rev 2. It signals the DoD’s intent to make supply chain considerations first-class compliance citizens, not afterthoughts.
Enhanced Specificity Through ODPs
Here is where things get really important. Rev 3 deliberately introduced ODPs into a significant number of requirements, giving organizations flexibility to tailor controls to their risk environment. But (and this is a significant but) when the DoD defines ODVs for those parameters, as it did in its April 2025 memorandum, most of that flexibility goes away for DIB contractors. Many of the blanks get filled in for you, and the values are either mandatory or a minimum you must meet or exceed.
Expanded Scope and Rigor
Rev 3 introduces enhanced controls in areas like supply chain risk management and planning. Several requirements that were broader in Rev 2 now have additional sub-requirements or more specific performance criteria in Rev 3. For example, vulnerability scanning and remediation are now explicitly tied to specific timeframes and risk tiers, and the system component inventory must be reviewed on a defined frequency, both of which are governed by DoD-defined ODVs.
The DoD Fills In the Blanks: Understanding the ODPs and ODVs
In April 2025, then-Deputy DoD CIO David W. McKeown signed a memorandum establishing the DoD’s ODP values for NIST SP 800-171 Rev 3. According to this document, which you can find at dodcio.defense.gov, these ODVs represent a collaborative effort drawing input “…from DoD offices, external government agencies, and subject matter experts from University-Affiliated Research Centers and Federally Funded Research and Development Centers.” The DoD also incorporated input from industry stakeholders. This is the document that turns Rev 3’s flexible framework into a set of concrete, non-negotiable requirements for DIB contractors.
Here’s what I want to underscore before we look at the specifics: the DoD didn’t just fill in these blanks arbitrarily. In four instances, they actually chose to define the ODP as guidance rather than a hard value, which means there is some flexibility remaining in those areas. But for the vast majority of ODPs, the DoD has set firm values. These aren’t suggestions. When Rev 3 becomes the basis for CMMC assessments, organizations that haven’t met these defined values will be found NOT MET on those requirements.
Let’s look at some of the most operationally significant ODVs. I’ve summarized the key ones in the table below for quick reference:
| ODP ID | Control Area | DoD-Defined Value (ODV) |
|---|---|---|
| 03.01.01.f.02 | Account Management (inactive accounts) | At most 90 days |
| 03.01.08.a.01 | Invalid Logon Attempts (max attempts) | At most 5 consecutive failures |
| 03.01.08.a.02 | Invalid Logon Attempts (time window) | Within 5 minutes |
| 03.01.08.b | Invalid Logon Attempts (lockout) | Lock for at least 15 min OR lock until admin release |
| 03.01.10.a | Device Lock (inactivity) | At most 15 minutes of inactivity |
| 03.01.11 | Session Termination (trigger events) | Max 24-hour inactivity, policy violations, maintenance |
| 03.03.05.a | Audit Record Review Frequency | At least weekly |
| 03.04.08.c | Software Execution Authorization review | At least quarterly |
| 03.04.10.b | System Component Inventory review | At least quarterly |
| 03.04.12.a | High-Risk Travel Config | No CUI/FCI on device unless CO exception in writing |
| 03.05.05.c | Identifier Reuse Prevention | At least 10 years |
| 03.05.07.f | Password Complexity | Minimum 16 characters |
| 03.05.12.e.01 | Authenticator Rotation | Never (w/ MFA); 5 yrs hard tokens; 3 yrs all others |
| 03.09.02.a.01 | Employment Termination (disable access) | Within 4 hours |
| 03.11.02.a | Vulnerability Scanning Frequency | At least monthly |
| 03.11.02.b | Vulnerability Remediation Timeframes | High: 30 days; Moderate: 90 days; Low: 180 days |
| 03.14.01.b | Flaw Remediation (patch SLAs) | High: 30 days; Moderate: 90 days; Low: 180 days |
| 03.16.03.a | External System Services | CSPs: FedRAMP Moderate+; All other ESPs: NIST 800-171 R2 |
Table 1: Selected DoD ODP Values from NIST SP 800-171 Rev 3 (April 2025 Memorandum). There are 88 ODPs within NIST SP 800-171 Rev 3 so this list is not exhaustive; refer to the full document for all values.
Let me call out a few of these that I think will cause some practical friction for organizations:
Passwords must be at least 16 characters (03.05.07.f). Rev 2 referenced NIST guidance on password management but didn’t mandate a specific character minimum in the requirement text itself. Rev 3 with the DoD’s ODV does. If your systems still rely on shorter password policies, or if you have system components that don’t let you set a minimum password length at all (I’m looking at you, Microsoft Entra ID), then it’s time to consider your options and how you intend to address the gaps.
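As a practical check, here is an added PowerShell example (my addition for this edit, not part of the original post or of any DoD or NIST material) that reads the on-premises Active Directory default domain password policy, any fine-grained password policies, and enabled-but-inactive accounts, and compares them with the identity-related ODVs from Table 1. It assumes the RSAT ActiveDirectory module and a domain-joined session with read rights; the threshold numbers come straight from the table. In a hybrid deployment these are the policies the synchronized identities’ passwords are actually set under.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit the on-prem AD default domain password policy, PSOs and inactive
# accounts against selected DoD ODVs for NIST SP 800-171 Rev 3 (values from Table 1).
# Assumes RSAT's ActiveDirectory module and a domain-joined session with read rights.
Import-Module ActiveDirectory

$Odv = [ordered]@{
    MinPasswordLength   = 16   # 03.05.07.f    - at least 16 characters
    MaxLockoutThreshold = 5    # 03.01.08.a.01 - at most 5 consecutive failures
    WindowMinutes       = 5    # 03.01.08.a.02 - counted within a 5 minute period
    MinLockoutMinutes   = 15   # 03.01.08.b    - lock >= 15 min, or until admin release
    MaxInactiveDays     = 90   # 03.01.01.f.02 - disable after at most 90 days
}

$p = Get-ADDefaultDomainPasswordPolicy

# Helper: one result row per ODP so the output can be dropped straight into evidence.
function New-Check ($Odp, $Setting, $Actual, [bool]$Met) {
    [pscustomobject]@{ ODP = $Odp; Setting = $Setting; Actual = $Actual; Met = $Met }
}

$results = @(
    New-Check '03.05.07.f' 'MinPasswordLength' $p.MinPasswordLength `
        ($p.MinPasswordLength -ge $Odv.MinPasswordLength)

    # LockoutThreshold 0 means "never lock out", which fails the ODV outright.
    New-Check '03.01.08.a.01' 'LockoutThreshold' $p.LockoutThreshold `
        ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $Odv.MaxLockoutThreshold)

    # AD's observation window is the period over which failures accumulate. A longer
    # window also catches 5 failures in 5 minutes, so any window >= 5 minutes is at
    # least as strict as the ODV; a shorter one is not.
    New-Check '03.01.08.a.02' 'LockoutObservationWindow (min)' $p.LockoutObservationWindow.TotalMinutes `
        ($p.LockoutObservationWindow.TotalMinutes -ge $Odv.WindowMinutes)

    # LockoutDuration 0 in AD means "locked until an administrator unlocks", which the ODV allows.
    New-Check '03.01.08.b' 'LockoutDuration (min)' $p.LockoutDuration.TotalMinutes `
        ($p.LockoutDuration.TotalMinutes -eq 0 -or $p.LockoutDuration.TotalMinutes -ge $Odv.MinLockoutMinutes)
)

# Fine-grained password policies (PSOs) override the default for the groups they apply to,
# so each one has to meet the length ODV as well.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += New-Check '03.05.07.f' "PSO '$($pso.Name)' MinPasswordLength" $pso.MinPasswordLength `
        ($pso.MinPasswordLength -ge $Odv.MinPasswordLength)
}

# 03.01.01.f.02: enabled user accounts with no logon inside the last 90 days.
$stale = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Odv.MaxInactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled })
$results += New-Check '03.01.01.f.02' 'Enabled accounts inactive > 90 days' $stale.Count ($stale.Count -eq 0)

$results | Format-Table -AutoSize
if ($stale.Count -gt 0) {
    $stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
}
```

Run it from an account with read access to the domain; nothing is modified. A `Met` of `False` on any row is a gap to remediate before a Rev 3 assessment, and the listed stale accounts are the ones 03.01.01.f.02 says should already be disabled.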
Audit records must be reviewed at least weekly (03.03.05.a). This is a meaningful escalation in operational effort. Weekly log review is not optional. For many small-to-midsize contractors, this is a resourcing question more than a technical one.
Terminated employees’ access must be disabled within 4 hours (03.09.02.a.01). This is tight. Four hours from termination to disabled access requires a defined, well-tested, and consistently executed offboarding process. Verbal confirmations after the fact won’t cut it. Granted, most companies I’ve worked with do this pretty well; I can’t think of a single organization that would wait longer than 4 hours to terminate access. But the point remains: it’s a tight deadline to adhere to consistently, and, without going into detail, it raises practical and philosophical questions about how this requirement and its defined value will be tested when it’s time for a formal assessment.
High-risk vulnerabilities must be remediated within 30 days (03.11.02.b). The same timeframes apply to flaw remediation under 03.14.01.b. The DoD has aligned these timeframes with risk tiers (30/90/180 days for high/moderate/low), and they sit on top of a defined scanning frequency of at least monthly. For organizations that have been more relaxed in their remediation timelines (e.g., 365 days for lows and informationals), this might be a tough pill to swallow.
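To make the tiers concrete, here is an added PowerShell example (again mine for this edit, not from the original post) that applies the 30/90/180-day ODVs to a set of findings and flags what is overdue or about to be. The findings are constructed sample data; the severity-to-tier mapping for scanners that report Critical and Medium is my assumption, and a real run would replace the array with an Import-Csv of the scanner export.

```powershell
# Added example: compute remediation due dates under the DoD ODVs for 03.11.02.b /
# 03.14.01.b (High 30, Moderate 90, Low 180 days from discovery) and flag overdue items.
# The findings below are constructed sample data, not a real scan.
$SlaDays = @{ High = 30; Moderate = 90; Low = 180 }

# Scanner exports often use Critical/Medium rather than the ODV tier names; this
# mapping (an assumption) folds Critical into High and Medium into Moderate.
$TierMap = @{ Critical = 'High'; High = 'High'; Medium = 'Moderate'; Moderate = 'Moderate'; Low = 'Low' }

$findings = @(
    [pscustomobject]@{ Id = 'F-001'; Host = 'fs01';  Severity = 'Critical'; FirstSeen = '2025-01-10'; Title = 'Unsupported SMB server version' }
    [pscustomobject]@{ Id = 'F-002'; Host = 'ws17';  Severity = 'Medium';   FirstSeen = '2025-02-01'; Title = 'Outdated browser build' }
    [pscustomobject]@{ Id = 'F-003'; Host = 'db02';  Severity = 'Low';      FirstSeen = '2024-09-15'; Title = 'Verbose service banner' }
    [pscustomobject]@{ Id = 'F-004'; Host = 'ws03';  Severity = 'Info';     FirstSeen = '2025-03-20'; Title = 'Open port enumeration' }
    [pscustomobject]@{ Id = 'F-005'; Host = 'app01'; Severity = 'High';     FirstSeen = '2025-03-05'; Title = 'Missing OS security update' }
)

$asOf = Get-Date '2025-04-01'   # pin the evaluation date so the output is reproducible

$report = foreach ($f in $findings) {
    $tier = $TierMap[$f.Severity]
    if (-not $tier) { continue }   # informational items carry no ODV deadline

    $due      = ([datetime]$f.FirstSeen).AddDays($SlaDays[$tier])
    $daysLeft = [int]($due - $asOf).TotalDays
    $status   = if ($daysLeft -lt 0) { 'OVERDUE' } elseif ($daysLeft -le 7) { 'DUE SOON' } else { 'OK' }

    [pscustomobject]@{
        Id = $f.Id; Host = $f.Host; Tier = $tier; Title = $f.Title; FirstSeen = $f.FirstSeen
        DueBy = $due.ToString('yyyy-MM-dd'); DaysLeft = $daysLeft; Status = $status
    }
}

# Worst first: negative DaysLeft is overdue by that many days.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

With the sample data and the pinned date, F-001 (high, seen in January) and F-003 (low, seen the previous September) come out OVERDUE, F-005 is DUE SOON, and the informational finding is skipped. The discovery date, not the date someone opened a ticket, is what starts the clock, which is why the script keys off FirstSeen.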
There absolutely are other values that matter and are important to get right, but for the sake of brevity, I just wanted to provide a few examples. I would encourage everyone to review NIST SP 800-171 Rev 3 as well as the ODPs for the full picture.
What This Means for CMMC Level 2 Organizations
Here’s the big question, right? You may have already achieved your CMMC Level 2 Certification against Rev 2 requirements, or you may be actively implementing and preparing for a C3PAO assessment. Either way, you’re probably wondering: “What does this mean for me?”
The honest answer, as usual, is “it depends.” It depends on timing and on the specific requirements where Rev 3 and the DoD ODVs diverge from what you’ve already implemented. Here’s how I’d think about it:
If You’ve Already Achieved CMMC Level 2 Certification
Your current certification was assessed against Rev 2. It remains valid for the duration of its certification period. However, when it comes time to recertify, you will almost certainly be assessed against Rev 3 (pending the final CMMC rulemaking that incorporates it). That means you should start treating Rev 3 gap analysis as a near-term priority, not something to worry about later. The gap between Rev 2 compliance and Rev 3 plus DoD ODV compliance is real and, for some organizations, significant. Starting now gives you time to adjust while also maintaining your current program.
If You’re Preparing for Your First C3PAO Assessment
Watch the regulatory timelines closely. If your assessment happens while Rev 2 is still the operative standard under the CMMC rule (the current class deviation keeps things locked to Rev 2), you’ll be assessed against Rev 2. When the CMMC rule is updated to incorporate Rev 3 as the baseline, you’ll be assessed against that. The practical advice here is to start implementing Rev 3 and the DoD ODVs now rather than waiting. Getting assessed against Rev 2 and then immediately needing to remediate to meet Rev 3 is not an efficient path. Build toward the higher bar from the start. However, your documentation still needs to reflect the current standard, so don’t throw out your Rev 2 based documentation.
For Everyone: The Challenge Is Real, But So Is the Path Forward
I’ve gotta be honest here; the combination of Rev 3’s restructured requirements, the new families, and the DoD’s ODVs creates a meaningful compliance lift. For the small machine shop or the five-person engineering firm already stretched thin, this is not trivial work. I sympathize with organizations trying to absorb these requirements while running their actual business.
But I also want to be clear: it is absolutely doable. The DoD’s ODVs, while specific, are not unreasonable. The timeframes, the frequencies, and the technical thresholds all reflect genuine security hygiene that well-run organizations should be striving for regardless of regulatory requirement. And frankly, if you’ve already navigated Rev 2, you have the organizational muscle memory to handle Rev 3. The key is to start the gap analysis now, document your findings honestly, and work through the remediation in good faith.
If you’re working with a consultant or MSP to support your compliance program, have that conversation now about Rev 3 readiness. If you’re using a GRC tool, make sure it either already supports Rev 3 or has a clear roadmap to do so. And if you’re doing this internally, the full DoD ODP memorandum is publicly available and well worth a thorough read alongside the NIST SP 800-171 Rev 3 publication itself.
Back to the Kitchen
The eventual transition from NIST SP 800-171 Rev 2 to Rev 3, layered with the DoD’s specific ODVs, will represent one of the most meaningful shifts in the CMMC compliance landscape since the program launched. Unlike Chowder’s encounter with the Cinnamini Monster, it’s not something to fear, but it absolutely is something to take seriously and to act on now rather than later. The organizations that approach this proactively, with an honest assessment of where they stand and a disciplined plan to close their gaps, will be in the best possible position when the formal transition arrives.
As always, if you have questions, want to talk through your specific situation, or are looking for a GRC platform that’s designed to grow with the evolving requirements of CMMC and beyond, we’d love to connect with you at IntelliGRC. Reach out to us at intelligrc.com/contact-us. You can also find me personally on LinkedIn. I’m always happy to yap it up.
Until next time, Happy Implementing!
Steven Molter
IntelliGRC
Frequently Asked Questions
Q: When will CMMC assessments officially transition to NIST SP 800-171 Rev 3?
As of this writing, CMMC Level 2 assessments are still based on NIST SP 800-171 Rev 2 under the existing 32 CFR Part 170 rule. The DoD has signaled its intent to transition to Rev 3, and the April 2025 ODP memorandum is a clear preparatory step. However, the formal rulemaking to update the CMMC assessment basis to Rev 3 has not yet been announced. Watch for updates from DoD CIO and the CMMC Accreditation Body (CyberAB) for official transition timelines. In the meantime, preparing for Rev 3 now is the strategically wise move. I, personally, am hopeful that we’ll see some movement towards the Rev 3 by this December, Year of our Lord 2026.
Q: Are the DoD’s ODP values legally binding right now?
The April 2025 memorandum establishes these values as DoD policy. While their formal integration into the CMMC assessment framework through rulemaking is still pending, treating them as the target standard for your compliance program is strongly advisable. Organizations that wait for formal rulemaking to begin addressing them risk being behind when the transition does happen.
Q: My password policy currently requires 12 characters. Is 16 a hard requirement?
Based on the DoD’s ODV for requirement 03.05.07.f, yes, 16 characters is the defined minimum. This is one of the clearest examples of where the DoD’s pre-defined value is more specific than what many organizations currently have implemented. Service accounts, default passwords, and legacy systems often get overlooked. Take inventory. Also, be wary of your CSPs like Microsoft Entra ID. Currently, it does not support setting a minimum character length on its own. Synchronizing identities from on-premises Active Directory (where such password configurations can be enforced) to Entra ID in a hybrid deployment seems to be the workaround for most folks. It’s definitely something to think about.
Q: We just passed our CMMC Level 2 assessment last year. Do we need to start over?
No, you don’t need to start over. Your certification is valid through its certification period. What you should do is begin a Rev 3 gap analysis now so that you’re not surprised when recertification comes around. Think of it as maintaining your competitive edge. Organizations that proactively address Rev 3 requirements now will have a much smoother recertification experience than those who wait.
Q: Is there anywhere specific I can find the full list of DoD ODP values?
Yes! The full document is titled ‘Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3’ and is publicly available at dodcio.defense.gov. It’s a thorough document and well worth reading alongside NIST SP 800-171 Rev 3 itself. I’d also encourage you to reach out to us here at IntelliGRC if you’d like help working through the implications for your specific environment.
