NIST 800-172r3 Could Reshape the Future of CMMC Level 3

Editorial note: This post separates sourced regulatory facts from forward-looking practitioner analysis. Sections are labeled accordingly. Draft NIST publications should be treated as planning inputs rather than current compliance obligations unless and until adopted through DoW rulemaking. Nothing in this post constitutes legal advice.

What Is Actually Authoritative Right Now

Before engaging with any analysis of SP 800-172r3, it is worth being explicit about what creates enforceable obligations and what does not. The following table reflects how the federal regulatory process works in practice:

Event                                      | Legal effect
-------------------------------------------+---------------------------------------------
NIST publishes draft                       | No contractual obligation
NIST finalizes publication                 | Still no automatic CMMC requirement
DoW proposes rule (NPRM)                   | Signals future intent only
Final rule published in Federal Register   | Creates a contractor-specific requirement
DFARS contract clause applied              | Final rule published in the Federal Register

For current enforceable requirements, contractors should rely exclusively on 32 CFR Part 170 as published in the Federal Register on October 15, 2024, applicable DFARS clauses including 252.204-7012 and 252.204-7021, official DoW CIO CMMC guidance, Federal Register notices, and NIST publications that have been formally incorporated by reference through rulemaking.

NIST SP 800-172r3 is currently a Final Public Draft. It is not a finalized NIST publication. It has not been proposed for incorporation into CMMC through rulemaking. It creates no contractual obligation today.

Current Law: What SP 800-172 Governs and the Existing Level 3 Requirement

Sourced regulatory facts. NIST SP 800-171 provides recommended security requirements for protecting CUI in nonfederal systems. NIST SP 800-172 is a separate supplemental publication providing enhanced security requirements for CUI associated with high-value assets and critical programs facing Advanced Persistent Threats. SP 800-172 supplements SP 800-171; it does not replace it, and it is designed for a significantly narrower population of contractors than the broader DIB.

Sourced regulatory facts. Under 32 CFR § 170.18 and the October 15, 2024 final CMMC rule published in the Federal Register, CMMC Level 3 currently requires contractors to first achieve Final Level 2 (C3PAO) certification, then undergo a separate assessment conducted by DCMA DIBCAC covering 24 security requirements selected from the February 2021 version of SP 800-172. That is the enforceable Level 3 requirement as of the date of this publication. The 2021 document, not the Revision 3 draft, is what DIBCAC assesses against. That is the law. Everything else in this post is analysis and planning.

Sourced regulatory facts. CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 under 32 CFR § 170.17, as established in the October 15, 2024 final rule. The Phase 2 enforcement date of November 10, 2026 is unchanged. Nothing published by NIST since that rule took effect alters any Level 2 obligation.

Current Facts: What SP 800-172r3 and SP 800-172Ar3 Contain

Sourced from the NIST draft publications. NIST released the SP 800-172 Revision 3 Final Public Draft on September 29, 2025, alongside the SP 800-172A Revision 3 Initial Public Draft. The public comment period, initially set to close November 14, 2025, was extended through January 16, 2026. Both documents are available on the NIST Computer Security Resource Center.

According to NIST’s own documentation of the draft, SP 800-172r3 identifies 115 total security requirements, 80 of which are described as new relative to the prior baseline, and 118 Organizationally Defined Parameters, 78 of which are new. Those figures are sourced directly from the NIST draft publication.

Practitioner interpretation, not a NIST-confirmed figure. Independent practitioner analysis of the companion SP 800-172Ar3 assessment procedures draft suggests the total assessment objective count may approach 195. NIST has not formally published that figure, and it should be treated as a working estimate pending finalization of the document.

The draft addresses areas that received limited treatment or were absent in the 2021 version. Based on a review of the draft, expanded coverage appears in access controls, network segmentation, asset management, supply chain, and acquisition security. The 118 Organizationally Defined Parameters, 78 of them new, require organizations to define, document, and implement specific parameter values independently, creating a configuration and documentation burden beyond the implementation requirements themselves.

Sourced from the existing SP 800-172A. The companion assessment procedures document matters as much as the security requirements document. Under the current SP 800-172A, assessment procedures define what evidence, interviews, and technical testing an assessor uses to make pass or fail determinations against each security requirement. An organization may implement every requirement correctly and still not satisfy the assessment objectives if supporting evidence is not structured according to the assessment procedures’ standard.

What the Draft Does Not Contain: Important Uncertainty Boundaries

Several variables remain unknown and should be stated explicitly before any forward-looking analysis proceeds.

It is not known whether DoW will adopt SP 800-172r3 substantially as written or make significant modifications through rulemaking. It is not known whether DoW will continue to use a subset selection model for Level 3 requirements or restructure the Level 3 framework differently. It is not known what transition timelines will apply to organizations holding current Level 3 certifications when a new rule takes effect. It is not known whether future DFARS updates will proceed in parallel with 32 CFR Part 170 revisions or on a separate acquisition rulemaking track. Separate from CMMC certification mechanics, DFARS 252.204-7012 may continue to evolve independently through acquisition rulemaking, and individual program offices retain authority to impose enhanced security requirements on specific contracts outside the CMMC framework before any rulemaking is complete.

Any analysis of what Level 3 may eventually require should be read with those unknowns in mind.

Forward-Looking Analysis: The Rulemaking Situation

The following section reflects practitioner interpretation of the current regulatory environment and historical DoW implementation patterns. It is not regulatory guidance.

DoW has not yet initiated rulemaking to align CMMC with newer NIST revisions. NIST SP 800-171 Revision 3 was finalized in May 2024. CMMC Level 2 assessments today still run against Revision 2, because formal rulemaking incorporating the newer baseline has not yet occurred. DoW intentionally pins CMMC to fixed revisions for ecosystem stability, allowing assessors, contractors, and tooling vendors to align against a specific baseline without mid-cycle disruption. That is a defensible policy position and explains why updated NIST baselines do not automatically flow into CMMC requirements.

DoW now appears to have two separate NIST baseline updates, 800-171r3 and 800-172r3, that are not yet reflected in the October 15, 2024, final CMMC rule. Incorporating both into CMMC would require a Notice of Proposed Rulemaking published at regulations.gov, a public comment period, resolution of submitted comments, and a final rule published in the Federal Register before any new requirements become enforceable. Whether DoW addresses both updates in a single combined rulemaking or proceeds sequentially remains unknown. A combined action may be more coherent from a framework perspective; a sequential approach could result in a period where Level 2 and Level 3 obligations run against different generational revisions of their respective baselines.

Forward-Looking Analysis: What a Future Level 3 Could Look Like

The following section is speculative analysis. No figures in this section are sourced from DoW guidance. They are illustrative only.

The current 24-security-requirement Level 3 obligation was drawn as a subset of the 35 requirements in the original 2021 SP 800-172. If DoW were to follow a similar subset selection methodology when incorporating SP 800-172r3, the eventual security requirement count at Level 3 could increase substantially relative to the current baseline. The specific count would depend on how DoW defines the subset, which program categories trigger Level 3, and what the final version of SP 800-172r3 contains after NIST processes the public comments received by January 16, 2026.

No specific future requirement count should be inferred from this analysis. The 80 new security requirements in the draft do not translate directly into a specific future Level 3 count. What the draft provides is meaningful insight into the direction NIST appears to be taking with enhanced CUI protection requirements, not a confirmed picture of what DoW will eventually require.

What Each Audience Should Take From This

Level 2 contractors. Your near-term obligations are unchanged. CMMC Level 2 certification under 32 CFR § 170.17 against the NIST SP 800-171 Revision 2 baseline, before November 10, 2026, is your compliance priority. Submit your SPRS score, engage your C3PAO, and complete your evidence package. SP 800-172r3 does not affect any of that.

Level 3 contractors currently in the DIBCAC assessment pipeline. Your assessment runs against the 24 security requirements in the February 2021 SP 800-172 under 32 CFR § 170.18. That certification is valid under current law. Reviewing the SP 800-172r3 draft now is a planning input, not a current obligation.

Level 3 contractors not yet in the pipeline. Beginning Level 3 work under the current rule produces a legitimate, enforceable certification under the 2021 baseline. When rulemaking eventually incorporates a new baseline, a transition period and a gap analysis against the new security requirements will likely be required. Conducting a preliminary gap review against the SP 800-172r3 draft now means that gap analysis will not start from zero when the rule moves.

CISOs and compliance leads. Read the SP 800-172Ar3 assessment procedures draft specifically. The security requirements document describes what must be implemented. The assessment procedures document describes how implementation will be evaluated. For Level 3 programs where DIBCAC assesses using examine, interview, and test methods across every assessment objective, the procedures document is the more operationally relevant planning resource.

MSPs and MSSPs serving the Level 3 population. Supply chain and acquisition security received significant expansion in the Revision 3 draft. If your organization is documented in a Level 3 contractor’s System Security Plan as an External Service Provider, your security posture may eventually be assessed within the scope of their Level 3 boundary under future rulemaking. Reviewing those supply chain security requirements in the draft now is prudent preparation.

What to Do Right Now

Read the source documents directly. The SP 800-172r3 Final Public Draft and the SP 800-172Ar3 Initial Public Draft are publicly available at no cost on the NIST CSRC website. The NIST publication page clearly identifies each document’s current status. Final Public Draft means the public comment period has closed, and NIST is preparing the final version. It does not mean the document is in force.

Monitor regulations.gov and the Federal Register for any Notice of Proposed Rulemaking related to CMMC baseline updates. That notice, when it appears, is the formal starting point for any updated compliance clock.

Conduct a preliminary gap analysis against the draft’s 80 new security requirements. Even without a CMMC obligation, understanding where your current Level 3 or advanced CUI security implementation has gaps against the Revision 3 draft is useful planning data. Network segmentation, supply chain risk management, and asset management received the most significant additions and are worth prioritizing in any initial review.

Do not mistake a draft publication for a current mandate. The DoW CIO CMMC documentation and 32 CFR Part 170 as published on October 15, 2024 remain the authoritative sources for current enforceable requirements. The current CMMC Level 3 obligation is defined at 32 CFR § 170.18 and references the February 2021 SP 800-172 document. That is the law. Everything else is planning.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.