Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry.

But is this just noise, or is there something more substantial happening behind the scenes? As it turns out, recent DoD actions suggest that conversations about the next iteration of CMMC might be closer than we thought.

 

The State of CMMC and the Final Rule

To understand why CMMC 3.0 discussions seem premature, we need to acknowledge the current status of CMMC 2.0. The 32 CFR final rule, which lays the framework for CMMC 2.0, took effect on December 16, 2024, but the actual implementation is only beginning to unfold in 2025. The rollout is planned in phases, starting in October 2025 with Level 1 and some Level 2 contracts, which will allow self-assessment. Full enforcement is not expected until October 2028.

This phased approach means many defense contractors are still in the early stages of understanding what CMMC 2.0 compliance means for their operations. They’re still:

• Mapping their systems and data flows to determine which CMMC level applies to them
• Conducting gap assessments against NIST 800-171 Revision 2 requirements
• Developing remediation plans to address security deficiencies
• Budgeting for third-party assessments and certification costs

For many smaller contractors, primarily, the journey to CMMC 2.0 compliance represents a significant investment in time, resources, and organizational change. The prospect of another major revision while they’re still climbing the current mountain understandably triggers concern.

 

The Department of Defense Memo 

So why are industry experts already mentioning CMMC 3.0? The catalyst was a seemingly innocuous Department of Defense memorandum released in April 2025. The DoD released a memo defining values for organization-defined parameters (ODPs) in NIST 800-171 Revision 3, a framework that has not yet been officially required under the current CMMC 2.0 rule.

This might sound like bureaucratic minutiae, but its implications are significant. NIST Special Publication 800-171 Revision 3 introduced a more flexible approach to specific security requirements by incorporating organization-defined parameters. Instead of prescriptive mandates, Rev. 3 allows organizations to customize certain controls based on their specific operational context and risk profile. However, the DoD’s memo removes that flexibility by defining particular values for all 88 ODPs across the 50 requirements that contain them.

For example, NIST 800-171 Revision 2 requirement 3.1.8 simply states, “Limit unsuccessful log-on attempts,” leaving organizations to guess about the specifics. In Revision 3, this became “Enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods.”

The DoD’s memo now specifies this as five consecutive unsuccessful attempts within a five-minute period, with a mandatory lockout for at least 15 minutes or until an administrator releases the account.

Why This Memo Matters More Than You Think

The timing and nature of this memorandum reveal something important about DoD’s strategic thinking. Currently, there’s a disconnect in the regulatory landscape:

• DFARS 252.204-7012 (the contract clause requiring cybersecurity controls) technically requires contractors to implement the most current version of NIST 800-171. 
• CMMC 2.0 assessments evaluate compliance against the older NIST 800-171 Revision 2. 
• NIST 800-171 Revision 3 has been published, but the DoD issued a class deviation allowing contractors to continue using Revision 2 to avoid forcing the implementation of standards against which they won’t be assessed.

By releasing ODP values for Revision 3 now, even before a new rulemaking process begins, the DoD is signaling that alignment between DFARS requirements and CMMC assessments will eventually occur, and the agency’s goal is likely to give organizations in the Defense Industrial Base ample time to prepare.

 

What Would CMMC 3.0 Actually Look Like?

If CMMC 3.0 materializes as expected, it would primarily align the certification framework with NIST 800-171 Revision 3 rather than representing a complete overhaul of the CMMC structure. The three-level model (Levels 1, 2, and 3) would likely remain intact; however, the specific requirements at Level 2 (the most common level for contractors handling CUI) would shift to reflect the updated NIST baseline.

The practical implications include:

• More Prescriptive Requirements: Where Revision 2 left room for interpretation, Revision 3, with DoD-defined ODPs, provides exact specifications. This removes some flexibility but adds clarity about compliance expectations. 
• Potentially More Stringent Controls: Some DoD ODP values impose longer timeframes or stricter thresholds than many organizations currently maintain. For example, requirement 3.5.5 now specifies that organizations must prevent the reuse of identifiers for at least ten years, which is likely much longer than defense contractors currently require. 
• Better Alignment with Other Frameworks: NIST 800-171 Rev. 3 brings the standard closer to NIST 800-53 and FedRAMP approaches, which could ease compliance burdens for contractors working across multiple government agencies.

The transition from CMMC 2.0 to a potential CMMC 3.0 wouldn’t invalidate existing certifications immediately. The DoD would likely implement another phased approach, allowing existing CMMC 2.0 certifications to remain valid until their expiration while new assessments use the updated standard.

 

What Defense Contractors Should Do Now

The specter of CMMC 3.0 creates a strategic dilemma for defense contractors: should they focus exclusively on achieving CMMC 2.0 compliance, or should they hedge their bets and prepare for requirements that haven’t been officially announced?

The pragmatic answer involves a balanced approach that doesn’t ignore either reality. Contractors should continue pursuing CMMC 2.0 certification—it’s the current requirement, and there’s no indication the DoD will pause enforcement to wait for a future version. However, smart organizations will simultaneously take steps to future-proof their compliance efforts:

• Review the DoD ODP Values for NIST 800-171 Rev. 3 and compare them against your current security configurations. Where feasible, implement controls that meet the Rev. 3 requirements even while pursuing Rev. 2 certification. Defense contractors that adopt as many DoD ODP values now will have a smoother transition to NIST 800-171 Rev. 3 and be better prepared to comply with updated DFARS and CMMC requirements. 
• Build Flexibility into Your Architecture so that adjusting control parameters (like lockout thresholds or password history requirements) doesn’t require massive system overhauls. Modern identity and access management solutions often allow these adjustments through configuration changes rather than code modifications. 
• Document Everything Meticulously, including your rationale for specific security decisions. If controls need to be adjusted for CMMC 3.0, having comprehensive documentation will make the transition smoother and demonstrate due diligence to assessors. 
• Stay Engaged with Industry Resources and professional organizations that track CMMC developments to stay informed. The Cyber Accreditation Body (Cyber-AB) and various industry associations provide updates as new information emerges.

 

The Problem of Certification 

One of the most practical questions contractors face is when to pursue CMMC 2.0 certification, given the possibility of CMMC 3.0. Should organizations delay their assessment, hoping to jump directly to the newer standard?

For most contractors, delaying is not a viable strategy. Contract opportunities requiring CMMC certification are already appearing in solicitations, and more will follow as the phased rollout continues. Waiting could mean losing competitive positioning or even being unable to bid on specific contracts. Additionally, there’s no guarantee about when CMMC 3.0 will be finalized, as the rulemaking process typically takes years.

A more sensible approach is to pursue CMMC certification while implementing controls that align with Rev. 3 requirements where possible. CMMC certifications are valid for three years (for Level 2) or potentially longer, depending on the assessment type and level of certification. By the time a CMMC 2.0 certification expires, the regulatory landscape may have clarified considerably regarding CMMC 3.0 timelines.

 

Be Ready for Today and 5 Years from Now with Lazarus Alliance

So, are we already talking about CMMC 3.0? Tentatively, yes. The DoD memo defining ODP values for NIST 800-171 Rev. 3 isn’t just a policy update; it’s a sign that CMMC 3.0 is coming and possibly aligning more with NIST 800-53 and FedRAMP. 

To learn more about how Lazarus Alliance can help, contact us. 

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria – Lazarus Alliance Laboratories
• And dozens more!

[wpforms id=”137574″]