
Is CMMC 3.0 in the Works? DoD Memo Hints at Update Reflecting NIST 800-171 Rev. 3
A quiet but significant move by the Department of Defense may have just signaled that CMMC 3.0 is on the way.
On April 10, the DoD released a memo defining values for organization-defined parameters (ODPs) in NIST 800-171 Revision 3—a framework that hasn’t officially been required yet under the current CMMC 2.0 rule.
Why does this matter? Because this memo suggests the DoD is preparing to reflect NIST 800-171 Rev. 3 in its cybersecurity requirements, including DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) and CMMC.
For contractors, it’s a clear warning to start preparing now. If they don’t, they may risk falling behind or doing work for CMMC 2.0 certification only to have to re-do it for CMMC 3.0 certification.
In this post, we break down what these DoD ODPs are, why they matter to organizations pursuing CMMC certification, and how this memo could mark the start of CMMC 3.0.
What are organization-defined parameters (ODPs)?
The latest revision of NIST 800-171, Revision 3, introduced clearly formatted organization-defined parameters (ODPs) in selected security requirements. These ODPs are designed to increase flexibility and help organizations better manage risk.
Similar to those seen in NIST 800-53, FedRAMP, and TX-RAMP, these parameters effectively ask organizations to fill in the blank in certain requirements. This allows for controls to be tailored to meet requirements that may have been overly prescriptive or vague in previous versions of these frameworks.
For example, in NIST 800-171 Revision 2, requirement 3.1.8 is “Limit unsuccessful log-on attempts.” This single line left organizations guessing: How many attempts? Over what timeframe? What happens after?
In Revision 3, the requirement changed to: “Enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods and take [organizationally defined] actions after the maximum attempts.” While wordier than Revision 2, this is much clearer about what’s being asked. Namely, it’s asking organizations:
- How many invalid log-on attempts will you allow and in what period of time?
- What are you going to do if this limit is exceeded?
How you answer these questions—in other words, how you define values for these ODPs—informs the control you implement to meet the requirement. For example, if you say you’ll allow 10 unsuccessful log-on attempts in 20 minutes, then an assessor will evaluate whether your control environment enforces a limit of 10 unsuccessful log-on attempts during 20-minute time periods.
Organizations can define these ODPs in requirement 3.1.8 as well as other requirements in NIST 800-171 Rev. 3 based on their organizational needs and operational environments. This flexibility prevents NIST 800-171 from trying to be a one-size-fits-all framework and instead allows it to address varying risk tolerances, operational needs, and external mandates.
Certain external mandates, like FedRAMP Revision 5 Moderate baselines, define values for these parameters rather than deferring to the organizations pursuing compliance. The DoD recently followed suit and defined values for the ODPs in NIST 800-171 Revision 3 in a recent memo.
What are the DoD’s ODP values for NIST 800-171 Revision 3?
In NIST 800-171 Rev. 3, there are 50 requirements containing organization-defined parameters. Since some requirements contain multiple ODPs, there are a total of 88 ODPs in Revision 3.
In the memorandum issued on April 10, 2025, the DoD defines values for all 88 ODPs. That means there are no blanks left in the Rev. 3 requirements for contractors to fill in.
Recall that in Rev. 3, requirement 3.1.8 reads: “Enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods and take [organizationally defined] actions after the maximum attempts.” With the DoD’s ODP values, this requirement becomes: “Enforce a limit of at most 5 consecutive unsuccessful log-on attempts during a period of five (5) minutes and take one or more of the following actions after the maximum attempts:
- lock the account or node for at least 15 minutes
- lock the account or node until released by an administrator and notify a system administrator.”
With these ODP values defined, defense contractors know exactly what control to configure and implement to meet this requirement.
The downside to this clarity: sometimes the DoD’s value for an ODP does not align with the value you’d pick for your organization and makes compliance harder, even if it’s clearer. For example, for requirement 3.5.5, the DoD specifies that organizations must prevent the reuse of identifiers for at least ten (10) years. That’s a long time and likely much longer than defense contractors currently require.
You can find the DoD ODP values for all 50 requirements in Rev. 3 in the memo.
Why did the DoD release this memo now if NIST 800-171 Rev. 3 isn’t required yet?
There’s currently a disconnect between two major cybersecurity regimes for defense contractors. DFARS 252.204-7012 requires contractors to implement the most current version of NIST 800-171, but CMMC 2.0 still assesses against Revision 2. To avoid forcing defense contractors to implement Revision 3 but then get assessed against an older version of NIST 800-171, the DoD published a class deviation in May 2024 allowing contractors to comply with Revision 2 for now.
But this is a short-term solution. Eventually, CMMC will need to catch up. The class deviation will likely be rescinded so that both DFARS 7012 and CMMC align on requiring contractors to implement NIST 800-171 Rev. 3.
By releasing ODP values for Rev. 3 now, the DoD is signaling that this alignment will eventually happen. In fact, a proposed rule for an update to CMMC that reflects NIST Rev. 3 (CMMC 3.0) is likely already in the works.
By publishing these ODP values early on, even before a new rulemaking process begins, the DoD’s goal is likely to give organizations in the Defense Industrial Base plenty of time to prepare.
What should defense contractors do now?
The DoD memo defining ODP values for NIST 800-171 Rev. 3 isn’t just a policy update. It’s a sign that CMMC 3.0 is coming and aligning more with NIST 800-53 and FedRAMP, similar to the NIST 800-171 Revision 2 to Revision 3 update.
To stay ahead of CMMC 3.0, defense contractors should consider using these ODP values for their NIST 800-171 Revision 2 configurations. For example, if you’re trying to meet requirement 3.1.8 in Revision 2—“Limit unsuccessful log-on attempts”—implement a control that limits the number of consecutive unsuccessful log-on attempts to five in five minutes. That way, you’ll already satisfy this DoD ODP value in the NIST 800-171 Revision 3 baseline once it becomes mandated.
Defense contractors that adopt as many DoD ODP values as they can now will have a smoother transition to NIST 800-171 Rev. 3 and be better prepared to comply with updated DFARS 7012 and CMMC requirements.
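To make the 3.1.8 control concrete, here is an added example (not from the post or the DoD memo) of a lockout tracker that enforces the DoD ODP values quoted above: at most 5 consecutive failures within a 5-minute window, then a 15-minute lock or an administrator-released lock. The thresholds come from the memo; the class, event format and sample log are assumptions made for this illustration.

```python
# Added example: lockout policy implementing the DoD ODP values for NIST SP 800-171
# Rev. 3 requirement 3.1.8. Class name, event tuples and SAMPLE log are assumed here.
import math

MAX_ATTEMPTS = 5            # at most 5 consecutive unsuccessful log-on attempts
WINDOW_SECONDS = 5 * 60     # ... during a period of five (5) minutes
LOCKOUT_SECONDS = 15 * 60   # lock the account or node for at least 15 minutes


class LockoutPolicy:
    def __init__(self, admin_release_required=False):
        # The memo allows either action; True selects "lock until released by an admin".
        self.admin_release_required = admin_release_required
        self.failures = {}      # user -> timestamps of the current run of failures
        self.locked_until = {}  # user -> epoch seconds (math.inf = admin hold)

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, -math.inf)

    def record(self, user, success, now):
        """Apply one authentication event; return ok / fail / locked / rejected."""
        if self.is_locked(user, now):
            return "rejected"           # nothing is evaluated while the account is locked
        if success:
            self.failures.pop(user, None)   # a success ends the consecutive run
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t < WINDOW_SECONDS]
        recent.append(now)              # only failures inside the 5-minute window count
        if len(recent) >= MAX_ATTEMPTS:
            self.failures.pop(user, None)
            hold = math.inf if self.admin_release_required else now + LOCKOUT_SECONDS
            self.locked_until[user] = hold
            return "locked"             # a real system would notify the administrator here
        self.failures[user] = recent
        return "fail"

    def admin_release(self, user):
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def replay(events, admin_release_required=False):
    """Run constructed (seconds, user, success) events through the policy in order."""
    policy = LockoutPolicy(admin_release_required)
    return [policy.record(user, ok, t) for t, user, ok in events]


# Constructed sample log: five failures for alice inside 5 minutes, then a retry at 300 s.
SAMPLE = [(0, "alice", False), (60, "alice", False), (120, "alice", False),
          (180, "alice", False), (240, "alice", False), (300, "alice", True)]
```

Replaying SAMPLE yields fail, fail, fail, fail, locked, rejected: the fifth failure at 240 s triggers the lock and the correct password at 300 s is rejected until the 15-minute lock expires at 1140 s.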