View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOW/OS RIN: 0790-AM01 Publication ID: 2026 
Title: ●Cybersecurity Maturity Model Certification (CMMC) Program 
Abstract:

This amendment defines a deadline and period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3. Significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODP) in select security requirements.  In addition to revising the NIST documents that are incorporated by reference in 32 CFR part 170, this amendment adds administrative edits and clarifying content in multiple areas as necessary to effect the transition. 

 
Agency: Department of War(DOW)  Priority: Other Significant 
RIN Status: First time published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Undetermined  Unfunded Mandates: No 
EO 14192 Designation: Fully or Partially Exempt 
CFR Citation: 32 CFR 170   
Legal Authority: 5 U.S.C. 301    Pub. L 116-92, sec. 1648    133 Stat. 1198   
Legal Deadline:  None

Statement of Need:

With this amendment, DoD amends the Cybersecurity Maturity Model Certification (CMMC) Program to define a period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3.  As described by NIST, the significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODPs) in select security requirements. In addition to revising documents incorporated by reference in this rule, this amendment adds administrative edits and clarifying content in multiple areas. 

Summary of the Legal Basis:

5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198.

Alternatives:

None

Anticipated Costs and Benefits:

In addition to the change from NIST SP 800-171 revision 2 to revision 3, which impacted CMMC Level 2 and LEvel 3 assessment objectives, this rule amendment is based on a more current estimate of the size of the Defense Industrial Base.  Overall, we estimate approximately 20% fewer total companies will be impacted by 32 CFR Part 170.  

Risks:

None

Timetable:
Action Date FR Cite
Interim Final Rule  07/00/2026 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Undetermined 
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Agency Contact:
Carrie Cardwell
Acquisition Analyst, Office of the DoD CIO
Department of War
Office of the Secretary
4800 Mark Center Drive , Suite 11G14,
Alexandria, VA 22350
Phone:571 372-4410
Email: carrie.m.cardwell.civ@mail.mil