DoD Defines NIST 800-171 r3 Organizationally Defined Parameters (ODPs)
DoD defines the NIST 800-171 r3 ODPs.

Founder of GRC Academy | CISSP-ISSEP, CCP @ GRC Academy | April 22, 2025 · 2 min read

The Department of Defense has officially released the Organizationally Defined Parameters (ODPs) for NIST SP 800-171 Revision 3, marking a clear pivot toward future alignment with this updated standard.
These parameters are variables in the control text allowing for organizational discretion. There are 97 controls in NIST 800-171 r3, and 50 of them have ODPs in the control text. DoD defined values for every ODP.
How These Definitions Came Together
This wasn’t just a DoD internal exercise. The parameters were defined in coordination with many different types of entities, including:
- Other U.S. government agencies
- University Affiliated Research Centers (UARCs)
- Federally Funded Research and Development Centers (FFRDCs)
- And industry experts, when relevant
The process signals an effort to make r3 more actionable and consistent, not just for DoD contractors but for the broader federal ecosystem.
A Critical Step Towards NIST 800-171 r3
Right now, DFARS 7012 and CMMC are based on NIST 800-171 Revision 2, which came out in 2020. Contractors have been building their systems and policies around r2 for years. But time marches on, and revision 2 has become outdated.
NIST published revision 3 in May of 2024, but CMMC rulemaking couldn’t shift gears fast enough to incorporate it into the current rollout. Now that the ODPs have been set, the groundwork is being laid for a future transition.
A Look at the New ODP Values
Here are some examples of the newly defined expectations:
| Control ID | Control Topic | Defined Parameter |
|---|---|---|
| 3.13.11 | Cryptography for CUI | Use FIPS-validated cryptographic modules |
| 3.4.2 | Configuration Settings | Follow NIST National Checklist Program (NCP) baselines |
| 3.1.1 | System Account Management | Disable inactive accounts after 90 days |
| 3.5.7 | Password Management | Minimum password length of 16 characters |
| 3.1.10 | Device Lock | Automatically lock device after 15 minutes of inactivity |
| 3.2.1 | Security Literacy Training | Provide additional training after novel incidents or major risk changes |
| 3.3.1 | Event Logging | Must log 13 specific types of audit events |
| 3.4.10 | System Component Inventory | Review and update inventory at least quarterly |
| 3.5.5 | Identifier Management | Don’t reuse user identifiers for at least 10 years |
| 3.11.2 | Vulnerability Remediation Timelines | High: 30 days, Moderate: 90 days, Low: 180 days |
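Two of the parameters above are the kind of thing a contractor can check mechanically against its own data: the 90-day inactive-account window (3.1.1) and the 30/90/180-day remediation deadlines (3.11.2). The script below is an added illustration, not code from the DoD, NIST, or the original post; the account and finding records are constructed sample data, and the day-counting convention (an account is "inactive after 90 days" once more than 90 days have elapsed) is an assumption, not something the ODP text spells out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# ODP values as listed in the table above (controls 3.1.1 and 3.11.2).
INACTIVE_ACCOUNT_DAYS = 90
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Account:
    name: str
    last_login: date
    enabled: bool


@dataclass
class Finding:
    vuln_id: str
    severity: str                  # "high", "moderate" or "low"
    discovered: date
    remediated: Optional[date] = None   # None means still open


def accounts_to_disable(accounts: List[Account], as_of: date) -> List[str]:
    """Enabled accounts idle for more than INACTIVE_ACCOUNT_DAYS (3.1.1).

    Convention assumed here: the account is flagged once strictly more than
    90 days have elapsed since its last login.
    """
    return sorted(
        a.name
        for a in accounts
        if a.enabled and (as_of - a.last_login).days > INACTIVE_ACCOUNT_DAYS
    )


def remediation_deadline(finding: Finding) -> date:
    """Deadline implied by the 3.11.2 ODP for the finding's severity."""
    sev = finding.severity.lower()
    if sev not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r}")
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[sev])


def overdue_findings(findings: List[Finding], as_of: date) -> List[Tuple[str, int]]:
    """Findings closed late, or still open past their deadline, with days overdue."""
    overdue = []
    for f in findings:
        deadline = remediation_deadline(f)
        closed_on = f.remediated if f.remediated is not None else as_of
        if closed_on > deadline:
            overdue.append((f.vuln_id, (closed_on - deadline).days))
    return overdue


# Constructed sample data; the "as of" date is the article's publication date.
AS_OF = date(2025, 4, 22)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2025, 4, 1), enabled=True),    # 21 days idle: fine
    Account("bob", date(2024, 12, 1), enabled=True),     # 142 days idle: flag
    Account("carol", date(2024, 6, 1), enabled=False),   # already disabled
]
SAMPLE_FINDINGS = [
    Finding("VULN-001", "high", date(2025, 3, 1)),                        # deadline 2025-03-31, open
    Finding("VULN-002", "moderate", date(2025, 2, 1), date(2025, 4, 15)), # deadline 2025-05-02, closed early
    Finding("VULN-003", "low", date(2024, 10, 1)),                        # deadline 2025-03-30, open
]

if __name__ == "__main__":
    print("accounts to disable:", accounts_to_disable(SAMPLE_ACCOUNTS, AS_OF))
    print("overdue findings:", overdue_findings(SAMPLE_FINDINGS, AS_OF))
```

Run against real exports, the two functions give a self-assessment of where a system stands on these two parameters before an assessor asks; the VULN-nnn identifiers are placeholders rather than real vulnerability IDs.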
What This Means for CMMC (and You)
Canada’s CMMC-like program is already building around NIST 800-171 r3, and the USA may not be far behind. In a recent interview on the GRC Academy podcast, Stacy Bostjanick mentioned efforts to coordinate ODPs with the Federal CIO Council to align these definitions across the U.S. government as well.
With these definitions now in place, it’s becoming harder to imagine a long delay in adopting r3 into CMMC. A 1- to 2-year timeframe now feels realistic.
Need to fast track your way to CMMC? Check out our CMMC Overview Training for Defense Contractors! It will save you weeks of research and could save you hundreds of thousands of dollars in expensive mistakes!
CMMC Training
Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!