The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters

McCarter & English Blog: Government Contracts & Export Controls

On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in NIST SP 800-171 Revision 3, which NIST finalized in May 2024. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 under a previously issued class deviation. In plain terms, the DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance, but the full prestige has not happened yet.

ODPs and Why They Matter

ODPs are a structural change introduced in NIST SP 800-171 Revision 3. They do not soften the requirements; they move the choice of certain values out of the standard itself and into the hands of the federal agency imposing it or, where the agency is silent, the organization implementing it. Unlike Rev. 2, which hardcodes those values in many requirements, Rev. 3 leaves them as variables that each organization must define based on its environment, risks, and mission needs.

ODPs are essentially placeholders in a control, like:

  • How often do you review audit logs?
  • How quickly must you respond to detected threats?
  • What’s the acceptable length of time to apply security patches?

Instead of answering those questions for you, Rev. 3 lets your organization set those values—but in a way that must be defensible and justifiable to both assessors and the government.

To prevent a patchwork of weak implementations, the DoD issued guidance on April 15 providing recommended or default values for nearly all ODPs within Rev. 3. These values are intended to help ensure consistent protection across the Defense Industrial Base (DIB), especially as the Cybersecurity Maturity Model Certification (CMMC) evolves.

The Class Deviation: Stick with Rev. 2 for Now

In May 2024, the DoD issued a class deviation that locked DFARS 252.204-7012 compliance to NIST SP 800-171 Revision 2, regardless of the finalization and publication of Rev. 3. The deviation was intended to give contractors and assessors time to prepare for the new structure, to keep CMMC 2.0 assessments aligned with a known baseline (Rev. 2), and to avoid confusion or premature implementation of ODP-based requirements before the supporting frameworks are ready. For contractors, this means that while you should be aware of where NIST SP 800-171 is heading, if your current contract includes DFARS 252.204-7012, you are still expected to comply with the 110 security requirements in Rev. 2. Don't move! No changes yet.

April 15 Guidance: Preparing for the Next Act

Helpfully, the DoD’s April 15 ODP memo provides a list of defined values or recommended ranges for the parameters found in Rev. 3. According to the guidance, these were developed with input from military departments and defense agencies, federal cybersecurity experts, and industry stakeholders.

Of the dozens of ODPs in Rev. 3, most are now defined with specific values (e.g., “review logs every 72 hours”), with a few left as flexible “guidance,” giving organizations some room for tailoring. The ultimate goal here remains to give contractors a head start on understanding what “acceptable” ODP values may look like so that contractors are not starting from scratch when Rev. 3 becomes the requirement.

What Now?

There is no need to step into the spotlight just yet. But now is the time to pay attention. The DoD’s slow reveal is well underway—so stay sharp, learn the choreography, and be ready when the cue comes.

  • Stick with Rev. 2: NIST SP 800-171 Revision 2 remains the official standard. The System Security Plan, self-assessments, and compliance activities should continue to reflect the current 110 controls.
  • Start Learning ODPs Now: ODPs are central to Rev. 3’s structure. Take time now to understand how they work and how they’ll affect future compliance postures.
  • Leverage the April 15 DoD Guidance: Use the DoD’s recommended ODP values as a starting point. Aligning with this guidance during internal reviews or upgrades can help future-proof security programs and minimize disruption.
  • Track CMMC Developments: As future versions of CMMC incorporate Rev. 3, being prepared with predefined and defensible parameters will give contractors a significant advantage during assessments and audits.

This Isn’t Misdirection; It’s the Setup for the Next Trick

At first glance, the recent moves by the DoD might look like minor adjustments, just a shuffling of the deck. But make no mistake: This is the careful setup to a more significant transformation in federal cybersecurity compliance.

But here's the real trick: Don't let the reveal of what's coming distract from what's required now. The act in progress is still Rev. 2 compliance, and existing obligations under DFARS 252.204-7012 have not changed. The new elements, Rev. 3 and its ODPs, should inform contractors' preparation, not replace their current performance under the following clauses:

  • DFARS 252.204-7012 (safeguarding covered defense information, including CUI, and reporting cyber incidents to DoD)
  • DFARS 252.204-7019 (requiring a current NIST SP 800-171 DoD Assessment, not more than three years old, with the resulting score posted in SPRS)
  • DFARS 252.204-7020 (requiring contractors to give DoD access to facilities, systems, and personnel to conduct Medium or High assessments and validate the scores reported in the Supplier Performance Risk System (SPRS), and to flow the requirement down to subcontractors)

Now is also the time to verify that SPRS scores are accurate and up to date. A strong SPRS posture isn’t just a compliance requirement—it’s an audition for future contract awards. In any well-executed illusion, the audience is focused on the wrong hand. This time, the DoD is giving its audience a rare advantage: The DIB has seen the sleight of hand before it happens. Know the routine. Learn the mechanics. And when the spotlight shifts, be ready for the final flourish.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© McCarter & English Blog: Government Contracts & Export Controls
