Where can I download NIST 800-171 rev 3 ODPs in Excel format?

NIST 800-171 OPDs In Excel?

ComplianceForge Support ComplianceForge Support CMMC | DFARS | NIST 800-171 R2 | NIST 800-171 R3 | Templates
July 18th, 2025 2 minute read

Listen to article
Audio generated by DropInBlog's Blog Voice AI™ may have slight pronunciation nuances. Learn more
Where can I download NIST 800-171 rev 3 ODPs in Excel format? 

In April 2025, the US Department of Defense (DoD) released a memorandum that defines what the DoD expects for Organization Defined Parameters (ODP) when implementing NIST SP 800-171 Rev 3. Unfortunately, the DoD chose to keep those ODP values in PDF format, so it is not the most user friendly approach to help with adoption.

ComplianceForge published the NIST 800-171 R2 To R3 Transition Guide and on page 11, there is a link to download the tables in Excel format, including the ODPs!

AO Level Analysis for NIST 800-171 R3

The R2 to R3 Transition Guide provides an Assessment Objective (AO)-level analysis to address differences for NIST 800-171 R2 to R3:

  • Over 1/3 are minimal effort (clear, direct mapping)
  • Approximately 1/5 are moderate effort (indirect mapping)
  • Approximately 1/2 are significant effort (no clear mapping or new AOs)
This guide also addresses the logical dependencies that exist from "orphaned AOs" that are not in NIST 800-171A R3, but a requirement to demonstrate evidence of due diligence and due care still exists for specific functions (e.g., maintenance operations, roles & responsibilities, inventories, physical security, etc.).
free guide to NIST 800-171 R3 upgrade transition

For those organizations needing to upgrade from NIST SP 800-171 R2 to R3, it is worth taking a look at ComplianceForge's NIST 800-171 / CMMC product lineup that already includes coverage for NIST SP 800-171 R3, including the ODPs

« Back to Blog

Related Articles

How to get CMMC certified?

How to get CMMC certified?

2 minute read

June 30th, 2025

NIST 800-171 ODP

NIST 800-171 R3 ODPs

1 minute read

April 24th, 2025

Your CMMC Requirements Guide

Your CMMC Requirements Guide

1 minute read

January 3rd, 2025

NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been removed or folded into others. Some controls are not categorized under baselines—low, moderate, high, or privacy—per NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.

!