What the heck are organization-defined parameters (ODP)?

For Department of Defense (DoD) contractors pursuing Cybersecurity Maturity Model Certification (CMMC) compliance, you may have heard recent buzz about “organization-defined parameters” (ODPs) pertaining to NIST SP 800-171 revision 3. The latest in our “What the heck?” series, this blog explains the history behind organization-defined parameters in DoD cybersecurity and, more importantly, explains their relevance for those pursuing CMMC compliance.

Organization-defined parameters in DoD cybersecurity

Organization-defined parameters are vital to NIST Special Publication (SP) 800-53, which serves as a catalog of security controls that federal government IT system managers select and implement as part of their cybersecurity risk management strategy. Depending on the system and its criticality to the DoD’s mission, the number and types of security controls implemented can vary widely between DoD systems. If you’re familiar with NIST SP 800-171 and you’ve ever read through NIST SP 800-53, you’ve likely wondered, hey, this looks similar! Well, you’re spot on, as NIST SP 800-171 was derived from NIST SP 800-53. Just as federal government systems follow the NIST Risk Management Framework (RMF) process to determine which NIST SP 800-53 security controls to select and implement, NIST used the same process when determining how to protect Controlled Unclassified Information (CUI) in non-federal (contractor) systems. They performed a risk assessment and selected relevant controls from NIST SP 800-53. The result was NIST SP 800-171 and the 110 security controls therein.

What does this have to do with ODPs? Well, until revision 3, NIST SP 800-171 did not include ODPs. Incorporating them into the latest revision is another way in which NIST is further aligning 800-171 with 800-53. This is why ODPs are relevant for CMMC; although NIST SP 800-171 revision 2 is the current requirement for CMMC Level 2 (see image below), it will eventually be replaced by 800-171 revision 3, which contains ODPs. So, DoD contractors will need to understand the purpose of ODPs prior to 800-171 revision 3 becoming the standard for CMMC Level 2.

[Image: table showing assessment requirements and number of entities subject to each level of CMMC. Caption: NIST 800-171 Revision 2 as the Current Requirement for CMMC Level 2]

That’s a little more about the why behind ODPs. For more about the what, including examples from NIST 800-171, continue on!

Organization-defined parameters in CMMC

The National Institute of Standards and Technology (NIST) provides the following definition for an organization-defined parameter:

"The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement."

Translated into layperson’s terms, an organization-defined parameter is simply the part of a security control that an entity defines. One must be careful, however, when interpreting “organization” in this context, as it does not always refer to the contractor implementing NIST SP 800-171. More on this shortly.

Let’s take a look at an ODP in NIST SP 800-171 revision 3, using control 03.01.11, which involves session termination. The control description includes the following:

"Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect]."

In this case, everything between the brackets [] is known as the “ODP Assignment.” As written, the control is missing a measurable condition, likely a duration (e.g., 24 hours), that would complete it. In NIST SP 800-171 revision 2, the corresponding control is similar, but not the same. Take a look:

"Terminate (automatically) user sessions after a defined condition."

Notice the absence of the ODP Assignment? In 800-171 revision 2, the defining is typically done by the DoD contractor or adopting organization, as there is no hard guidance or direction suggesting otherwise. With the inclusion of ODP Assignments in 800-171 revision 3, however, the DoD now has a mechanism to state what it expects the parameters to be. This is what we were alluding to a moment ago when we said that “organization” in ODP does not always mean the entity implementing the control. In this case, the organization is the DoD itself, and it has defined the parameters for the Defense Industrial Base (DIB) to implement.

How does one know, then, which 800-171 revision 3 controls have ODPs that the DoD has defined? Fantastic question! The answer comes from a memo released by the DoD on April 15th, 2025. When retrieving this document and navigating to the section covering control 03.01.11, we see the following:

[Image: ODP for Control 03.01.11 as Defined by DoD]

In this ODP, we can see that the DoD has set the maximum allowable time for automatic session termination due to inactivity at 24 hours. Note, though, that the DoD still gives contractors some flexibility here: your policy could be, for instance, 12 hours, so long as it does not exceed 24 hours. Furthermore, the DoD defines not only the session timeout parameter but also the “triggers,” or conditions, that should initiate a session termination (a policy violation, or issues pertaining to an upgrade or service outage).

Here is another ODP example, from control 03.01.01.g, which deals with notifying company personnel during various events:

"Notify account managers and designated personnel or roles within:
1. [Assignment: organization-defined time period] (03.01.01.g.01) when accounts are no longer required,
2. [Assignment: organization-defined time period] (03.01.01.g.02) when users are terminated or transferred, and
3. [Assignment: organization-defined time period] (03.01.01.g.03) when system usage or the need-to-know changes for an individual."

And the DoD’s definitions for these three parameters:

[Image: ODP for Control 03.01.01 as Defined by DoD]

In this case, there is still some variability, so long as the appropriate individuals are notified within 24 hours. This is why it is essential to familiarize yourself with this memo sooner rather than later: not only to understand what is coming, but to gauge how your current parameters compare to the DoD’s ODPs. We would not recommend waiting until NIST SP 800-171 revision 3 replaces revision 2 to start ensuring that your organization’s cybersecurity policies accord with these ODPs.

When it comes time for a CMMC assessment, the assessors will verify that your policies are commensurate with the DoD’s defined ODPs. We should clarify, however, that CMMC assessors will also be validating your practice against your own policy. For instance, if your policy is to notify company personnel of an employee leaving the organization within 12 hours of receiving notice, the assessors will a) check that the policy meets the DoD ODP (it does), then b) assess whether you actually notify within 12 hours.
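To make the two-step check concrete for both ODPs discussed above (the 24-hour inactivity ceiling for 03.01.11 and the 24-hour notification windows for 03.01.01.g), here is an added Python example. It is not part of the original post and is not Totem’s tool; the 24-hour ceilings are taken from the discussion above, while the contractor policy values, the control-ID keys, and the notification log are constructed for illustration. Step (a) compares each written policy value against the DoD ceiling; step (b) compares observed notification times against the contractor’s own (possibly tighter) window, which is where a 14-hour notification fails a 12-hour policy even though it is within the DoD’s 24 hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# DoD-defined ceilings, in hours, as described in the post: 24 hours of
# inactivity for 03.01.11 and 24 hours for each 03.01.01.g notification.
DOD_ODP_CEILING_HOURS: Dict[str, float] = {
    "03.01.11": 24,         # inactivity before automatic session termination
    "03.01.01.g.01": 24,    # notify when accounts are no longer required
    "03.01.01.g.02": 24,    # notify when users are terminated or transferred
    "03.01.01.g.03": 24,    # notify when usage or need-to-know changes
}

# Hypothetical contractor policy values (hours), constructed for this example.
# Two of them are tighter than the DoD ceiling, which the post says is allowed.
CONTRACTOR_POLICY_HOURS: Dict[str, float] = {
    "03.01.11": 12,
    "03.01.01.g.01": 24,
    "03.01.01.g.02": 12,
    "03.01.01.g.03": 24,
}


def check_policy_against_odp(policy: Dict[str, float],
                             ceilings: Dict[str, float]) -> Dict[str, bool]:
    """Step (a): each written policy value must not exceed the DoD ceiling.
    A control with no value in the policy counts as a failure."""
    return {cid: cid in policy and policy[cid] <= ceilings[cid] for cid in ceilings}


@dataclass
class NotificationEvent:
    """One account-lifecycle trigger and when account managers were told."""
    control: str
    trigger_time: datetime              # e.g. when HR notice was received
    notified_time: Optional[datetime]   # None if no notification was ever sent


def check_practice_against_policy(
        events: List[NotificationEvent],
        policy: Dict[str, float]) -> List[Tuple[str, Optional[float], bool]]:
    """Step (b): each observed notification must land inside the contractor's
    own window, not merely the DoD ceiling. Returns (control, hours, passed)."""
    results: List[Tuple[str, Optional[float], bool]] = []
    for ev in events:
        if ev.notified_time is None:
            results.append((ev.control, None, False))
            continue
        hours = (ev.notified_time - ev.trigger_time).total_seconds() / 3600
        results.append((ev.control, hours, hours <= policy[ev.control]))
    return results


def assess(policy: Dict[str, float], ceilings: Dict[str, float],
           events: List[NotificationEvent]) -> dict:
    """Run both steps and collect the findings an assessor would write up."""
    policy_ok = check_policy_against_odp(policy, ceilings)
    practice = check_practice_against_policy(events, policy)
    return {
        "policy_meets_dod_odp": all(policy_ok.values()),
        "policy_detail": policy_ok,
        "practice_total": len(practice),
        "practice_findings": [r for r in practice if not r[2]],
    }


# Constructed sample evidence: four HR-driven events and their notifications.
SAMPLE_EVENTS = [
    # 6.5 h after notice: inside the 12 h policy
    NotificationEvent("03.01.01.g.02", datetime(2025, 6, 2, 9, 0), datetime(2025, 6, 2, 15, 30)),
    # 14 h: inside the DoD's 24 h, but outside the contractor's own 12 h policy
    NotificationEvent("03.01.01.g.02", datetime(2025, 6, 3, 8, 0), datetime(2025, 6, 3, 22, 0)),
    # 23 h: inside the 24 h policy
    NotificationEvent("03.01.01.g.01", datetime(2025, 6, 4, 10, 0), datetime(2025, 6, 5, 9, 0)),
    # never notified: fails regardless of window
    NotificationEvent("03.01.01.g.03", datetime(2025, 6, 5, 10, 0), None),
]

if __name__ == "__main__":
    report = assess(CONTRACTOR_POLICY_HOURS, DOD_ODP_CEILING_HOURS, SAMPLE_EVENTS)
    print("Policy meets DoD ODP ceilings:", report["policy_meets_dod_odp"])
    for control, hours, _ in report["practice_findings"]:
        print(f"Finding: {control} notified after {hours} h "
              f"(policy window {CONTRACTOR_POLICY_HOURS[control]} h)")
```

Running the script reports that the policy values all sit at or under the DoD ceilings, then flags the two evidence records that miss the contractor’s own windows. Raising the 03.01.11 policy value above 24 hours would instead fail step (a) before any evidence is examined, which is the ordering the assessment described above follows.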

Wrapping up

This blog gave an overview of organization-defined parameters and why they matter for CMMC compliance. If you’ve not yet explored NIST 800-171 revision 3, our Totem™ CMMC Planning tool contains the latest 800-171 revision 3 standard. If you are a Managed Service Provider (MSP) assisting your clients with CMMC, don’t delay! Grab a free trial of our tool to explore what’s new and what’s changed, and to begin preparing. Otherwise, grab a seat in our next CMMC workshop, where we talk all about NIST 800-171 and upcoming revisions to this standard, including organization-defined parameters.

Thanks for reading!

Nathan
