On December 30, 2015, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.

As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171. This current revision appears responsive to significant concerns raised by industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.
In the Federal Register notice, DoD states that it is granting additional time “for contractors to assess their information systems and to set forth an economically efficient strategy to implement the new security requirements at a pace that fits within normal information technology lifecycle timelines.”
Keep reading this article at: http://www.insidegovernmentcontracts.com/2015/12/time-is-on-my-side-dod-hears-industry-concerns-additional-time-provided-to-implement-security-controls-under-new-cyber-rule/