The U.S. Department of Defense (DOD) issued an interim rule on December 30, 2015 that extended the deadline for DOD contractors to comply with security requirements for protecting non-classified, but sensitive government information until December 31, 2017. The rule followed a public meeting where contractors expressed concern and need for additional time to implement the requirements.
With the extension comes a requirement that contractors notify the DOD CIO of any unimplemented cybersecurity requirements within 30 days of being awarded a DOD contract. This means that the DOD can assess whether the contract will be awarded to a company based upon its implementation of the requirements, depending on the nature of the information that will be available to the contractor.
Even though an extension has been granted, DOD contractors may want to consider expediting compliance in order to be in the best position to win DOD contracts.