On October 8, DoD issued a class deviation to the August 26 interim DFARS rule we reported on here which called for contractors working with covered defense information (which includes export-controlled information) to implement security requirements contained in NIST Special Publication (SP) 800-171.  The class deviation allows offerors up to nine (9) months, after contract award, to comply with the derived security requirement 3.5.3 “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts” within NIST Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.  Offerors must notify the contracting officer is the additional time for compliance will be necessary.  A copy of the class deviation is available here.