Agencies are also allowed to accept to-do lists from vendors who need to keep working up to a point where they can self-attest their compliance with NIST guidance.
Article Link: OMB: New Acquisition Rule Coming for Vendors to Vouch for Their Software Security - Nextgov