I have a medium sized business customer that I have been working on getting DEFARS / NIST compliant over the past few months. We had a company called OnCall Computer Solutions come in to train us, write our policies and help us with the other required steps which include submitting our SPRS score and sign up for Identrust which is needed for the compliance. They also made us a sort of punch list (POAM) for things we needed to get done after they did an evaluation on everything we had setup already. I have to say so far after getting about 80% done it is very expensive and a lot of work for sure. Basically its locking everything down as much as possible and having to document everything, along with having a good incident response plan. There's more to it than that but that's the jist of it from what my brain can think of now lol.
