Starting in October of 2016, the DoD issued the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting clause. A huge part of this regulation requires primes and their suppliers to implement NIST 800-171 and prove that they are compliant to better secure sensitive defense information.
The DoD set a deadline of December 31st, 2017, stating that all companies that hold CUI (Controlled Unclassified Information) must become compliant.
All of the following must be accomplished to adhere to DFARS 252.204-7012:
Contractors and subcontractors must have implemented NIST 800-171, Protecting CUI in Nonfederal Information Systems and Organizations to safeguard covered contractor information systems.
You must report cyber incidents that affect a covered contractor information system or covered defense information or your ability to perform the requirements of the contract.
If discovered and isolated in connection with a reported cyber incident, you must submit the malicious software to the DoD.
You must keep and protect all relevant information related to the cyber incident to prove compliance, should the DoD choose to conduct a damage assessment.
This can all be overwhelming.

We get that. The truth is, even the people who drafted these regulations get that. To complete this on your own, you would need either an extensive history of doing assessments like this, or an advanced knowledge of cyber security.
At ComplyUp, we’ve created assessment software that walks you through each NIST 800-171 requirement.
We break down each of the requirements in both layman’s terms and technical detail.
We’ll get you started with policy templates and evidence recommendations.
When you finish your assessment, you’ll have everything you need when you’re asked to submit compliance documentation.
We want to take the stress out of the compliance process and get you back to business as usual.
Let’s get NIST 800-171 out of the way.