As of December 31, 2017, all covered contractor information systems will comply with NIST SP 800-171.
“Covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, ”Protecting Controlled Unclassified Information in Non- federal Information Systems and Organizations” (available via the internet at HTTP:// dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
The Contractor shall implement NIST SP 800–171 as soon as practical, but no later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800–171 not implemented at the time of contract award.
Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.