For NIST 800-171, federal contracts often require the use of contractor-owned information systems to process federal information. These information systems do not always meet government security standards, which has led to information being compromised.
As a result, Defense Federal Acquisition Regulations (DFARS) stipulate that federal contractors and subcontractors that process, transmit or store sensitive information, or what the government calls Controlled Unclassified Information (CUI), must comply with the cybersecurity requirements listed in the National Institute of Standards and Technology (NIST) publication 800-171 (NIST 800-171).