DFARS requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor that processes, stores, or transmits covered defense information. Failure to have or to progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.
