Your organization has until December 31, 2017 to implement NIST SP 800-171 if you have contracts with the United States Department of Defense (DoD) or are a subcontractor to a prime contractor with DoD contracts. This requirement is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS).
When dealing with the cyber security of your organization you have to evaluate your legal environment. Are there regulations put into place that can help regulate and maintain a safe and secure work environment? Is there a set policy framework for computer security guidance that will help me assess our cyber security readiness?