NIST 800-171 assumes that your organization already has a comprehensive Information Security Program in place that includes ALL of the controls listed in Appendix E and labeled “NFO” that were tailored out of the baseline. These NFO controls are tailored out of the CUI requirements not because they are unnecessary, but because they are “expected to be routinely satisfied by non-federal organizations without specification.”
Included in this NFO list are the policies and procedures for each of the requirement families. These policies and procedures provide the foundation for your Information Security Program and will need to be developed.
If your organization has NOT established a comprehensive Information Security Program (perhaps you are a small subcontractor who has never been required to do this), you will need to do so now in order to begin the steps to comply with 800-171 and hold on to your contracts with the federal government (or with your prime).
The information in NIST SP 800-39, FIPS 199, NIST SP 800-30, NIST SP 800-37, and NIST SP 800-53 can help you understand how to approach information security risk, perform your risk assessments, select and implement controls, and establish a monitoring program using the risk management framework.
You will also need NIST SP 800-18 for help creating your system security plan (which is required for any system that touches CUI).
If all of this sounds way too daunting, you may want to consider getting help from a security professional or a Managed Service Provider with experience in setting up Information Security Programs and NIST 800-171 compliance.