In my current “day job” I work for the DoD.
Your NIST 800-171 requirements are all about protecting unclassified information that shouldn’t be shared. If your contract is with a civilian company, then you need to make sure that your phone system can’t leak information of possible use to adversaries. This means reading through the checklist for double protection of data (two-factor authentication, for example) and other specific items. There should be a good checklist in https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/archive/2016-12-20 that gives you the run-down you need. The good news is that, in general, it’s pretty easy to do if you are working with a company that’s working with the government.
DFARS 252.204-7012 is mostly about incident reporting, which means if you have a CUI disclosure, you are obligated to report it and have a process in place to do that.
Neither of these is hard to get through, and there are checklists galore (including from the government) that can walk you through the processes of getting squared away on this stuff. If it were me, I’d just follow the docs.