These 2 seems to significantly overlap. Today which one do defense contractors have to meet? Just one or both? I am confused about what is required. is nist 800-171r3 being the standard enforced? Which one is enforcing it dfars or CmmC or both?

From what I am reading in nist 800-171r3 is it is saying all data from storage to transmission needs to be encrypted. Putting all your network devices in fips mode wouldn't even cover this because site to site VPN doesn't cover all layers of transmission. Only is done at the wan edge. Not the internal networks.

Is this asking for something like global protect that does sslvpn across all laptops. Everywhere?