Non-Federal Organization (NFO) Controls - NIST 800-171 Appendix E

Updated: Feb 18, 2018

NIST 800-171 has several dozen requirements that are hidden in plain sight, but most people are unaware they exist.

While it is not called out with the main NIST 800-171 requirements in chapter 3 (where most people focus their attention), Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO).

Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST 800-171 having to further clarify it - this creates a baseline for reasonable expectations for any government contractor to adhere to. The US government assumes that its contractors have sufficiently-scoped cybersecurity policies, standards and procedures in place to establish and maintain a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cybersecurity incidents, per DFARS requirements. However, the incident response plan control (IR-08) is listed as an NFO control within NIST 800-171.

The intent of the NFO requirements is to ensure that security controls are deployed in a comprehensive mannter that provides sufficient protection to address emerging threats. Therefore, if you are a government contractor, or hope to become one, you are strongly advised to review the complete listing of SP 800-171 controls to see what gaps you may have.


Recent Posts

See All