NIST SP 800-171 has several dozen requirements that are hidden in plain sight, but most people are unaware they exist.
While they are not called out with the main NIST SP 800-171 requirements in chapter 3 (where most people focus their attention), Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO).
Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST SP 800-171 having to clarify them further. This creates a baseline of reasonable expectations for any government contractor to adhere to. The US government assumes that its contractors have sufficiently scoped cybersecurity policies, standards and procedures in place to establish and maintain a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cybersecurity incidents, per DFARS requirements. However, the incident response plan control (IR-08) is listed as an NFO control within NIST SP 800-171.
The intent of the NFO requirements is to ensure that security controls are deployed in a comprehensive manner that provides sufficient protection to address emerging threats. Therefore, if you are a government contractor, or hope to become one, you are strongly advised to review the complete listing of NIST SP 800-171 controls to see what gaps you may have.
NIST SP 800-171A is the authoritative source that assessors use and it identifies "specifications" that are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with in-scope systems. The assessment methods include examine, interview and test components. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.
Within the NIST SP 800-171A "potential assessment methods and objectives" section, you will consistently find requirements for policies, procedures and other written documentation. The only way to achieve compliance is through appropriate evidence of due diligence and due care, which is accomplished by having appropriate documentation. This can only be achieved with evidence that a reasonable cybersecurity program exists and is maintained, which is the entire point of NFO controls.