Non-Federal Organization (NFO) Controls - NIST 800-171 Appendix E

Updated: Feb 18, 2018

NIST 800-171 has several dozen requirements that are hidden in plain sight, but most people are unaware they exist.

While it is not called out with the main NIST 800-171 requirements in chapter 3 (where most people focus their attention), Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO).

Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST 800-171 having to further clarify it - this creates a baseline for reasonable expectations for any government contractor to adhere to. The US government assumes that its contractors have sufficiently-scoped cybersecurity policies, standards and procedures in place to establish and maintain a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cybersecurity incidents, per DFARS requirements. However, the incident response plan control (IR-08) is listed as an NFO control within NIST 800-171.

The intent of the NFO requirements is to ensure that security controls are deployed in a comprehensive mannter that provides sufficient protection to address emerging threats. Therefore, if you are a government contractor, or hope to become one, you are strongly advised to review the complete listing of SP 800-171 controls to see what gaps you may have.


Recent Posts

See All

Secure Controls Framework Council, LLC (SCF Council) disclaims any liability whatsoever for the use of this website or the Secure Controls Framework™ (SCF). Use at your own risk.


If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. This website is for educational purposes only and does not render professional services advice - it is not a substitute for dedicated professional services. There is no endorsement of any kind in the company listing of SCF Solution Providers - It is entirely your responsibility to conduct appropriate due care and due diligence in selecting and engaging with a consultant to assist in your implementation of the SCF.

SCF Council does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website, or its contents, is assumed by the user. ​


SCF Council reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

© 2019. Secure Controls Framework Council, LLC


  • White LinkedIn Icon
  • White Facebook Icon
  • White Twitter Icon
  • White Google+ Icon