NFO Controls – What you Should be Doing Anyway

In August 2015, NIST 800-171 listed 62 Non-Federal Organization (NFO) controls as “expected.” Think of NFO as the controls you should already have in place. The additional 62 NIST controls marked “NFO” are not part of the “mandatory minimum”; the Government expects them to be satisfied as part of your existing security policy. NFO items include controls covering every NIST category from Access Controls to Systems and Information Integrity, and they also include a new category, Planning. The SP 800-171 rule specifies a mandatory minimum baseline of risk mitigation effort. There is no option to accept a certain level of risk in lieu of the minimum security controls.

You will be expected to have ALREADY MET all NFO controls in an audit.

The NFO controls affect all 16 of the following categories:

  1. Planning
  2. Acquisition
  3. Configuration Management
  4. Identification & Authentication
  5. Incident Response
  6. Acquisition (SA-8)
  7. Maintenance
  8. Physical Security
  9. Risk Assessment
  10. Security Assessment (CA-2)
  11. Awareness & Training
  12. Contingency Planning
  13. Security Assessment
  14. Physical & Environmental Protection
  15. System & Comms Protection
  16. System & Information Integrity

At this point you may be asking, “Okay, but my company deals with Federal contracts, not DoD, so does this apply to me?” Great question. FAR 52.204-21 does not itself contain the NFO requirements, although it does reference NIST SP 800-171-like requirements. Even so, the “things you should be doing anyway” that NIST 800-171 calls out directly should be enforced behind the FAR 52.204-21 requirements as well.

Procedures drive your detailed documentation. If policies do not drive your procedures, then implementation, continuous monitoring, and improvement will fail.
