
NFO Controls – “What you Should be Doing Anyway”

In August 2015, NIST 800-171 listed 62 Non-Federal Organization (NFO) controls as “expected.” Think of the NFO controls as the ones you should already have in place. These additional 62 NIST controls, marked “NFO,” are not part of the “mandatory minimum”; the Government expects them to be satisfied as part of your existing security policy. NFO items include controls from every NIST category, from Access Control to System and Information Integrity, and they also introduce a new category, Planning. The SP 800-171 rule specifies a mandatory minimum baseline of risk mitigation effort; there is no option to accept a certain level of risk in lieu of the minimum security controls.

You will be expected to have ALREADY MET all NFO controls in an audit.

The NFO controls affect all 16 of the following categories:

  1. Planning
  2. Acquisition
  3. Configuration Management
  4. Identification & Authentication
  5. Incident Response
  6. Acquisition (SA-8)
  7. Maintenance
  8. Physical Security
  9. Risk Assessment
  10. Security Assessment (CA-2)
  11. Awareness & Training
  12. Contingency Planning
  13. Security Assessment
  14. Physical & Environmental Protection
  15. System & Comms Protection
  16. System & Information Integrity

At this point you may be asking, “Okay, but my company deals with Federal contracts, not DoD, so does this apply to me?” Great question. Even though FAR 52.204-21 does not contain the NFO requirements (it does reference NIST SP 800-171-like requirements), the “things you should be doing anyway” that NIST 800-171 calls out directly should be enforced behind the FAR 52.204-21 requirements as well.

Procedures drive your detailed documentation. If policies do not drive your procedures, then implementation, continuous monitoring, and improvement will fail.

Published March 9th, 2017 (page timestamp 2018-06-02T16:55:04+00:00) | Techni-Core Blog

About the Author:

Hi, everyone! My name is Jana Abbott Ricchetti, and I serve as Techni-Core's Team Lead, Project Manager for all IT and Cyber Security services, and Marketing/Business Development Manager. I am a graduate of Mississippi State University (Hail State!) with a degree in Communication Studies. I joined Techni-Core about four years ago. Over that time, I have worked with executive leadership to rebrand TCNS, expand service offerings, structure more successful and efficient compliance projects, and foster vendor relationships to serve all of our customers. The best part of my job is the reward of knowing that our services directly support the success of our customers; there is no better feeling! My customers are the bomb, and I am so honored that they trust me to manage their IT, Compliance, and Cyber services. I LOVE phone calls from customers, so give me a call any time you need anything; I am always happy to help.
