In August 2015, NIST SP 800-171 identified 62 controls as Non-Federal Organization (NFO) controls, meaning controls a non-federal organization is "expected" to satisfy already. Think of NFO as the controls you should already have in place: they are not part of the "mandatory minimum" baseline, because the Government assumes your existing security policy and program already satisfy them. NFO items span every NIST control family from Access Control through System and Information Integrity, and they add a family that does not appear in the mandatory minimum, Planning. Note that SP 800-171 specifies a mandatory minimum baseline of risk mitigation effort; there is no option to accept a certain level of risk in lieu of the minimum security controls.
You will be expected to have ALREADY MET all NFO controls in an audit.
The NFO controls touch every NIST control family, including:
- Access Control
- Awareness & Training
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Physical & Environmental Protection
- Planning
- Risk Assessment
- Security Assessment (e.g., CA-2)
- System & Services Acquisition (e.g., SA-8)
- System & Communications Protection
- System & Information Integrity
At this point you may be asking, "Okay, but my company deals with Federal contracts, not DoD, so does this apply to me?" Great question. FAR 52.204-21 does not invoke NIST SP 800-171 or its NFO list, although its basic safeguarding requirements resemble a subset of the 800-171 controls. Even so, the "things you should be doing anyway" that 800-171 calls out as NFO are the foundation behind the FAR 52.204-21 requirements as well, and you should enforce them there too.