
Editorial: There is a lot of misconception about NFO controls. This page focuses on identifying the underlying requirements associated with NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) compliance. NFO controls are a key piece of having appropriate evidence of due diligence and due care when addressing NIST SP 800-171 and CMMC compliance.

NIST 800-171 R2 - Non-Federal Organization (NFO) Controls

It is possible to be "compliant with CMMC 2.0" while being non-compliant with DFARS 252.204-7008/7012 and NIST SP 800-171. By willfully ignoring NFO controls, an organization can be in a state of non-compliance with both DFARS and NIST SP 800-171 while technically being "CMMC compliant." That should be a concern for businesses as they work through their CMMC compliance efforts:

When you really read NIST SP 800-171 rev2, you will see that there are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 61 NFO controls that are expected to exist in any organization that stores, transmits or processes CUI. Directly from NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." If you take a moment to break down the meaning of each of those words, you will see:

Taking that one step further to simplify the meaning of NFO control applicability in plain English, NFO controls are "required to be adequately fulfilled as part of the regular course of business, without the need for additional detailed instructions." NIST considers NFO controls to be so fundamental to an organization's cybersecurity program that it states it does not need to provide additional guidance on the subject. The fundamental concept of NFO controls is that they are "business as usual" requirements that any reasonable business should already have in place.

NARA's CUI Notice 2020-04 specifies NIST SP 800-171A as the authoritative source that assessors use. NIST SP 800-171A identifies "specifications" as the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with in-scope systems. Its assessment methods include examine, interview and test components. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence. In practice, this means an assessor will ask to see the policies, standards and procedures that the NFO controls require; without those artifacts, there is nothing to examine.

The bottom line is that, without the documentation evidence that NFO controls fundamentally address:

What Is The Actual Requirement For NFO Controls?

The requirement for NFO controls is stipulated in section 2.1 of NIST SP 800-171, which states that there are "three fundamental assumptions" to account for:

    1. Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;
    2. Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and
    3. The confidentiality impact value for CUI is no less than FIPS 199 moderate.

Where people tend to get confused with this is the "no less than FIPS 199 moderate" statement:

Within the footnotes on page 6 of NIST SP 800-171 rev2, NIST highlights what constitutes a "comprehensive security program" for an organization that stores, transmits and/or processes CUI:

[Image: footnote from NIST SP 800-171 rev2 on the comprehensive security program expected of nonfederal organizations]

In simple terms, this means the moderate baseline of NIST SP 800-53 rev4 is applicable to any organization that stores, transmits and/or processes CUI.

[Image: NIST SP 800-171 Appendix E, tailoring of the NIST SP 800-53 moderate baseline into CUI, NFO, FED and NCO controls]

Note: Unlike CUI and NFO controls, FED and NCO controls are not integral to protecting CUI. CUI and NFO controls are focused on confidentiality requirements, while FED controls are reserved for US Government usage and NCO controls are focused on integrity and availability. Addressing NCO controls as part of your security program is advisable, since they focus on resiliency, but they are not a focus of NIST SP 800-171 or CMMC.

There is a slight "translation error" between the NIST SP 800-53 R4 and R5 versions that affects six NFO controls. Those six R4 NFO controls map to seven R5 controls. One of the seven, MA-1, creates a new NFO requirement. The other six fall under R5 controls that are already associated with a NIST SP 800-171 CUI control. Therefore, six of the seven controls that are NFO controls under R4 become CUI controls under R5:

National Archives and Records Administration (NARA)

Executive Order 13556, Controlled Unclassified Information (November 4, 2010), designates the National Archives and Records Administration (NARA) as the US government's CUI Executive Agent, responsible for developing and issuing the directives necessary to establish uniform policies and practices for a government-wide CUI Program.

Additional insights from NIST SP 800-171, rev2:

Industry Implications For NFO Controls

What is groundbreaking about the NFO controls within NIST SP 800-171 is that NIST essentially created a benchmark that defines "reasonable" security expectations for private industry. Interestingly, most people are unaware of that. In particular, the NFO controls in NIST SP 800-171 set a precedent for what now constitutes minimum security requirements for non-governmental organizations, and failure to live up to that expectation may be considered negligence on the part of an organization.

On the concept of negligence, DFARS 252.204-7012 calls out as part of its "adequate security" requirements that "the Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections… [NIST SP 800-171]." That callout is for NIST SP 800-171 as a whole; it does not limit itself to the CUI controls in Appendix D. For an organization not to meet those requirements (without prior approval from the DoD) would put it in jeopardy of a False Claims Act (FCA) violation. However, on page 6 of NIST SP 800-171, NIST does recognize that 100% adoption is not always possible. A Plan of Action & Milestones (POA&M) is the legitimate tool for identifying and managing instances of non-compliance, and NIST explicitly allows compensating measures: "Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement."

As defined on the first page of Appendix E of NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." In this context, "without specification" means that NIST treats these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization's security program. As a case in point, an organization cannot legitimately implement a security program without policies and procedures, which is exactly what the "-1" NFO controls (e.g., AC-1, AT-1, AU-1, etc.) require as "basic expectations" for an organization to have.

Without the NFO controls (e.g., foundational policies and governance), it is not feasible for an organization to have appropriate evidence of due care and due diligence to withstand external scrutiny in an audit. These are assumed requirements, much like when you rent a car at the airport and do not need to specify a car that is:

Furthermore, NIST lists additional assumptions about the basic security program expectations for nonfederal entities:

There are 61 total NFO controls in Appendix E of NIST SP 800-171 R2, which retain their original control numbering from NIST SP 800-53:

Learn More About NFO & CUI Controls

ComplianceForge has several options for editable, professionally-written and affordable NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) documentation. This ranges from policies to standards, procedures, SSP templates, POA&M templates, and much more.
