- NIST SP 800-171 R2 has 110 CUI controls (Appendix D) plus 61 NFO controls (Appendix E). Both are required for DFARS compliance.
- NFO controls are expected to be routinely satisfied without specification. NIST considers them so fundamental that no additional guidance should be needed.
- You can technically be CMMC 2.0 compliant while non-compliant with DFARS because CMMC doesn't assess NFO controls, but DFARS requires all of NIST 800-171.
- Without NFO documentation (policies, procedures, governance), you cannot pass NIST SP 800-171A assessment objectives or accurately complete a SPRS self-assessment.
- In NIST 800-171 R3, all 61 NFO controls were absorbed into the CUI control set, making this distinction moot going forward.
Understanding NIST 800-171 NFO Controls
When you really read NIST SP 800-171 rev2, you will see that there are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 61 NFO controls that are expected to exist for any organization that stores, transmits or processes CUI. Directly from NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." If you take a moment to break down the meanings of each of those words you will see:
- Expected: Require (someone) to fulfill an obligation.
- Routinely: As part of a regular procedure rather than for a special reason.
- Satisfy: Adequately meet or comply with (a condition, obligation, or demand).
- Without: In the absence of.
- Specification: A detailed description of the criteria.
Taking that one step further and putting NFO control applicability in plain English, NFO controls are "required to be adequately fulfilled as part of the regular course of business, without the need for additional detailed instructions." NIST considers NFO controls to be so fundamental to an organization's cybersecurity program that it states no additional guidance on the subject is needed. The fundamental concept of NFO controls is that they are "business as usual" requirements that any reasonable business should already have in place.
NARA's CUI Notice 2020-04 specifies NIST SP 800-171A as the authoritative source that assessors use and identifies "specifications" that are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with in-scope systems. The assessment methods include examine, interview and test components. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.
Are NFO Controls Required For CMMC?
For CMMC 2.0, NFOs are not technically required. However, to comply with DFARS for NIST 800-171 R2, NFO controls are required. That means you could comply with CMMC but still not be compliant with the DFARS requirement to implement NIST 800-171 R2, which requires both CUI and NFO controls.
The requirement for NFO controls is stipulated in section 2.1 of NIST SP 800-171, where it states there are "three fundamental assumptions" to account for:
- Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;
- Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and
- The confidentiality impact value for CUI is no less than FIPS 199 moderate.
Where people tend to get confused with this is with the "no less than FIPS 199 moderate" statement:
- When you follow the footnote to the bottom of page 5 of NIST SP 800-171 rev2, it states “the moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200], which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.”
- From page 4 of FIPS 199, it states “…the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident...”
Within the footnotes of page 6 of NIST SP 800-171 rev2, NIST highlights the point about what constitutes a “comprehensive security program” for an organization that stores, transmits and/or processes CUI:
- The security requirements developed from the tailored [FIPS 200] security requirements and the [SP 800-53] moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program.
- The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program.
- Nonfederal organizations are encouraged to refer to Appendix E and [SP 800-53] for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.
Unlike CUI and NFO controls, FED and NCO controls are not integral to protecting CUI. The reason for this is that CUI and NFO controls are focused on confidentiality requirements, while FED controls are reserved for US Government usage and NCO controls are focused on integrity and availability. If you can address NCO controls as part of your security program, that is advisable since they focus on resiliency, but they are not a focus for NIST SP 800-171 or CMMC.
There is a slight "translation error" between the NIST SP 800-53 R4 and R5 versions that affects six NFO controls. Those six R4 NFOs map to seven R5 controls, one of which creates a new NFO requirement for MA-1. The other six R5 controls fall under controls that are already associated with a NIST SP 800-171 CUI control. Therefore, six of the seven mapped controls that were NFO controls under R4 are covered by CUI controls under R5:
- CA-3(5) > SC-7(5) [covered by NIST 800-171 3.13.6]
- CM-2(1) > CM-2 [covered by NIST 800-171 3.4.1 & 3.4.2]
- CM-8(5) > CM-8 [covered by NIST 800-171 3.4.1 & 3.4.2]
- MA-4(2) > MA-1 & MA-4 [partially covered by NIST 800-171 3.7.5]
- PL-2(3) > PL-2 [covered by NIST 800-171 3.12.1, 3.12.2, 3.12.3 & 3.12.4]
- RA-5(1) > RA-5 [covered by NIST 800-171 3.11.2 & 3.11.3]
NIST SP 800-171 R2 uses the following tailoring symbols to categorize how each security control relates to protecting CUI:
National Archives and Records Administration (NARA)
Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the National Archives and Records Administration (NARA) is designated as the US government's CUI Executive Agent to develop and issue directives as are necessary to establish uniform policies and practices for a government-wide CUI Program.
Additional insights from NIST SP 800-171, rev2:
- NARA plans to sponsor a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors.
- Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate a system on behalf of an agency, must comply with the requirements in [FISMA], including the requirements in [FIPS 200] and the security controls in [SP 800-53].
- The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation.
- Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality.
Without the documentation evidence that NFO controls fundamentally address (policies, standards, procedures, training records), you cannot accurately fill out a SPRS self-assessment, nor can you pass a CMMC L1 or L2 assessment. As compliance professionals say, if it's not documented, it doesn't exist.
Industry Implications For NFO Controls
What is groundbreaking about the NFO controls within NIST SP 800-171 is that NIST essentially created a benchmark that defines "reasonable" security expectations for private industry. Interestingly, most people are unaware of that. In particular, the NFO controls in NIST SP 800-171 set a precedent for what now constitutes minimum security requirements for non-governmental organizations, and the failure to live up to that expectation may be considered negligence on the part of an organization.
On the concept of negligence, DFARS 252.204-7012 calls out as part of the “adequate security” requirements that “the Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections… [NIST SP 800-171].” That callout is for NIST SP 800-171 as a whole and is not limited to the CUI controls. For an organization to not meet those requirements (without prior approval from the DoD) would put it in jeopardy of a False Claims Act (FCA) violation. However, on page 6 of NIST 800-171, NIST does recognize that 100% adoption is not always possible and indicates that a Plan of Action & Milestones (POA&M) is a legitimate tool to identify and manage instances of non-compliance through compensating controls: “Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement.”
As defined on the first page of Appendix E of NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." In this context, the term "without specification" means that NIST approaches these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization’s security program. As a case in point, an organization cannot legitimately implement a security program without policies and procedures, which are requirements that the “-1” NFO controls (e.g., AC-1, AT-1, AU-1, etc.) address as “basic expectations” for an organization to have.
Without the NFO controls (e.g., foundational policies & governance), it is not feasible for an organization to have appropriate evidence of due care and due diligence to withstand external scrutiny in an audit.
When you rent a car at the airport, you do not need to specify that the car is in working condition, has four (4) inflated tires, and is safe to operate. These are assumed requirements, and NFO controls work the same way. They are the "of course you have this" expectations for any organization handling CUI.
Furthermore, NIST lists additional assumptions underlying the basic security program expectations, namely that nonfederal entities:
- Have information technology infrastructures in place, and are not necessarily developing or acquiring systems specifically for processing, storing, or transmitting CUI;
- Have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the security requirements;
- May not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement; and
- Can implement a variety of potential security solutions directly or using external service providers (e.g., managed services) to satisfy security requirements.
The 61 NFO Controls (Appendix E)
ComplianceForge has several options for editable, professionally-written and affordable NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) documentation. This ranges from policies to standards, procedures, SSP templates, POA&M templates, and much more!
There are 61 total NFO controls in Appendix E of NIST SP 800-171 R2, which maintain their original control numbering from NIST SP 800-53:
