DFARS 252.204-7012 / NIST 800-171 Requirements - Non-Federal Organizations (NFO)

Have You Looked At Appendix E of NIST 800-171?

While they are not called out with the main NIST 800-171 requirements in chapter 3, Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO). Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST 800-171 having to specify them further. This creates a baseline of reasonable expectations for any government contractor to adhere to. The US government assumes that its contractors have sufficiently-scoped cybersecurity policies, standards and procedures in place to establish and maintain a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cybersecurity incidents, per DFARS requirements. However, the incident response plan control (IR-08) is listed as an NFO control within NIST 800-171.

The intent of the NFO requirements is to ensure that security controls are deployed in a comprehensive manner that provides sufficient protection to address emerging threats. Therefore, if you are a government contractor, or hope to become one, you are strongly advised to review the complete listing of SP 800-171 controls to see what gaps you may have.

Check out our NIST 800-171 Compliance Criteria (NCC), since that contains coverage for both the main NIST 800-171 compliance requirements, as well as the NFO requirements in Appendix E.

Scoping NIST 800-171 - Use PCI DSS As A Guide

Managing NIST 800-171 Scoping

If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) to comply with new security requirements using the systems and practices that contractors already have in place, rather than trying to use government-specific approaches. It also provides a standardized and uniform set of requirements for all [...]


Announcing The NIST 800-171 Compliance Criteria (NCC)

We listened to our customer needs for guidance on becoming compliant with NIST 800-171, so we created the NIST 800-171 Compliance Criteria (NCC) product. This took considerable time to develop and contains expectations and recommendations that a for-hire consultant would offer you. If you are just starting out on the path to become compliant with NIST 800-171, [...]


FTC - Data Security Considerations for "Unfair" Business Practices

Section 5 of the Federal Trade Commission Act (FTC Act) (15 USC 45) prohibits "unfair or deceptive acts or practices in or affecting commerce." The prohibition applies to all persons engaged in commerce - this includes online retailers or any business that maintains sensitive consumer information. In the data security context, the FTC has gone after companies [...]


Cybersecurity Risk Assessment Template

We are very pleased to announce that our Cybersecurity Risk Assessment Template is now available! We listened to our customers and we delivered - a simple, professional solution that will allow risk assessments to be performed without having to buy specialized tools or hire expensive consultants. What we did was modify templates that we use for our [...]


Customized Cybersecurity Policies & Standards

Ignorance is neither bliss, nor is it an excuse! That is a simple fact to keep in mind when you evaluate your information security program. Is it sufficient? Are we doing what a "reasonable person" would expect? In 2005, we started selling customized information security policies that could be downloaded from the Internet. We were the [...]


Understanding Compliance Needs

Understanding information security compliance requirements can be complex and the heavy lifting has already been done by cool feature that offers with its Written Information Security Program (WISP) and PCI DSS Data Security Policies & Standards solutions is reference material that can help you understand your scoping. Within the WISP and PCI DSS [...]


Why You Need To Be Compliant

Compliance with information security laws and contractual obligations can be daunting. Turning to professionals who understand information security best practices helps reduce the chance of negligence. Information security compliance is a broad topic and means different things to people, depending on what industries they work in and the scope of their customers and partners. For some, [...]
