DFARS 252.204-7012 / NIST 800-171 Requirements - Non-Federal Organizations (NFO)

Posted by ComplianceForge on Mar 30th 2017

Have You Looked At Appendix E of NIST 800-171?

While it is not called out with the main NIST 800-171 requirements in chapter 3, Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO). Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST 800-171 having to further clarify it - this creates a baseline for reasonable expectations for any government contractor to adhere to. The US government assumes that its contractors have sufficiently-scoped cybersecurity policies, standards and procedures in place to establish and maintain a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cybersecurity incidents, per DFARS requirements. However, the incident response plan control (IR-08) is listed as an NFO control within NIST 800-171.

The intent of the NFO requirements is to ensure that security controls are deployed in a comprehensive mannter that provides sufficient protection to address emerging threats. Therefore, if you are a government contractor, or hope to become one, you are strongly advised to review the complete listing of SP 800-171 controls to see what gaps you may have.

Check out our NIST 800-171 Compliance Criteria (NCC), since that contains coverage for both the main NIST 800-171 compliance requirements, as well as the NFO requirements in Appendix E.