Non-Federal Organization (NFO) controls are "expected to be routinely satisfied by non-federal organizations without specification." This is an often-overlooked reference from Appendix E of NIST 800-171.
In this context, the term "without specification" means that the National Institute of Standards and Technology (NIST) considers these requirements so basic that they do not need a detailed description. They are assumed requirements, in the same way that when you rent a car at the airport you do not need to specify a car that:
- In working condition,
- Has four (4) inflated tires, and
- Is safe to operate.
Those are reasonable specifications that do not need to be spelled out when you are selecting the car you want to rent. NIST has applied this common-sense approach to cybersecurity with NFO controls.
What is groundbreaking about the NFO controls is that NIST has essentially created a new benchmark that defines minimum security expectations for private industry. The NFO controls in NIST 800-171 set a precedent for what now constitutes "reasonable practices" in private industry, and failure to live up to that expectation may be considered negligence on the part of an organization.