The new baseline for defense contractors - NIST 800-171 Appendix E - Non-Federal Organization (NFO) Controls

Posted by ComplianceForge on Jul 26th 2017

Non-Federal Organization (NFO) controls are "expected to be routinely satisfied by non-federal organizations without specification." This is an often-overlooked reference from Appendix E of NIST 800-171.

In this context, the term "without specification" means that the National Institute of Standards and Technology (NIST) considers these requirements too basic to need a detailed description. They are assumed requirements, much like when you rent a car at the airport and do not need to specify a car that:

  1. Is in working condition,
  2. Has four (4) inflated tires, and
  3. Is safe to operate.

Those are reasonable specifications that do not need to be spelled out when you are selecting the car you want to rent. NIST has applied this common-sense approach to cybersecurity with NFO controls.

What is groundbreaking about the NFO controls is that NIST has essentially created a new benchmark that defines minimum security expectations for private industry. The NFO controls in NIST 800-171 set a precedent for what now constitutes “reasonable practices” in private industry, and failure to live up to that expectation may be considered negligence on the part of an organization.

Page E-1 of http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf