Editorial: There is a lot of misconception about NFO controls. This page is focused on identifying the underlying requirements associated with NIST SP 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance. NFOs are a key piece to having appropriate evidence of due diligence and due care to address NIST SP 800-171 and CMMC compliance.
Non-Federal Organization (NFO) Controls: Appendix E NIST SP 800-171
It might be possible to be "compliant with CMMC 2.0" while being non-compliant with DFARS 252.204-7008/7012 and NIST SP 800-171. By willfully ignoring NFO controls, you can be in a state of non-compliance with both DFARS and NIST SP 800-171 while technically being "CMMC compliant," and that should concern businesses as they work through their CMMC compliance efforts:
DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, section (c)(1) requires contractors to "implement the security requirements specified by NIST SP 800-171"
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, section (b)(ii)(A) requires contractors to have NIST SP 800-171 controls implemented by 1 January 2018.
NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations, Appendix E identifies that both CUI and NFO controls are required for an organization to "comply" with NIST SP 800-171.
When you really read NIST SP 800-171 rev2, you will see that there are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 61 NFO controls that are expected to exist for any organization that stores, transmits or processes CUI. Directly from NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." If you take a moment to break down the meanings of each of those words you will see:
Expected - require (someone) to fulfill an obligation
Routinely - as part of a regular procedure rather than for a special reason
Satisfy - adequately meet or comply with (a condition, obligation, or demand)
Without - in the absence of
Specification - a detailed description of the criteria
Take that one step further to simplify the meaning of NFO control applicability in plain English, and NFO controls are "required to be adequately fulfilled as part of the regular course of business, without the need for additional detailed instructions." NIST considers NFO controls so fundamental to an organization's cybersecurity program that it states it does not need to provide additional guidance on the subject. The fundamental concept of NFO controls is that they are "business as usual" requirements that any reasonable business should already have in place.
NARA's CUI Notice 2020-04 specifies NIST SP 800-171A as the authoritative source that assessors use and identifies "specifications" that are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with in-scope systems. The assessment methods include examine, interview and test components. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.
Within NIST SP 800-171A "potential assessment methods and objectives" section, you will consistently find requirements for policies, procedures and other written documentation. The only way to achieve compliance is through appropriate evidence of due diligence and due care, which is accomplished by having appropriate documentation. This can only be achieved with evidence that a reasonable cybersecurity program exists and is maintained, which is the entire point of NFO controls.
From the CMMC L2 Assessment Criteria & Methodology, Assessment Objects (AOs) identify the specific items that will be assessed and include specifications, mechanisms, activities and individuals. "Specifications" are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
The bottom line is that without the documentation evidence that NFO controls fundamentally address:
You cannot accurately fill out a Supplier Performance Risk System (SPRS) self-assessment for the Department of Defense (DoD) without using the AOs from NIST SP 800-171A to evaluate the 110 CUI controls from NIST SP 800-171. The recurring requirement for policies, procedures and other documentation is exactly what the NFO controls from Appendix E of NIST SP 800-171 address.
You cannot pass a CMMC L1 or L2 assessment (self-attestation or third-party) without the documentation evidence of the due diligence and due care steps taken to address the controls (e.g., policies, standards, procedures, employee training records, etc.). A saying among compliance professionals is that "if it is not documented, then it doesn't exist," and that applies to CMMC self-assessments and third-party assessments alike.
What Is The Actual Requirement For NFO Controls?
The requirement for NFO controls is stipulated in section 2.1 of NIST SP 800-171, where it states there are "three fundamental assumptions" to account for:
Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;
Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and
The confidentiality impact value for CUI is no less than FIPS 199 moderate.
Where people tend to get confused is with the "no less than FIPS 199 moderate" statement:
When you follow the footnote to the bottom of page 5 of NIST SP 800-171 rev2, it states “the moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200], which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.”
From page 4 of FIPS 199, it states “…the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident...”
Within the footnotes of page 6 of NIST SP 800-171 rev2, NIST highlights the point about what constitutes a “comprehensive security program” for an organization that stores, transmits and/or processes CUI:
The security requirements developed from the tailored [FIPS 200] security requirements and the [SP 800-53] moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program.
The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program.
Nonfederal organizations are encouraged to refer to Appendix E and [SP 800-53] for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.
In simple terms, this means the moderate control baseline of NIST SP 800-53 rev4 is applicable to any organization that stores, transmits and/or processes CUI.
Note: Unlike CUI and NFO controls, FED and NCO controls are not integral to protecting CUI. The reason is that CUI and NFO controls are focused on confidentiality requirements, while FED controls are reserved for US Government use and NCO controls are focused on integrity and availability. Addressing NCO controls as part of your security program is advisable, since they focus on resiliency, but they are not a focus of NIST SP 800-171 or CMMC.
There is a slight "translation error" between the NIST SP 800-53 R4 and R5 versions that affects six NFO controls. Those six R4 NFOs map to seven R5 controls, one of which creates a new NFO requirement for MA-1. The other six R5 controls fall under controls that are already associated with a NIST SP 800-171 CUI control. Therefore, 6 of the 7 controls that are NFO controls under R4 become CUI controls under R5:
CA-3(5) > SC-7(5) [covered by NIST 800-171 3.13.6]
CM-2(1) > CM-2 [covered by NIST 800-171 3.4.1 & 3.4.2]
CM-8(5) > CM-8 [covered by NIST 800-171 3.4.1 & 3.4.2]
NARA plans to sponsor a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors.
Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate a system on behalf of an agency, must comply with the requirements in [FISMA], including the requirements in [FIPS 200] and the security controls in [SP 800-53].
The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation.
Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality.
Industry Implications For NFO Controls
What is groundbreaking about the NFO controls within NIST SP 800-171 is that NIST essentially created a benchmark that defines "reasonable" security expectations for private industry. Interestingly, most people are unaware of that. In particular, the NFO controls in NIST SP 800-171 set a precedent for what now constitutes minimum security requirements for non-governmental organizations, and failure to live up to that expectation may be considered negligence on the part of an organization.
On the concept of negligence, DFARS 252.204-7012 states as part of the "adequate security" requirements that "the Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections… [NIST SP 800-171]." That callout is for NIST SP 800-171 as a whole and does not mention just the CUI controls. For an organization to not meet those requirements (without prior approval from the DoD) would put it in jeopardy of a False Claims Act (FCA) violation. However, on page 6 of NIST SP 800-171, NIST does recognize that 100% adoption is not always possible and indicates that a Plan of Action & Milestones (POA&M) is a legitimate tool to identify and manage instances of non-compliance through compensating controls: "Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement."
As defined on the first page of Appendix E of NIST SP 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." In this context, the term "without specification" means that NIST approaches these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization’s security program. As a case in point, an organization cannot legitimately implement a security program without policies and procedures, which are requirements that the “-1” NFO controls (e.g., AC-1, AT-1, AU-1, etc.) address as “basic expectations” for an organization to have.
Without the NFO controls (e.g., foundational policies & governance), it is not feasible for an organization to have appropriate evidence of due care and due diligence to withstand external scrutiny in an audit. These are assumed requirements, in the same way that when you rent a car at the airport you do not need to specify a car that:
Is in working condition,
Has four (4) inflated tires, and
Is safe to operate.
Furthermore, NIST lists additional assumptions for the basic security program expectations, namely that nonfederal entities:
Have information technology infrastructures in place, and are not necessarily developing or acquiring systems specifically for processing, storing, or transmitting CUI;
Have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the security requirements;
May not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement; and
Can implement a variety of potential security solutions directly or using external service providers (e.g., managed services) to satisfy security requirements.