NIST 800-171 Appendix E

CUI & NFO Controls

ComplianceForge is an industry-leader in NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) compliance, specializing in cybersecurity compliance documentation and products that include the policies, standards, procedures and POA&M/SSP templates that companies need to comply with NIST 800-171 and CMMC, regardless of size or industry. ComplianceForge has been writing cybersecurity documentation since 2005 and is committed to making NIST 800-171 compliance as easy and as affordable as possible. 


One specific area where ComplianceForge helps its clients with NIST 800-171 and CMMC compliance is that ComplianceForge products not only address the well-publicized Controlled Unclassified Information (CUI) controls, but also include the other required controls identified in Appendix E of NIST 800-171, the Non-Federal Organization (NFO) controls.

NIST 800-171, CMMC, FIPS 199, FIPS 200 & NIST 800-53 Tie-In

When you read NIST 800-171 rev2 closely, you will see that there are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 61 NFO controls that are expected to exist for any organization that stores, transmits or processes CUI.

The requirement for NFO controls is stipulated in section 2.1 of NIST 800-171, where it states there are "three fundamental assumptions to account for:

  1. Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;

  2. Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and

  3. The confidentiality impact value for CUI is no less than FIPS 199 moderate."

Where people tend to get confused is with the "no less than FIPS 199 moderate" statement:

  • When you follow the footnote to the bottom of page 5 of NIST 800-171 rev2, it states “the moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200], which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.”

  • From page 4 of FIPS 199, it states “…the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident...”


Within the footnotes of page 6 of NIST 800-171 rev2, NIST highlights the point about what constitutes a “comprehensive security program” for an organization that stores, transmits and/or processes CUI:

  • The security requirements developed from the tailored [FIPS 200] security requirements and the [SP 800-53] moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program.

  • The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program. 

  • Nonfederal organizations are encouraged to refer to Appendix E and [SP 800-53] for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.

In simple terms, this means the moderate control set of NIST 800-53 rev4 is applicable to any organization that stores, transmits and/or processes CUI.


National Archives and Records Administration (NARA)

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the National Archives and Records Administration (NARA) is designated as the US government's CUI Executive Agent to develop and issue directives as are necessary to establish uniform policies and practices for a government-wide CUI Program.


Additional insights from NIST 800-171, rev2:

  • page 2:

    • NARA plans to sponsor a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors.  

    • Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate a system on behalf of an agency, must comply with the requirements in [FISMA], including the requirements in [FIPS 200] and the security controls in [SP 800-53].

  • page 3:

    • The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation. Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality.


Industry Implications For NFO Controls

What is groundbreaking about the NFO controls within NIST 800-171 is that NIST essentially created a benchmark that defines "reasonable" security expectations for private industry. Interestingly, most people are unaware of that. In particular, the NFO controls in NIST 800-171 set a precedent for what now constitutes minimum security requirements for non-governmental organizations, and the failure to live up to that expectation may be considered negligence on the part of an organization.


On the concept of negligence, DFARS 252.204-7012 calls out as part of the “adequate security” requirements that “the Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections… [NIST SP 800-171].” That callout is for NIST SP 800-171 and does not mention just CUI controls. For an organization to not meet those requirements (without prior approval from the DoD) would put it in jeopardy of a False Claims Act (FCA) violation. However, on page 6 of NIST 800-171, NIST does recognize that 100% adoption is not always possible and indicates a Plan of Action & Milestones (POA&M) is a legitimate tool to identify and manage instances of non-compliance through compensating controls: “Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement.”


As defined on the first page of Appendix E of NIST 800-171, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." In this context, the term "without specification" means that NIST approaches these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization’s security program. As a case in point, an organization cannot legitimately implement a security program without policies and procedures, which are requirements that the “-1” NFO controls (e.g., AC-1, AT-1, AU-1, etc.) address as “basic expectations” for an organization to have.


Without the NFO controls (e.g., foundational policies & governance), it is not feasible for an organization to have appropriate evidence of due care and due diligence to withstand external scrutiny in an audit. These are assumed requirements, much like when you rent a car at the airport: you do not need to specify a car that:

  • Is in working condition,

  • Has four (4) inflated tires, and

  • Is safe to operate.


Furthermore, NIST lists additional assumptions underlying the basic security program expectations, namely that nonfederal entities:

  • Have information technology infrastructures in place, and are not necessarily developing or acquiring systems specifically for processing, storing, or transmitting CUI;

  • Have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the security requirements;

  • May not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement; and

  • Can implement a variety of potential security solutions directly or using external service providers (e.g., managed services) to satisfy security requirements.

Learn More About NFO & CUI Controls

ComplianceForge put together some concise resources for you to learn more about NFO, NCO and CUI controls:


ComplianceForge has several options for editable, professionally-written and affordable NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) documentation. This ranges from policies to standards, procedures, SSP templates, POA&M templates, and much more!

NIST 800-171 & CMMC Compliance Solutions