NIST 800-171 Non-Federal Organization (NFO) Controls   

The security controls in Tables E-1 through E-14 of NIST 800-171 rev2 are taken directly from NIST 800-53 rev4. These NFO controls do not have a unique "NIST 800-171 control number" and are referred to only by the NIST 800-53 rev4 control from which they originate. There are 61 unique NFO controls, as listed below:

Control #  NIST 800-53 NFO Control Name
SA-10      Developer Configuration Management
SA-11      Developer Security Testing and Evaluation
SC-1       System and Communications Protection Policy and Procedures
SC-7(3)    Boundary Protection | Access Points
SC-7(4)    Boundary Protection | External Telecommunications Services
SC-20      Secure Name / Address Resolution Service (Authoritative Source)
SC-21      Secure Name / Address Resolution Service (Recursive or Caching Resolver)
SC-22      Architecture and Provisioning for Name/Address Resolution Service
SC-39      Process Isolation
SI-1       System and Information Integrity Policy and Procedures
SI-4(5)    Information System Monitoring | System-Generated Alerts
SI-16      Memory Protection
AC-1       Access Control Policy and Procedures
AT-1       Security Awareness and Training Policy and Procedures
AT-4       Security Training Records
AU-1       Audit and Accountability Policy and Procedures
CA-1       Security Assessment and Authorization Policies and Procedures
CA-2(1)    Security Assessments | Independent Assessors
CA-3       System Interconnections
CA-3(5)    System Interconnections | Restrictions on External System Connections
CA-7(1)    Continuous Monitoring | Independent Assessment
CA-9       Internal System Connections
CM-1       Configuration Management Policy and Procedures
CM-2(1)    Baseline Configuration | Reviews and Updates
CM-2(7)    Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas
CM-3(2)    Configuration Change Control | Test / Validate / Document Changes
CM-8(5)    Information System Component Inventory | No Duplicate Accounting of Components
CM-9       Configuration Management Plan
IA-1       Identification and Authentication Policy and Procedures
IR-1       Incident Response Policy and Procedures
IR-8       Incident Response Plan
MA-1       System Maintenance Policy and Procedures
MA-4(2)    Nonlocal Maintenance | Document Non-Local Maintenance
MP-1       Media Protection Policy and Procedures
PE-1       Physical and Environmental Protection Policy and Procedures
PE-6(1)    Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment
PE-8       Visitor Access Records
PE-16      Delivery and Removal
PL-1       Security Planning Policy and Procedures
PL-2       System Security Plan
PL-2(3)    System Security Plan | Plan / Coordinate with Other Organizational Entities
PL-4       Rules of Behavior
PL-4(1)    Rules of Behavior | Social Media and Networking Restrictions
PL-8       Information Security Architecture
PS-1       Personnel Security Policy and Procedures
PS-6       Access Agreements
PS-7       Third-Party Personnel Security
PS-8       Personnel Sanctions
RA-1       Risk Assessment Policy and Procedures
RA-5(1)    Vulnerability Scanning | Update Tool Capability
RA-5(2)    Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified
SA-1       System and Services Acquisition Policy and Procedures
SA-2       Allocation of Resources
SA-3       System Development Life Cycle
SA-4       Acquisition Process
SA-4(1)    Acquisition Process | Functional Properties of Security Controls
SA-4(2)    Acquisition Process | Design / Implementation Information for Security Controls
SA-4(9)    Acquisition Process | Functions / Ports / Protocols / Services In Use
SA-4(10)   Acquisition Process | Use of Approved PIV Products
SA-5       Information System Documentation
SA-9       External Information System Services
SA-9(2)    External Information System Services | Identification of Functions / Ports / Protocols / Services