CMMC 2.0 - NFO Controls

“NFO” Controls: Important Distinction for Organizations Seeking Certification (OSC)

There is a little known aspect of NIST SP 800-171 known as "NFO" controls. "NFO" controls are found in appendix E of the NIST SP 800-171 documentation. "NFO" is one of the tailoring criteria used in deriving CUI controls/practices from NIST SP 800-53 for NIST SP 800-171 and it refers to practices that are "expected to be routinely satisfied by nonfederal organizations without specification". So, it is assumed and expected that OSCs are implementing these "NFO" controls. The challenge is that many OSCs are not aware of the "NFO" controls and are not implementing these controls.

To make matters worse, the CMMC 2.0 released this week, on November 4th, 2021, states that CMMC 2.0 eliminates all maturity processes. Many OSCs are already interpreting that statement to mean that maturity processes will be out of scope for CMMC assessments; however, under the current CMMC assessment guidance, those maturity processes will be in scope for CMMC assessments because of "NFO" controls.

What does this mean for OSC?

To avoid surprises on assessment day, OSCs should plan for and account for maturity processes in their CMMC assessment preparation.

Although CMMC 2.0 "eliminated" maturity processes, OSCs are still "on the hook" for these practices during a CMMC assessment under the current CMMC assessment guidance because of "NFO" controls.