What are NFO Controls? NIST SP 800-171

NIST SP 800-171 and NFO Controls

In the landscape of NIST SP 800-171, DFARS 252.204-7012, and CMMC, there is one lurking, rarely discussed requirement set: the NFO controls. What are they, and why do they matter to us? NFO controls are called out in NIST SP 800-171 (called 171 from here on) through its assumptions and tailoring criteria, but they are not specified among the actual requirements of 171. Does that mean you don't need to worry about them in order to submit a score of 110 for your 171 self-assessment? No! In fact, the opposite is true.

When 171 was being written, certain controls were considered so basic and fundamental to any functioning information security program that they were assumed to already exist in your business environment. The NFO controls are not called out in the body of 171 because 171 treats itself as an addition to an already existing information security infrastructure. 171 does not prescribe a security infrastructure; it states the additional requirements your environment must meet to ingest CUI. The exact verbiage is as follows:
"The security requirements developed from the tailored [FIPS 200] security requirements and the [SP 800-53] moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program."
How do I know what the NFO controls are?

The NFO controls are not meant to be some mystery or gatekeeping tactic predicated on your knowledge of information security meeting a certain unspoken threshold. They are laid out clearly in the tailoring criteria in Appendix E of 171, where NFO marks the controls that nonfederal organizations are expected to satisfy routinely without specification. If you head over to 171 here and scroll down to Appendix E, you will see the NIST SP 800-53 controls that have been marked as NFO and are therefore not listed in the main body of the document.

Looking through the tables, you will see a pattern emerge. Most of the NFO controls are high-level, policy-based, and maintenance-based. They are the things that should exist in any business but are all too often overlooked by small to medium-sized businesses because they were never "big enough" to warrant such a policy body. However, the federal government does not care, and 171 is the "you must be this tall to ride" for CUI.

Without a policy body governing the behavior of everyone in the business, there is no way that a consistent, mature information security program can exist. It is easy to think that if you just check the boxes of 171 you will be good to go anyway, but that is a naive way of thinking. If you implement network separation and MFA on accounts but have no guidance in place as to why those rules exist, what the goals of the environment are, or how the business function is served by any of them, the controls will become isolated thorns and annoyances in the operation of the business. There must be a foundation before you can build a castle.
What happens if I don't have the NFO controls?

If you don't want to take the time to create the policies and meet the other NFO controls, you will not pass your audits, and you will not reach the CMMC maturity levels. The federal government is the ultimate risk owner when it comes to CUI, so it gets to decide the rules for who is allowed to see CUI.
How do you make a useful policy?

That is a whole topic that is out of scope for this article. The specifics of a policy will change from organization to organization, but there is a whole ethos dedicated to good policy writing practice. If you want help meeting the NFO controls, building out your policy body for information security, or any other cybersecurity consulting services, you can contact us at Trawvid Sec.
