03.01.19 —
What this control requires
Source: NIST SP 800-171 R3 §03.01.19 (official control text).
Why this matters
This control addresses the protection of Controlled Unclassified Information (CUI) when accessed or processed on external systems not directly managed by the organization, such as contractor laptops, partner networks, or cloud services outside organizational boundaries. When CUI leaves your controlled environment, the risk of unauthorized disclosure, modification, or loss increases dramatically. Adversaries specifically target less-secured external systems as entry points to sensitive data. Without explicit terms of use, security requirements, and verification mechanisms for external systems, the organization cannot ensure consistent protection of CUI across its entire processing lifecycle, potentially exposing defense information to compromise.
What evidence assessors expect
Assessors typically look for: PDF, CSV export, screenshot, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls