03.04.11 — (a) Identify and document the location of CUI and the system components on which the information is processed and stored. (b) Document changes to the system or system component location where CUI is processed and stored.

What this control requires

(a) Identify and document the location of CUI and the system components on which the information is processed and stored. (b) Document changes to the system or system component location where CUI is processed and stored.

Source: NIST SP 800-171 R3 §03.04.11 (official control text).

Why this matters

Organizations must maintain an accurate inventory of where Controlled Unclassified Information lives and moves through their systems. Without this mapping, security teams cannot apply appropriate protections, respond to breaches, or prove compliance during audits. This control prevents CUI from spreading untracked across file shares, cloud storage, endpoints, and collaboration tools. It ensures that when a system component is decommissioned or relocated, the organization knows whether sensitive data traveled with it and can account for proper handling. The threat mitigated is unauthorized disclosure through lost visibility—data living in forgotten locations where access controls, encryption, and monitoring have lapsed.

What evidence assessors expect

Assessors typically look for: CSV export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.