03.05.09 —
What this control requires
Source: NIST SP 800-171 R3 §03.05.09 (official control text).
Why this matters
Organizations must establish and maintain accurate inventories of systems that process, store, or transmit CUI. Without knowing what systems exist, where they live, and what they handle, you cannot protect them. This control prevents shadow IT proliferation, ensures all CUI-handling systems receive appropriate security controls, and enables rapid incident response when threats emerge. An outdated or incomplete inventory means unpatched systems, forgotten databases, and compliance blind spots that auditors and adversaries both exploit.
What evidence assessors expect
Assessors typically look for: CSV export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.05.09.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →