03.10.03 —
What this control requires
Source: NIST SP 800-171 R3 §03.10.03 (official control text).
Why this matters
This control requires organizations to protect the confidentiality of backup CUI by encrypting it. Backup media—whether tapes, external drives, cloud snapshots, or database dumps—often sits in less-secure environments: off-site storage facilities, contractor offices, or third-party data centers. Unencrypted backups become single points of catastrophic loss if stolen, lost in transit, or accessed by unauthorized personnel. Encryption ensures that even if physical media is compromised, the CUI remains unreadable without the corresponding decryption key. This control directly mitigates risks from theft, improper disposal, and insider threats targeting backup repositories.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls