bigforceone

03.12.05

What this control requires

(a) Approve and manage the exchange of CUI between the system and other systems using [organization-defined parameter A.03.12.05.ODP.01].
(b) Document interface characteristics, security requirements, and responsibilities for each system as part of the exchange agreements.
(c) Review and update the exchange agreements [organization-defined parameter A.03.12.05.ODP.02].

Source: NIST SP 800-171 R3 §03.12.05 (official control text).

Why this matters

When your organization shares Controlled Unclassified Information with partners, vendors, or other systems, you create a potential leak path if those external parties have weaker security. This control requires formal, documented agreements that spell out exactly what security measures each side must maintain, how data will be protected in transit and at rest, and who is responsible when something goes wrong. It prevents informal, undocumented data sharing that bypasses your security architecture and ensures every external connection has undergone risk review and approval.

What evidence assessors expect

Assessors typically look for: signed letter, CSV export, PDF, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
