bigforceone
NIST 800-171 r3 · System and Communications Protection

03.13.08

What this control requires

Source: NIST SP 800-171 R3 §03.13.08 (official control text).

Why this matters

CUI travels across networks and sits on disks, USB drives, cloud storage, and backup systems. Without encryption, an attacker with physical access to a device, network tap, or cloud account can read your controlled data in plaintext. This control mandates cryptographic protection both in transit (while data moves between systems) and at rest (while stored on any medium). It closes the gap between access controls and actual data exposure — even if someone bypasses authentication, encrypted data remains unreadable without the key. This applies to internal file shares, email, API calls, database backups, decommissioned hard drives, and portable media.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

SC.L2-3.13.8

See your live posture on 03.13.08.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →
← All controls