03.14.08 —
What this control requires
Source: NIST SP 800-171 R3 §03.14.08 (official control text).
Why this matters
When contracts end or projects conclude, CUI lingering on systems becomes a liability without purpose. Orphaned data expands the attack surface — more files to encrypt during ransomware, more records to breach, more compliance scope to audit — with zero business justification. This control enforces deliberate retention policies aligned with contractual obligations and NARA schedules, ensuring CUI is destroyed when its mission purpose expires. It protects the organization from accumulating digital debris that increases risk while delivering no operational value.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on 03.14.08.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →