03.16.03 — (a) Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: {{ insert: param, A.03.16.03.ODP.01 }}. (b) Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers. (c) Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.

What this control requires

(a) Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: {{ insert: param, A.03.16.03.ODP.01 }}. (b) Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers. (c) Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.

Source: NIST SP 800-171 R3 §03.16.03 (official control text).

Why this matters

Organizations rarely operate in isolation — cloud providers, SaaS vendors, managed service providers, and contractors routinely handle controlled unclassified information. This control ensures external parties adhere to the same security standards your organization maintains. Without formal requirements and oversight, third parties become unmonitored weak links where CUI can leak, be misconfigured, or fall under foreign control. Documented roles clarify who owns encryption, incident response, and audit — preventing gaps where both parties assume the other is responsible. Ongoing monitoring catches drift when a vendor changes data centers, suffers a breach, or sunsets a security feature.

What evidence assessors expect

Assessors typically look for: signed letter, PDF, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.