03.08.06: Withdrawn

9 min readLast verified: February 2026By

03.08.06 is a withdrawn requirement in NIST SP 800-171 Rev. 3, so you should not implement a standalone control for it. Operationalize it by documenting that it is withdrawn, mapping it to “not applicable (withdrawn)” in your control matrix and SSP, and retaining evidence that your program tracks requirement changes and maintains assessment-ready traceability. 1

Key takeaways:

  • Treat the 03.08.06: withdrawn requirement as a governance and traceability task, not a technical implementation task.
  • Examiners assess how you handle “withdrawn” items: clear mapping, rationale, and change control evidence prevent scoring confusion.
  • Keep your SSP/control matrix clean: mark withdrawn explicitly, point to the source, and ensure no orphan test procedures reference it.

A withdrawn control creates a different kind of risk than an unmet control: assessment confusion, inconsistent scoping, and documentation drift. For federal contractors and other nonfederal organizations handling CUI, NIST SP 800-171 Rev. 3 is often treated as a contractual baseline. That means your assessors, customers, primes, and internal audit teams expect your system security plan (SSP) and control implementation statements to line up with the current revision.

03.08.06 is explicitly labeled “Withdrawn” in NIST SP 800-171 Rev. 3. 1 The practical requirement for you as a CCO/GRC lead is to ensure your program recognizes that withdrawal, records it correctly, and does not accidentally test, attest to, or build process around a control that no longer exists. This page shows how to operationalize that quickly: what to put in your control matrix, what to update in the SSP, how to handle inherited controls and third-party attestations, what evidence to keep, and which audit questions to anticipate.

Regulatory text

Excerpt (framework text): “NIST SP 800-171 Rev. 3 requirement 03.08.06 (Withdrawn).” 1

Operator interpretation

There is no active control requirement to implement for 03.08.06 because it has been removed from the active set. Your operational obligation is documentation hygiene:

  • Do not design or test a dedicated control for 03.08.06.
  • Do maintain traceability by explicitly marking it as withdrawn in the places your program tracks requirements (control matrix, SSP, assessment procedures).
  • Do prevent “ghost requirements.” Make sure no policies, procedures, test scripts, or third-party questionnaires still reference 03.08.06 as if it were active.

If you can’t show clean traceability, assessors may treat the item as “missing,” or they may question the maturity of your requirements management process.

Plain-English interpretation of the requirement

03.08.06: withdrawn requirement means: “This control identifier exists historically, but NIST has removed it in Rev. 3; your compliance posture depends on documenting the withdrawal and ensuring your compliance artifacts reflect the current revision.” 1

This is a governance requirement in practice. The deliverable is not a security feature; it is accurate, revision-specific compliance documentation.

Who it applies to (entity and operational context)

This applies to:

  • Federal contractors and subcontractors that must align to NIST SP 800-171 for CUI handling as a contractual requirement.
  • Any nonfederal organization operating systems that store, process, or transmit CUI and uses NIST SP 800-171 Rev. 3 as the governing control set. 1

Operationally, this touches:

  • GRC/control owners maintaining the control matrix (or equivalent control catalog).
  • Security authors maintaining the SSP and implementation statements.
  • Internal audit / readiness teams maintaining test procedures and POA&M templates.
  • Third-party risk teams when questionnaires or contract exhibits reference legacy identifiers.

What you actually need to do (step-by-step)

Use this as a quick runbook.

1) Confirm the control status and record the source

  • Pull the primary source text and record the exact language indicating “Withdrawn.” 1
  • Record the governing revision: NIST SP 800-171 Rev. 3. 1

Output: A requirements register entry that states: “03.08.06 – Withdrawn 1.” 1

2) Update your control matrix (authoritative mapping)

In your control matrix row for 03.08.06:

  • Implementation status: “Not applicable – Withdrawn in Rev. 3”
  • Rationale: “Control withdrawn by NIST in NIST SP 800-171 Rev. 3; no implementation required.”
  • Evidence pointer: Link to your revision tracking record and the cited source excerpt. 1

If you maintain a crosswalk from Rev. 2 to Rev. 3, add a note that the identifier is retired and should not be tested.

3) Clean up the SSP and assessment narrative

In the SSP:

  • If you list requirements, keep 03.08.06 present only if your template requires all IDs, then mark it Withdrawn with the same rationale and source. 1
  • Remove any implementation statement that implies an active control (for example, “we do X to satisfy 03.08.06”).

In your assessment plan/test scripts:

  • Search for “03.08.06” and remove test steps.
  • Confirm your scoring worksheets won’t treat it as an unmet requirement.

4) Check dependent documents for “ghost references”

Run a targeted search across:

  • Policies and standards
  • Procedures and runbooks
  • Control testing workpapers
  • Customer/security questionnaires
  • Contract exhibits and security addenda
  • Third-party onboarding templates

Goal: No operational document should instruct staff to meet “03.08.06” as if it were enforceable.

5) Establish lightweight change control so this doesn’t recur

A withdrawn control is a forcing function: your program needs a repeatable way to manage revisions.

  • Add a “framework revision management” step to your GRC operating procedure.
  • Define who approves mapping changes (GRC lead + security owner).
  • Record the change ticket and the effective revision source. 1

If you use Daydream, treat this as a library hygiene task: keep the requirement present but flagged as withdrawn, and schedule a periodic evidence check that confirms your SSP/control matrix still reflects the current revision. 1

Required evidence and artifacts to retain

Auditors can’t “observe” a withdrawn control. They will ask for proof that your program is current and consistent. Retain:

Required artifacts (practical minimum)

  • Control matrix entry for 03.08.06 marked “Withdrawn” with rationale and citation. 1
  • SSP excerpt showing the same treatment (withdrawn/not applicable) and no conflicting statements. 1
  • Change record (ticket or memo) showing who updated mappings and when, tied to NIST SP 800-171 Rev. 3. 1
  • Search results or attestation that testing scripts and policy references were updated (export from document search, GRC platform report, or reviewer sign-off).
  • Framework source link in your repository pointing to the official publication/landing page. 1

Common exam/audit questions and hangups

Expect these, and pre-answer them in your artifacts:

  1. “Why is 03.08.06 marked N/A?”
    Answer with: “Withdrawn in NIST SP 800-171 Rev. 3,” and show the citation. 1

  2. “Are you following Rev. 3 or an earlier revision?”
    Be consistent across SSP, contracts, and customer commitments. If a customer contract references an earlier revision, document the contract-specific deviation and maintain a separate crosswalk.

  3. “How do you ensure withdrawn requirements are not still tested?”
    Provide your test script search result, updated assessment plan, and version-controlled workpapers.

  4. “Do any third parties claim compliance to 03.08.06?”
    This can happen when a third party uses an outdated questionnaire. Your remediation is to update templates and require third parties to align to the correct revision language.

Frequent implementation mistakes and how to avoid them

Mistake Why it hurts How to avoid it
Deleting 03.08.06 entirely from the matrix Assessors see gaps in numbering and assume missing work Keep the row, mark “Withdrawn,” add the source citation. 1
Leaving an old implementation statement in the SSP Creates an inconsistency: “withdrawn” but still “implemented” Run a structured search and require a second-person review before publishing SSP updates.
Continuing to test it Wastes time and can produce false findings Remove test procedures and lock your test library to the Rev. 3 set. 1
Letting third-party questionnaires reference it Third-party responses become non-comparable and confusing Update questionnaires and contract exhibits; add a revision header “NIST SP 800-171 Rev. 3.” 1

Enforcement context and risk implications

No public enforcement cases were provided for this specific requirement in the supplied sources. Practically, the risk is indirect:

  • Contractual risk: Customers may question your readiness if your SSP appears outdated or internally inconsistent.
  • Assessment risk: A withdrawn requirement mishandled can create “paper findings” that consume time and trigger corrective-action churn.
  • Program risk: Poor revision control suggests weak governance around CUI obligations even if technical safeguards are strong. 1

Practical 30/60/90-day execution plan

You asked for a plan you can run quickly; use these phases as a checklist.

First 30 days (stabilize and align)

  • Confirm the authoritative text that 03.08.06 is withdrawn and store it in your compliance library. 1
  • Update the control matrix row for 03.08.06 to “Withdrawn,” with rationale and citation. 1
  • Search SSP, test procedures, and policies for “03.08.06” and eliminate conflicts.
  • Create a single change record that ties all edits together for auditability.

Days 31–60 (clean downstream dependencies)

  • Update internal templates: POA&M template, control test scripts, evidence request lists, and risk/control self-assessment questionnaires.
  • Review third-party security questionnaires and contract exhibits for legacy references; publish an updated version labeled to NIST SP 800-171 Rev. 3. 1
  • Train control testers and internal audit on how withdrawn items should appear in workpapers.

Days 61–90 (operationalize revision management)

  • Add a “framework revision review” step to your GRC calendar and ownership model.
  • Implement a simple quality gate: no SSP publication without a control matrix-to-SSP reconciliation check.
  • If you use Daydream, configure a recurring evidence task that confirms 03.08.06 stays tagged as withdrawn and no tests are attached to it. 1

Frequently Asked Questions

If 03.08.06 is withdrawn, do we remove it from our SSP entirely?

Usually no. Keep the identifier in your mapping if your SSP/control matrix expects sequential IDs, and mark it “Withdrawn” with a citation to NIST SP 800-171 Rev. 3. 1

Could an assessor still ask about 03.08.06?

Yes, especially if they see it referenced in an older template or a customer questionnaire. Your response is to show the withdrawn status and demonstrate your revision control and documentation consistency. 1

What evidence is “enough” for a withdrawn requirement?

A clear control matrix entry, consistent SSP language, and a change record that shows you intentionally handled the withdrawal typically covers it. Tie each artifact back to NIST SP 800-171 Rev. 3. 1

Our prime contract references an older NIST SP 800-171 revision. What do we do?

Follow the contract’s stated baseline, then maintain a crosswalk showing how your current program maps to that baseline. Keep 03.08.06 documented according to the revision you are contractually obligated to follow, and document the rationale. 1

How should third-party risk teams handle withdrawn controls in questionnaires?

Update the questionnaire to the current revision and remove withdrawn items from scored sections. If you keep them for traceability, label them “Withdrawn” and exclude them from pass/fail scoring. 1

What’s the fastest way to prevent “ghost control” testing?

Lock your test procedure library to the current control set and run periodic keyword searches for retired control IDs in workpapers and templates. Keep the search output or reviewer sign-off as evidence. 1

Footnotes

  1. NIST SP 800-171 Rev. 3

Frequently Asked Questions

If 03.08.06 is withdrawn, do we remove it from our SSP entirely?

Usually no. Keep the identifier in your mapping if your SSP/control matrix expects sequential IDs, and mark it “Withdrawn” with a citation to NIST SP 800-171 Rev. 3. (Source: NIST SP 800-171 Rev. 3)

Could an assessor still ask about 03.08.06?

Yes, especially if they see it referenced in an older template or a customer questionnaire. Your response is to show the withdrawn status and demonstrate your revision control and documentation consistency. (Source: NIST SP 800-171 Rev. 3)

What evidence is “enough” for a withdrawn requirement?

A clear control matrix entry, consistent SSP language, and a change record that shows you intentionally handled the withdrawal typically covers it. Tie each artifact back to NIST SP 800-171 Rev. 3. (Source: NIST SP 800-171 Rev. 3)

Our prime contract references an older NIST SP 800-171 revision. What do we do?

Follow the contract’s stated baseline, then maintain a crosswalk showing how your current program maps to that baseline. Keep 03.08.06 documented according to the revision you are contractually obligated to follow, and document the rationale. (Source: NIST SP 800-171 Rev. 3)

How should third-party risk teams handle withdrawn controls in questionnaires?

Update the questionnaire to the current revision and remove withdrawn items from scored sections. If you keep them for traceability, label them “Withdrawn” and exclude them from pass/fail scoring. (Source: NIST SP 800-171 Rev. 3)

What’s the fastest way to prevent “ghost control” testing?

Lock your test procedure library to the current control set and run periodic keyword searches for retired control IDs in workpapers and templates. Keep the search output or reviewer sign-off as evidence. (Source: NIST SP 800-171 Rev. 3)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream