03.10.04: Withdrawn

03.10.04 in NIST SP 800-171 Rev. 3 is withdrawn, so you do not implement a standalone control for it. You still need to account for it explicitly in your System Security Plan (SSP) and assessment mapping by marking it “Withdrawn,” documenting “Not Applicable (Withdrawn by NIST),” and confirming your POA&M and evidence strategy doesn’t accidentally treat it as a gap. ¹

Key takeaways:

• Treat 03.10.04 as a documentation and scoping requirement, not an engineering task. ¹
• Your job is to prevent assessment confusion: clean mappings, clear “withdrawn” rationale, and no POA&M items tied to it. ¹
• Keep proof: SSP control matrix entries, assessor notes, and governance sign-off that the requirement is withdrawn. ¹

A withdrawn requirement creates a predictable failure mode during CUI audits: teams either (1) ignore it and look sloppy in their SSP/control matrix, or (2) build unnecessary controls and still fail because the documentation is inconsistent. Requirement 03.10.04 in NIST SP 800-171 Rev. 3 is explicitly labeled “Withdrawn,” which means NIST removed it from the active requirement set. ¹

For a Compliance Officer, CCO, or GRC lead, the practical question is simple: how do you represent “withdrawn” correctly across your SSP, assessment approach, and POA&M so an assessor can trace your compliance posture without friction. This page gives you an operator-focused playbook: applicability decisioning, what to write in the SSP, what evidence to retain, how to handle tooling and third-party questionnaires, and what auditors tend to challenge.

If you run GRC workflows in Daydream (or any equivalent system), this is also a hygiene requirement: your control library and mappings must reflect the withdrawn status so you don’t create false gaps, false remediation work, or misleading metrics.

Regulatory text

Excerpt: “NIST SP 800-171 Rev. 3 requirement 03.10.04 (Withdrawn).” ¹

What the operator must do

Because the requirement is withdrawn, the operational requirement is: document the withdrawn status and remove it from your implementation and remediation scope, while preserving traceability in your compliance artifacts. You are aiming for a clean assessor experience:

• The requirement appears in your control matrix as Withdrawn.
• There is no technical or procedural implementation claimed for 03.10.04.
• There is no POA&M item attempting to “fix” 03.10.04.
• Your assessment method acknowledges it as withdrawn, so testing steps are not invented. ²

Plain-English interpretation (what “Withdrawn” means in practice)

“Withdrawn” means NIST removed this requirement from Rev. 3. Your organization is not expected to design, implement, or test a discrete safeguard for 03.10.04 as written, because there is no active requirement text to implement.

Your obligation shifts to governance and documentation correctness:

• Don’t claim coverage for something that doesn’t exist.
• Don’t leave the line item blank (blank looks like an omission).
• Don’t carry a “gap” for it (a gap implies a requirement still exists).
• Do ensure your SSP and assessment artifacts show that you recognized it and handled it intentionally. ¹

Who it applies to

Entity types

This guidance applies to organizations that must align to NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), commonly:

• Federal contractors and subcontractors
• Any nonfederal organization operating systems that handle CUI for a federal mission or contract flow-down ¹

Operational context

You will touch this requirement in three places:

1. SSP/control matrix: requirement-to-implementation mapping and applicability notes
2. Assessment preparation: internal testing and assessor walkthrough mapping aligned to assessment expectations ³
3. POA&M governance: ensuring only real requirements become remediation workstreams ¹

What you actually need to do (step-by-step)

Step 1: Update your control library entry for 03.10.04

• Set status to Withdrawn ¹.
• Disable any inherited “expected evidence” templates for this item.
• Add a short standard note that your organization uses consistently:
  “Not applicable: Requirement withdrawn in NIST SP 800-171 Rev. 3; no implementation or assessment required.” ¹

Practical tip: If your tooling forces a pass/fail, treat “Withdrawn” as a third state. If the tool cannot, mark “N/A” and encode “Withdrawn” in the rationale field.

Step 2: Fix the SSP mapping so it is unambiguous

In your SSP (or SSP control matrix appendix), create an entry for 03.10.04 with:

• Requirement identifier: 03.10.04
• Implementation: “Withdrawn”
• Responsible owner: “GRC / Compliance” (ownership is about documentation control, not engineering)
• Applicability rationale: “Withdrawn in Rev. 3”
• Related references: pointer to the Rev. 3 publication ¹

What assessors want: a traceable matrix. A withdrawn line item is normal if it is explicit and consistent across artifacts.

Step 3: Remove or prevent POA&M items tied to 03.10.04

• Search your POA&M backlog for “03.10.04” or the old control title (if any legacy mapping exists).
• Close items that exist only to satisfy 03.10.04, with closure reason: “Requirement withdrawn in Rev. 3; remediation not required.”
• If a POA&M item is real but was mis-tagged, re-tag it to the correct active requirement and preserve the audit trail in the ticket comments. ¹

Hangup: Teams sometimes leave a “gap” open because dashboards demand perfection. That creates noise and can confuse leadership and assessors.

Step 4: Align your assessment approach (internal or independent)

Even though there’s no test to perform for a withdrawn requirement, you still need to ensure your assessment package does not imply missing evidence.

• In your assessment procedures index, list 03.10.04 as “Withdrawn; no test performed.”
• If you are using NIST SP 800-171A-derived methods, add an assessor note: “No determination required; withdrawn in the base requirement set.” ³

Step 5: Control crosswalk hygiene (avoid downstream contradictions)

If you maintain crosswalks (e.g., to ISO 27001, NIST SP 800-53, or internal policies), validate:

• No policy cites “03.10.04” as a requirement to meet.
• No procedure references “03.10.04” in step text or training materials.
• No third-party due diligence questionnaire response claims you meet 03.10.04 through a specific control.

If your commercial or customer questionnaires ask about it, answer plainly: “Withdrawn in Rev. 3; not applicable,” and offer the SSP excerpt if needed. ¹

Step 6: Governance sign-off (lightweight but real)

Create a short record that compliance leadership approved the withdrawn treatment:

• Decision: “03.10.04 is Withdrawn; tracked as N/A (Withdrawn)”
• Date/version of SSP updated
• Approver: CISO, ISSM, or GRC lead (whoever owns SSP accuracy)

This prevents re-litigation during personnel changes.

Required evidence and artifacts to retain

You are retaining evidence of correct handling, not evidence of technical operation.

Minimum artifacts:

• SSP control matrix entry showing 03.10.04 marked Withdrawn with rationale ¹
• Control library record or GRC system screenshot/export showing “Withdrawn” status
• POA&M extract/search results demonstrating there are no open items for 03.10.04 (or closure notes if you retired one)
• Assessment notes (internal or external) stating “Withdrawn; no test” consistent with your assessment approach ³
• Change log: ticket or SSP revision history reflecting the update and approver sign-off

Daydream operationalization (earned mention): store the “Withdrawn” rationale once as a standardized control note, then propagate it to SSP mappings and assessment packets so every export stays consistent across customers, auditors, and internal stakeholders.

Common exam/audit questions and hangups

Expect these questions and prepare crisp responses:

1. “Why is 03.10.04 marked N/A?”
   Answer: “It is withdrawn in NIST SP 800-171 Rev. 3; there is no implementation text to satisfy.” ¹

2. “Show me where you documented that.”
   Provide SSP control matrix entry and the mapping rationale.

3. “Did you replace it with another control?”
   You generally should not invent replacements. If your internal control set covers similar intent (from a legacy program), you can mention it as an internal safeguard, but keep it separate from claiming compliance to 03.10.04. ¹

4. “Why does your POA&M still reference it?”
   This is a credibility hit. Clean it up before the audit.

Frequent implementation mistakes (and how to avoid them)

Mistake	Why it happens	What to do instead
Leaving 03.10.04 blank in the SSP	People assume “withdrawn” means “ignore”	List it and mark Withdrawn with rationale. 1
Creating a compensating control	Teams hate “unmapped” items	Don’t build controls to satisfy a non-requirement; focus on active requirements. 1
Keeping a POA&M gap open	Tooling metrics pressure	Close or re-map tickets; document the closure basis.
Inconsistent labeling (“N/A” in one place, “Partial” in another)	Multiple owners and exports	Standardize terminology: “Withdrawn / N/A (Withdrawn)” everywhere.
Assessors see a test step for it	Copy-pasted test plans	Remove test procedures; add “no test performed.” 3

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific requirement.

The practical risk is second-order: assessment friction and credibility. Withdrawn requirements become a trap for documentation quality. An assessor who finds inconsistent mappings may broaden sampling or question the reliability of your SSP and POA&M governance, which can create knock-on findings under other active requirements. ²

Practical 30/60/90-day execution plan

Use this as an execution sequence rather than a calendar promise.

First 30 days (Immediate cleanup)

• Locate every place 03.10.04 appears: SSP, GRC tool, spreadsheets, ticketing, customer questionnaires.
• Update SSP/control matrix entry to “Withdrawn” with a one-line rationale. ¹
• Remove any assessment test steps for 03.10.04 and replace with “Withdrawn; no test.” ³
• Sweep POA&M for mis-tagged items and close or re-map.

Next 60 days (Standardize and prevent regression)

• Create a standard “Withdrawn requirement handling” procedure for your GRC team:
  • Naming conventions (Withdrawn vs N/A)
  • Required fields (rationale, citation, approver)
  • Export checks before audits
• Add a quality gate to SSP updates: any requirement state other than “Implemented” must have rationale and owner.

Next 90 days (Operationalize in tooling and reporting)

• Automate consistency checks in Daydream (or your GRC platform): flag any withdrawn requirement that shows “Partial,” “Planned,” or has a POA&M item attached.
• Train control owners and program managers: “Withdrawn is not a gap; don’t open remediation.”
• Re-run your internal assessment packaging to confirm exports align with NIST SP 800-171A-style expectations for clarity and traceability. ³

Frequently Asked Questions

If 03.10.04 is withdrawn, can we delete it from the SSP?

Don’t delete it if your SSP template lists all requirements. Keep the line item and mark it “Withdrawn” with a short rationale so assessors see you handled it intentionally. ¹

Should 03.10.04 appear as “Not Applicable” or “Withdrawn”?

Use “Withdrawn” wherever the system supports it. If you must use “N/A,” include “Withdrawn” in the rationale field to preserve meaning and traceability. ¹

Do we need evidence (logs/screenshots) for a withdrawn requirement?

Keep evidence of the decision and mapping, not operational logs. The key artifacts are SSP mapping, assessment notes, and POA&M hygiene showing no false gaps. ²

What if a customer flow-down or questionnaire still asks about 03.10.04?

Respond that it is withdrawn in NIST SP 800-171 Rev. 3 and provide your SSP excerpt if needed. If they require a control anyway, treat it as a contractual requirement separate from NIST 800-171 compliance labeling. ¹

How do we handle legacy mappings from Rev. 2 where this might have existed differently?

Keep a revision note in your control mapping history that 03.10.04 is withdrawn in Rev. 3, and re-map any real controls to active Rev. 3 requirements. Avoid carrying forward Rev. 2 assumptions into Rev. 3 assessment packages. ¹

Can a withdrawn requirement still create an audit finding?

You are unlikely to be found noncompliant for not implementing a withdrawn requirement, but inconsistent documentation (SSP vs POA&M vs assessment artifacts) can trigger findings about governance, accuracy, or readiness. ²

Footnotes

1. NIST SP 800-171 Rev. 3

2. NIST SP 800-171 Rev. 3; Source: NIST SP 800-171A

3. NIST SP 800-171A