3.1.3 — Where CUI Can Flow
What It Says
Control the flow of CUI in accordance with approved authorizations.
What It Actually Means
You need to know three things and enforce all three:
- Where CUI comes from — which systems, people, and networks send CUI into your environment
- Where CUI goes — which internal systems handle it and which external destinations are approved
- What stops it going anywhere else — firewalls, DLP, proxies, network segmentation
The word that matters here is enforce. A policy saying “don’t email CUI to personal accounts” isn’t enough. You need DLP rules that block it. A policy saying “CUI stays on the internal network” isn’t enough. You need firewall rules that enforce it.
This is one of the most commonly failed requirements because it demands both knowledge (where does CUI flow?) and technical controls (how do you stop unauthorized flows?).
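The three pieces above (sources, approved destinations, and an enforcement point that blocks rather than logs) can be modelled as a small default-deny flow check. This is an added illustration, not code from the guide; the authorization list, zone names, `.example` domains and sample transfers are all constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Authorization:
    channel: str       # transfer channel: "email", "smb", "https", "usb"
    source: str        # glob matched against the sending zone or host
    destination: str   # glob matched against the receiving address, host or zone

# Constructed list of approved flow authorizations (the document an assessor asks for).
APPROVED_FLOWS = (
    Authorization("email", "cui-enclave", "*@partner.example"),
    Authorization("smb",   "cui-enclave", "cui-fileserver.internal.example"),
    Authorization("https", "cui-enclave", "approved-tenant.example"),
)

def is_authorized(transfer: dict) -> bool:
    """True only if some approved authorization covers this channel, source and destination."""
    return any(
        a.channel == transfer["channel"]
        and fnmatchcase(transfer["source"], a.source)
        and fnmatchcase(transfer["destination"].lower(), a.destination)
        for a in APPROVED_FLOWS
    )

def enforce(transfer: dict) -> dict:
    """Decide allow/block for one transfer. Labelled CUI is default-deny: anything not
    on the approved list is blocked, and the decision is returned as an audit record
    so the block is enforced *and* logged, never merely logged."""
    if not transfer.get("cui", False):
        decision, reason = "allow", "not labelled CUI; outside the scope of 3.1.3"
    elif is_authorized(transfer):
        decision, reason = "allow", "matches an approved flow authorization"
    else:
        decision, reason = "block", "no authorization exists for this CUI flow"
    return {"decision": decision, "reason": reason, "transfer": transfer}

# Constructed sample transfers mirroring the live demos an assessor asks for.
SAMPLE_TRANSFERS = [
    {"channel": "email", "source": "cui-enclave", "destination": "alice@personal-mail.example", "cui": True},
    {"channel": "email", "source": "cui-enclave", "destination": "bob@partner.example", "cui": True},
    {"channel": "usb",   "source": "cui-enclave", "destination": "removable-media", "cui": True},
    {"channel": "https", "source": "cui-enclave", "destination": "consumer-drive.example", "cui": True},
    {"channel": "email", "source": "cui-enclave", "destination": "alice@personal-mail.example", "cui": False},
]

def run_demo() -> list:
    """Evaluate every sample transfer and return the decisions in order."""
    return [enforce(t)["decision"] for t in SAMPLE_TRANSFERS]

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        r = enforce(t)
        print(f"{r['decision']:5} {t['channel']:5} -> {t['destination']}: {r['reason']}")
```

Only the partner email is allowed to carry CUI; the personal-mail, USB and consumer-cloud transfers are blocked because no authorization names them, which is the behaviour the "blocked, not just logged" row expects.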
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are flow control policies defined? | Documented rules for where CUI can and can’t go |
| 2 | Are CUI sources and destinations identified? | You know which systems create, receive, and store CUI |
| 3 | Are enforcement mechanisms in place? | Firewalls, DLP, proxies — not just policy documents |
| 4 | Are flow authorizations actually enforced? | Unauthorized transfers get blocked, not just logged |
What to Have Ready on Assessment Day
Documents they’ll review: Information flow control policy, system security plan, network diagrams showing CUI flow paths, firewall rules, DLP policy configs, proxy settings, list of approved flow authorizations, audit logs
People they’ll talk to: Network admins, information security staff, system developers
Live demos they’ll ask for: “Try to email a CUI document to a personal email address — show me it’s blocked.” “Try to copy CUI to a USB drive — show me what happens.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me where CUI originates in your environment and where it’s allowed to flow.”
- “What technical mechanisms enforce your flow control policies?”
- “Can you demonstrate that an unauthorized CUI transfer is actually blocked?”
- “How do you handle CUI flow to cloud services and email?”
Where Companies Trip Up
No DLP. Relying on policy alone without technical enforcement. The assessor will ask for a live demo.
Email is a free-for-all. CUI attached to emails going to personal accounts, partners, or unencrypted destinations.
Cloud storage blind spots. CUI uploaded to personal Dropbox, Google Drive, or unapproved cloud services.
Flat network. CUI flows freely across the entire network with no segmentation or zone boundaries.
Shadow IT. Users moving CUI through WhatsApp, personal file sharing, or tools the security team doesn’t know about.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.13.1 — Guard the Boundaries | Monitors communications at network boundaries |
| 3.13.6 — Deny Everything by Default | Default-deny firewall rules that support flow control |
| 3.13.8 — Encrypt in Transit | Encrypting CUI when it moves between systems |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: AC.L2-3.1.3 | SPRS Weight: 1 point | POA&M Eligible: Yes