GRCWatch
Sign inStart free trial

CMMC AC.L2-3.1.3: Control the Flow of CUI in Accordance with Approved Authorizations

Controlling Controlled Unclassified Information (CUI) flow is foundational to CMMC Level 2 compliance. This control ensures that data movement across your systems follows documented authorization policies and prevents unauthorized data leakage. Without proper CUI flow controls, you risk non-compliance citations and loss of CMMC certification.

What this means

AC.L2-3.1.3 requires you to implement mechanisms that enforce the authorized movement of CUI throughout your information systems. This means identifying all pathways where CUI travels—whether between applications, across network segments, or to external parties—and ensuring each pathway matches your formal authorization documentation. You must prevent CUI from flowing to destinations or via channels not explicitly approved, whether through technical controls or documented procedures.

How to comply

  1. 1.Document all authorized CUI flows by mapping data sources, destinations, and approved transmission methods in your system security plan
  2. 2.Identify all system interfaces and network boundaries where CUI crosses, and classify each as authorized or unauthorized
  3. 3.Implement technical controls such as firewall rules, data loss prevention (DLP) tools, and access control lists to enforce approved flows
  4. 4.Configure logging and monitoring to track CUI movement and alert on unauthorized flow attempts in real time
  5. 5.Establish and communicate written policies defining acceptable CUI recipients, approved channels, and handling procedures for all personnel
  6. 6.Conduct quarterly reviews of CUI flow authorizations and update them when business processes, organizational structure, or systems change
  7. 7.Test your controls through simulated unauthorized access attempts and document remediation of any gaps discovered

Evidence auditors look for

  • CUI data flow diagrams showing source systems, intermediate systems, and authorized destinations with approval dates
  • Firewall rule sets and network access control lists explicitly permitting only authorized CUI flows
  • DLP tool configurations that block or alert on CUI transmission to non-approved recipients or channels
  • System audit logs showing CUI access and transfer events correlated with authorized personnel and destinations
  • Written authorization matrix documenting which roles, departments, and external parties may receive specific CUI types
  • Change management records showing approval and testing of new CUI flow pathways before deployment
  • Incident response logs demonstrating detection and response to attempted unauthorized CUI flows

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates CUI flow mapping and monitoring by discovering all data pathways in your environment, comparing them against your approved authorizations, and alerting you in real time to unauthorized transfers—eliminating manual log reviews and reducing compliance risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 — Authorize AccessAC.L2-3.1.2 — Enforce Access ControlSI.L2-3.14.1 — Information System MonitoringAC.L2-3.1.20 — Protect CUI at Rest and in Transit