Control 3.1.3
Control CUI Flow
Official Requirement
Control the flow of CUI in accordance with approved authorizations.
What This Means in Plain English
You must control how CUI moves through and between your systems and networks, and those movements must be limited to flows that someone has explicitly approved and documented. In practice this means identifying where CUI is stored and processed, deciding which systems, network segments, cloud services and people are allowed to send or receive it, and then enforcing those decisions technically so that CUI cannot reach anywhere else, for example an unsegmented internal network, a personal mailbox or an unapproved cloud storage service.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- FortiGate firewall rules and ACLs controlling traffic flow between network segments
- Data Loss Prevention (DLP) policies in Microsoft 365 preventing unauthorized sharing of CUI
- Microsoft Information Protection labels classifying and restricting CUI document flow
- Network segmentation isolating CUI enclaves from general-purpose networks
- Email transport rules blocking CUI from being sent to unauthorized external domains
- Cisco Meraki VLAN configurations enforcing traffic path restrictions
Assessment Guidance
Assessors follow the NIST SP 800-171A objectives for 3.1.3: that information flow control policies are defined, that the methods and enforcement mechanisms for controlling the flow of CUI are defined, that the designated sources and destinations of CUI (networks, individuals, devices) are identified, and that authorizations for controlling CUI flow are defined and enforced. Expect them to review firewall rules alongside the network diagram that shows CUI flow paths and look for mismatches between the two, test DLP and transport rules by attempting an unauthorized transfer, verify that classification labels are actually applied to CUI documents rather than merely published, and confirm that the flow enforcement mechanisms block, log and alert as intended.
Common Implementation Gaps
- No defined or documented CUI data flow diagram
- Missing DLP policies allowing CUI to leave the organization via email or cloud storage
- Flat network allowing CUI to traverse uncontrolled segments
- No data classification scheme to identify CUI
- Personal devices accessing CUI without flow controls
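The following is an added example, not Petronella's tooling or any vendor's code, showing the check behind the first three gaps above and the assessor's rule review: it evaluates a zone-to-zone firewall policy with first-match semantics (the FortiGate and Meraki evaluation model) and compares every flow into or out of a CUI zone against a documented authorization matrix. The zone names, rule sets and approved flows are constructed for illustration; the "flat" policy carries a leftover any/any accept rule and the "segmented" policy adds explicit denies for CUI zones ahead of it.

```python
"""Audit a zone-to-zone firewall policy against documented CUI flow authorizations.

Added example for 3.1.3; zones, rules and the authorization matrix are constructed
and hypothetical. The check mirrors what an assessor does by hand when comparing
firewall rules with the CUI data flow diagram.
"""
from dataclasses import dataclass

# Hypothetical network zones. "m365-cloud" stands for the tenant's Exchange
# Online / SharePoint endpoints as reached through the firewall.
ZONES = ("cui-enclave", "cui-backup", "corp-lan", "guest-wifi", "m365-cloud", "internet")
CUI_ZONES = {"cui-enclave", "cui-backup"}

# Approved authorizations as (source zone, destination zone). This is the
# machine-readable form of the CUI data flow diagram; any pair not listed is
# unapproved. Intra-zone traffic never crosses a segment boundary and is excluded.
APPROVED_CUI_FLOWS = {
    ("cui-enclave", "m365-cloud"),   # DLP and sensitivity labels apply on the tenant side
    ("cui-enclave", "cui-backup"),
    ("cui-backup", "cui-enclave"),   # restores
}


@dataclass(frozen=True)
class Rule:
    seq: int          # evaluation order, lowest first; the first match decides
    name: str
    src_zone: str     # zone name or "any"
    dst_zone: str     # zone name or "any"
    action: str       # "accept" or "deny"


@dataclass(frozen=True)
class Finding:
    kind: str         # "unauthorized_cui_flow" or "approved_flow_blocked"
    src_zone: str
    dst_zone: str
    rule: str         # name of the deciding rule, or "implicit-deny"


def effective_rule(rules, src, dst):
    """Return the first rule matching src -> dst, or None for the implicit deny."""
    for r in sorted(rules, key=lambda r: r.seq):
        if r.src_zone in ("any", src) and r.dst_zone in ("any", dst):
            return r
    return None


def audit_cui_flows(rules, zones=ZONES):
    """Compare the effective policy for every pair that touches a CUI zone with the
    approved authorizations. A reachable-but-unlisted pair is a leak path; a
    listed-but-blocked pair means the diagram and the enforcement disagree."""
    findings = []
    for src in zones:
        for dst in zones:
            if src == dst or not ({src, dst} & CUI_ZONES):
                continue
            r = effective_rule(rules, src, dst)
            permitted = r is not None and r.action == "accept"
            approved = (src, dst) in APPROVED_CUI_FLOWS
            rule_name = r.name if r else "implicit-deny"
            if permitted and not approved:
                findings.append(Finding("unauthorized_cui_flow", src, dst, rule_name))
            elif approved and not permitted:
                findings.append(Finding("approved_flow_blocked", src, dst, rule_name))
    return findings


# Constructed "before" policy: the explicit rules look fine, but the legacy
# any/any accept at the bottom makes the network flat for everything else.
FLAT_RULES = [
    Rule(1, "CUI-to-M365", "cui-enclave", "m365-cloud", "accept"),
    Rule(2, "CUI-backup", "cui-enclave", "cui-backup", "accept"),
    Rule(3, "Corp-to-Internet", "corp-lan", "internet", "accept"),
    Rule(99, "Legacy-allow-all", "any", "any", "accept"),
]

# Constructed "after" policy: explicit allows for approved CUI flows, then explicit
# denies in both directions for each CUI zone, placed ahead of the legacy rule.
SEGMENTED_RULES = FLAT_RULES[:3] + [
    Rule(4, "CUI-restore", "cui-backup", "cui-enclave", "accept"),
    Rule(5, "CUI-egress-deny", "cui-enclave", "any", "deny"),
    Rule(6, "CUI-backup-egress-deny", "cui-backup", "any", "deny"),
    Rule(7, "CUI-ingress-deny", "any", "cui-enclave", "deny"),
    Rule(8, "CUI-backup-ingress-deny", "any", "cui-backup", "deny"),
    Rule(99, "Legacy-allow-all", "any", "any", "accept"),
]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        findings = audit_cui_flows(rules)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.kind}: {f.src_zone} -> {f.dst_zone} via {f.rule}")
```

Against the flat policy every unlisted pair involving a CUI zone is reachable through "Legacy-allow-all", which is exactly the flat-network gap; the segmented policy returns no findings even though the legacy rule is still present, because the CUI-zone denies sit ahead of it. Dropping the "CUI-restore" rule from the segmented policy produces an "approved_flow_blocked" finding, the case where the data flow diagram promises a path the firewall does not provide. The same approach applies to Meraki VLAN ACLs or M365 transport rules once their source and destination scopes are expressed as zone pairs.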
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-4 |
| HIPAA | 164.312(e)(1) - Transmission Security |
| PCI DSS | Req 1 - Install and maintain network security controls |
Need Help Implementing 3.1.3?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment