AC.L2-3.1.3 requires organizations to control the flow of CUI in accordance with approved authorizations. On paper, it sounds straightforward: make sure CUI only goes where it's supposed to go. In practice, this control is one of the most frequently cited findings in CMMC assessments.
The reason is that most organizations interpret this as a technical configuration problem. Set the right firewall rules, configure DLP policies, restrict file sharing. Those are necessary steps. But the control requires more than configuration. It requires that the organization can demonstrate how CUI flow is authorized, how those authorizations are documented, and how violations are detected and addressed.
When a C3PAO evaluates AC.L2-3.1.3, they're not just checking whether your firewall rules exist. They're evaluating a chain of evidence:
Authorization documentation. Who approved the CUI data flows in your environment? Is there a documented authorization that maps which systems, users, and pathways are permitted to handle CUI? Most organizations have implicit authorizations ("engineering has always had access to the design files") but no documented approval from an authorizing official.
Technical enforcement. Are the approved flows actually enforced technically? This means network segmentation, access control lists, DLP policies, email transport rules, and file sharing restrictions that align with the documented authorizations. The key word is "align." If your documentation says CUI stays within a specific subnet, but your network configuration allows traffic outside that subnet, you have a finding.
Monitoring and detection. How does the organization know when CUI flows outside approved channels? This requires logging, alerting, and a response process. An assessor will ask: "If an employee emailed a CUI-bearing file to a personal email address, how would you know?" If the answer is "we wouldn't," that's a finding.
Periodic review. Are the authorizations reviewed on a defined schedule? Environments change. New systems are added, employees change roles, business processes evolve. The authorizations that were correct six months ago may not reflect the current state. Assessors want to see evidence of periodic reviews, not just a one-time authorization.
The most common gap is missing authorization documentation. The organization has configured technical controls that restrict CUI flow, but nobody formally authorized those flows. There's no document that says "CUI is authorized to flow from System A to System B via encrypted connection, approved by [name] on [date]." Without that documentation, the technical controls exist but the governance structure doesn't.
Many organizations deploy Data Loss Prevention tools and configure policies, then never look at the alerts. A DLP tool that generates findings nobody reviews is worse than no DLP at all, because it creates a false sense of compliance. Assessors will ask to see DLP alert logs and the response actions taken. If the logs show hundreds of unreviewed alerts, that's a finding.
CUI flow control often breaks down at email and collaboration platforms. Organizations lock down file servers and network shares, but employees can still email CUI attachments to external addresses, share files via Teams or Slack to unauthorized users, or upload documents to personal cloud storage. Transport rules, conditional access policies, and sensitivity labels are the controls that close these gaps.
Start with the documentation, not the technology. Map every authorized CUI flow in your environment: where CUI enters, where it's processed, where it's stored, and where it exits. Get formal approval from your authorizing official (typically the system owner or a senior leader). Then validate that your technical controls enforce those documented flows and nothing else.
Build monitoring around the boundaries. If CUI is authorized to live in three systems, monitor the egress points of those systems for unauthorized transfers. Review those monitoring logs on a defined schedule and document the reviews.
Finally, build the review cycle. Set a quarterly or semi-annual review of CUI flow authorizations. When systems change, when new tools are deployed, when organizational structure shifts, the authorizations need to be re-evaluated. The review doesn't need to be elaborate. It needs to be documented and consistent.
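The three steps above (document the authorized flows, validate that enforcement permits those flows and nothing else, and monitor egress on a schedule with a review date attached) can be reduced to a reconciliation you can run repeatedly. The script below is an added example, not code from the original article or from the firm that wrote it. Every system name, subnet, rule, log line and approval in it is constructed for illustration; the flow-log format ("timestamp src dst protocol bytes") is an assumption standing in for whatever your firewall or NetFlow collector actually emits.

```python
"""Reconcile documented CUI flow authorizations against (a) the technical
enforcement rules and (b) observed egress logs, and flag authorizations
whose periodic review is overdue. Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Authorization:
    """One line of the CUI flow register: who approved which flow, and when
    that approval must next be reviewed (the evidence an assessor asks for)."""
    source: str        # named system or enclave that holds CUI
    destination: str
    pathway: str       # protocol or channel the approval covers
    approved_by: str
    approved_on: date
    review_due: date


# Constructed system inventory: which CIDR each named system occupies.
SYSTEMS = {
    "eng-fileserver": ipaddress.ip_network("10.10.1.0/24"),
    "cad-workstations": ipaddress.ip_network("10.10.2.0/24"),
    "prime-sftp-gateway": ipaddress.ip_network("203.0.113.0/28"),
}
# Systems authorized to store or process CUI (constructed).
CUI_SYSTEMS = {"eng-fileserver", "cad-workstations"}

# Constructed authorization register (placeholder approver name).
AUTHORIZATIONS = [
    Authorization("cad-workstations", "eng-fileserver", "smb",
                  "J. Doe (ISSM)", date(2024, 1, 15), date(2024, 7, 15)),
    Authorization("eng-fileserver", "prime-sftp-gateway", "sftp",
                  "J. Doe (ISSM)", date(2024, 1, 15), date(2025, 1, 15)),
]


def system_for(ip: str) -> str:
    """Map an address to its named system; anything unmapped is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SYSTEMS.items():
        if addr in net:
            return name
    return "external"


def is_authorized(source, destination, pathway, authorizations=AUTHORIZATIONS):
    """True if the register contains an approval for exactly this flow."""
    return any(a.source == source and a.destination == destination
               and a.pathway == pathway for a in authorizations)


def unauthorized_rules(rules, authorizations=AUTHORIZATIONS):
    """Rules are (source_system, destination_system, pathway, action).
    Return the 'allow' rules leaving a CUI system that no documented
    authorization covers: enforcement permits more than governance approved."""
    return [r for r in rules
            if r[3] == "allow" and r[0] in CUI_SYSTEMS
            and not is_authorized(r[0], r[1], r[2], authorizations)]


def review_egress_log(lines, authorizations=AUTHORIZATIONS):
    """Parse constructed flow-log lines 'ts src dst proto bytes' and return
    each transfer that left a CUI system over a flow not in the register.
    Traffic that stays inside one system is not a flow and is skipped."""
    findings = []
    for line in lines:
        ts, src, dst, proto, nbytes = line.split()
        s, d = system_for(src), system_for(dst)
        if s in CUI_SYSTEMS and s != d and not is_authorized(s, d, proto, authorizations):
            findings.append({"time": ts, "source": s, "destination": d,
                             "pathway": proto, "bytes": int(nbytes)})
    return findings


def overdue_reviews(today_iso: str, authorizations=AUTHORIZATIONS):
    """Authorizations whose scheduled review date has passed as of today_iso."""
    today = date.fromisoformat(today_iso)
    return [a for a in authorizations if a.review_due < today]


# Constructed enforcement rules; the third line is configuration drift.
RULES = [
    ("cad-workstations", "eng-fileserver", "smb", "allow"),
    ("eng-fileserver", "prime-sftp-gateway", "sftp", "allow"),
    ("eng-fileserver", "external", "https", "allow"),
    ("cad-workstations", "external", "smtp", "deny"),
]

# Constructed egress log: two approved transfers, two that are not.
LOG = [
    "2024-08-01T09:12:03Z 10.10.2.17 10.10.1.5 smb 48213",
    "2024-08-01T09:40:11Z 10.10.1.5 203.0.113.4 sftp 9120000",
    "2024-08-01T10:05:45Z 10.10.1.5 198.51.100.77 https 3400000",
    "2024-08-01T11:22:09Z 10.10.2.17 192.0.2.9 smtp 2100000",
]

if __name__ == "__main__":
    print("Enforcement drift:", unauthorized_rules(RULES))
    print("Unauthorized transfers:", review_egress_log(LOG))
    print("Reviews overdue:", overdue_reviews("2024-08-01"))
```

The three functions map onto the three questions an assessor asks: `unauthorized_rules` is the "aligns with the documentation and nothing else" check, `review_egress_log` is the boundary monitoring, and `overdue_reviews` produces the evidence that the review cycle is actually running. Keeping the approver and review date on each register entry is what turns a firewall configuration into a documented authorization.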
An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.