Access Control 3.1.3 (3.1.3)

Control the flow of CUI in accordance with approved authorizations.


What Is This CMMC Control?

This control requires organizations to manage and restrict where CUI can travel within their systems and between different systems, networks, or organizations. Unlike access control (who can see data), flow control focuses on where data can go and how it moves between different security boundaries. Organizations must implement technical controls like firewalls, gateways, and filtering mechanisms to enforce approved pathways for CUI movement and prevent unauthorized data transfers across security boundaries.

Control Intent

Prevent unauthorized disclosure or exfiltration of CUI by controlling the pathways and destinations where CUI can travel, ensuring information only flows to approved locations and recipients in accordance with organizational security policies.

Who This Control Applies To

  • Organizations that process, store, or transmit CUI across multiple systems or networks
  • Environments with network boundaries between internal systems and external networks
  • Organizations that share CUI with partners, contractors, or other external entities
  • Systems that connect CUI environments to the Internet or other untrusted networks
  • Multi-tenant or segmented environments where CUI must be isolated from non-CUI data
  • Organizations using cloud services or hybrid infrastructure for CUI processing

Not Applicable When

  • Organization has only a single standalone system with no network connectivity (extremely rare)
  • All systems are at the same security level with no boundary protection requirements (not realistic for CUI environments)
  • Organization does not process, store, or transmit CUI

Key Objectives

  1. Restrict CUI movement to approved pathways between systems, networks, and organizations
  2. Prevent CUI from traversing unauthorized network boundaries or reaching unapproved destinations
  3. Enforce technical controls at boundary protection points to filter and inspect CUI transfers
  4. Ensure CUI flow restrictions account for different security domains and trust levels

Sample Self-Assessment Questions (Partial)

Does your organization transfer CUI between different systems, networks, or locations?

Do you have firewalls or network security devices that control traffic between your internal network and the Internet?

Implementation Approaches (High-Level)

Network Segmentation with Firewall Enforcement

Deploy network firewalls and segmentation to create security zones with enforced flow control rules between CUI and non-CUI environments, and between internal networks and the Internet.

Data Loss Prevention (DLP) Systems

Implement DLP solutions to monitor, detect, and block unauthorized CUI transfers across network boundaries, email, web, and endpoint channels.

Secure Email Gateway and Encryption

Deploy secure email gateways with content filtering and mandatory encryption for CUI transfers to external recipients, ensuring CUI only flows to approved destinations via secure channels.

Cloud Access Security Broker (CASB)

Implement CASB solutions to control and monitor CUI flows to cloud services and SaaS applications, enforcing approved usage and preventing unauthorized cloud-based data transfers.

Virtual Private Networks (VPN) and Encrypted Tunnels

Require VPN or encrypted tunnel usage for all CUI transfers between sites, remote users, and external partners, ensuring CUI flows only through approved secure channels.

Web Proxy and Content Filtering

Deploy web proxy servers with content filtering to control and monitor CUI flows to Internet destinations, blocking unauthorized websites and enforcing approved usage policies.

Removable Media Controls

Implement technical controls to restrict or block CUI transfers to removable media devices (USB drives, external hard drives, optical media) except through approved processes and authorized devices.

Application Whitelisting and Control

Use application whitelisting and control technologies to prevent unauthorized applications from being used to transfer CUI, blocking unapproved file sharing, messaging, or cloud storage applications.

Mobile Device Management (MDM) and Containerization

Deploy MDM solutions with containerization to control CUI flows on mobile devices, separating and protecting CUI from personal data and preventing unauthorized transfers.

Secure File Transfer Protocol (SFTP) and Managed File Transfer (MFT)

Implement SFTP or MFT solutions for authorized CUI transfers to external partners, providing encrypted transmission, access controls, and audit logging of all file transfers.

Network Access Control (NAC)

Deploy NAC solutions to enforce flow control policies based on device posture, user identity, and network location, preventing non-compliant devices from accessing CUI environments.
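The firewall segmentation and monitoring approaches above both rest on one artifact: an explicit list of approved CUI flows that is enforced by default deny and checked against what the boundary devices actually see. The following is an added example (not code from the original guidance or from ConformatIQ) that models that authorization list and flags unauthorized flows in constructed firewall log lines; all zones, addresses, ports and log formats are assumptions.

```python
# Added example, not from the original guidance: approved CUI flow
# authorizations as a default-deny allow-list, checked against firewall
# log lines. All zones, addresses and log lines are constructed placeholders.
from ipaddress import ip_address, ip_network

ZONES = {  # CIDR -> security zone (constructed)
    ip_network("10.10.0.0/24"): "cui-enclave",
    ip_network("10.20.0.0/24"): "corp-lan",
    ip_network("198.51.100.0/24"): "partner-vpn",
}
# Approved flows from the CUI enclave: (destination zone or host, proto, port).
# Anything not listed is denied; an approved host with an unlisted port still fails.
APPROVED = {
    ("partner-vpn", "tcp", 22),    # SFTP to partner site over the VPN tunnel
    ("203.0.113.10", "tcp", 443),  # one approved cloud service endpoint
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "external"  # anything outside defined zones is untrusted

def is_authorized(src: str, dst: str, proto: str, port: int) -> bool:
    if zone_of(src) != "cui-enclave":
        return True  # non-CUI sources are governed by other rules
    return any((d, proto, port) in APPROVED for d in (zone_of(dst), dst))

def parse_log(line: str) -> tuple:
    # Constructed format: "src=10.10.0.5 dst=203.0.113.10 proto=tcp dport=443"
    kv = dict(tok.split("=", 1) for tok in line.split())
    return kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"])

def find_violations(lines):
    return [f for f in map(parse_log, lines) if not is_authorized(*f)]

SAMPLE_LOG = [
    "src=10.10.0.5 dst=203.0.113.10 proto=tcp dport=443",  # approved
    "src=10.10.0.5 dst=198.51.100.7 proto=tcp dport=22",   # approved partner SFTP
    "src=10.10.0.5 dst=203.0.113.10 proto=tcp dport=80",   # right host, wrong port
    "src=10.10.0.9 dst=192.0.2.44 proto=tcp dport=443",    # unapproved Internet host
    "src=10.20.0.3 dst=192.0.2.44 proto=tcp dport=443",    # non-CUI zone, out of scope
]

if __name__ == "__main__":
    for src, dst, proto, port in find_violations(SAMPLE_LOG):
        print(f"UNAUTHORIZED CUI FLOW {src} -> {dst} {proto}/{port}")
```

Each flagged flow is a candidate for an immediate block rule and a POA&M entry, and the APPROVED set doubles as the documented authorization record an assessor will ask for.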

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If flow control policies are not documented, create a POA&M to develop and approve information flow control policies within 30-60 days
  • If network segmentation is insufficient, create a POA&M for network redesign and segmentation implementation (may require 6-12 months depending on complexity)
  • If boundary protection devices lack proper flow control configurations, create a POA&M to review and update firewall rules within 60-90 days
  • If DLP or CASB solutions are not deployed, create a POA&M for technology evaluation, procurement, and implementation (typically 3-6 months)
  • If users can bypass flow control restrictions, create a POA&M to implement technical controls (endpoint security, application whitelisting) within 90 days
  • If flow control mechanisms are not monitored or tested, create a POA&M to establish monitoring and validation processes within 30-60 days
  • If third-party connections lack flow control enforcement, create a POA&M to assess and remediate partner integrations within 60-90 days
  • If cloud services are used without a flow control assessment, create a POA&M to evaluate cloud usage and implement CASB or equivalent controls within 90 days
  • Prioritize POA&Ms based on risk: focus first on preventing CUI exfiltration to the Internet or unauthorized external parties
  • Consider phased implementation for complex flow control projects, with initial focus on the highest-risk pathways
  • Ensure POA&Ms include specific milestones, responsible parties, and validation criteria
  • Plan for user communication and training as part of POA&M implementation to minimize business disruption

Frequently Asked Questions

What is the difference between access control and flow control?

Access control determines who can access CUI (authentication and authorization), while flow control determines where CUI can travel within and between systems. Access control focuses on user permissions; flow control focuses on data pathways and destinations. Both are necessary: access control ensures only authorized users can access CUI, and flow control ensures those users can only send CUI to approved locations.

Does this control require blocking all Internet access from CUI systems?

Not necessarily. The control requires that CUI flows to the Internet or external networks must be in accordance with approved authorizations. Organizations must document which Internet destinations are approved for CUI (e.g., specific cloud services, partner portals) and implement technical controls to enforce those restrictions. Unrestricted Internet access from CUI systems would typically not meet this control.

How does this control apply to email containing CUI?

Email is a common CUI flow pathway that must be controlled. Organizations must implement technical controls (secure email gateways, DLP) to prevent CUI from being emailed to unauthorized external recipients. Approved external email recipients must be documented and authorized. Email containing CUI should be encrypted in transit, and organizations should consider blocking or quarantining CUI emails to unapproved destinations.

Can we satisfy this control with policies and user training alone?

No. This control explicitly requires technical enforcement mechanisms, not just policies. The supplemental guidance references boundary protection devices, firewalls, filtering mechanisms, and other technical controls. While policies and training are important supporting elements, technical controls must be implemented to enforce flow control restrictions and prevent users from accidentally or intentionally violating policies.

How do we handle CUI flows to cloud services and SaaS applications?

Cloud services and SaaS applications must be evaluated and approved before CUI can flow to them. Organizations should implement CASB or similar controls to enforce approved cloud usage and block unauthorized cloud services. Each cloud service receiving CUI should be documented as an approved flow pathway, and technical controls should prevent CUI from reaching unapproved cloud destinations. Consider the cloud provider's security controls and whether they meet CUI protection requirements.

What should we do if we discover unauthorized CUI flows during assessment preparation?

Document the unauthorized flows as a gap and take immediate action to block or restrict them. Investigate how the unauthorized flows occurred and whether any CUI was actually disclosed. Update flow control policies and technical controls to prevent recurrence. If the gap cannot be remediated immediately, create a POA&M with specific milestones and compensating controls. Consider whether the unauthorized flows constitute a CUI incident requiring reporting.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.