NetStable
Level 2 AC.L2-3.1.3

Control the flow of CUI in accordance with approved authorizations

📖 What This Means

This practice requires organizations to ensure that Controlled Unclassified Information (CUI) only moves between systems and users based on approved permissions. Think of it like a security checkpoint where only authorized personnel can pass through with specific items. For example, in a hospital, only doctors and nurses can access patient records, and only certain staff can transfer those records between departments. Similarly, in your organization, CUI should only flow where it’s explicitly allowed, preventing unauthorized access or leaks. This helps maintain confidentiality and ensures that sensitive information doesn’t end up in the wrong hands.

🎯 Why It Matters

Uncontrolled flow of CUI can lead to data breaches, exposing sensitive information to unauthorized users. For instance, in the 2017 Equifax breach, poorly managed data flow allowed hackers to access millions of sensitive records, costing the company over $1.4 billion. From a DoD perspective, ensuring CUI flows only through approved channels is critical to protecting national security and maintaining trust with defense contractors. Failure to implement this control can result in costly fines, loss of contracts, and reputational damage.

✅ How to Implement

  1. Use Identity and Access Management (IAM) tools in AWS/Azure/GCP to define role-based access controls for CUI.
  2. Configure Data Loss Prevention (DLP) policies to monitor and restrict CUI transfers.
  3. Enable logging for all data transfers involving CUI using cloud-native logging services (e.g., AWS CloudTrail, Azure Monitor).
  4. Set up network segmentation and Virtual Private Clouds (VPCs) to isolate CUI traffic.
  5. Regularly review and update access permissions to ensure they align with approved authorizations.
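Steps 1, 3 and 5 together amount to a flow-authorization matrix that the CUI transfer log is checked against. The following is an added example (not from this page or any vendor tool) that runs that check over a constructed CSV export in the shape of the "Access Logs" evidence artifact; the role names, system names and log columns are assumptions.

```python
import csv
import io

# Approved CUI flows, as an assumed authorization matrix:
# role -> set of (source_system, destination_system) pairs that role may
# move CUI between. Role and system names are constructed for the example.
APPROVED_FLOWS = {
    "cui-engineer": {("cui-s3-bucket", "cui-analysis-vm")},
    "cui-reviewer": {("cui-s3-bucket", "cui-review-share"),
                     ("cui-analysis-vm", "cui-review-share")},
}

# Constructed sample of a monthly access-log CSV export of CUI transfers.
SAMPLE_LOG = """timestamp,user,role,source,destination,label
2024-03-01T09:12:00Z,alice,cui-engineer,cui-s3-bucket,cui-analysis-vm,CUI
2024-03-01T09:30:00Z,bob,cui-reviewer,cui-s3-bucket,cui-review-share,CUI
2024-03-01T10:02:00Z,alice,cui-engineer,cui-s3-bucket,personal-laptop,CUI
2024-03-01T10:45:00Z,carol,contractor,cui-analysis-vm,cui-review-share,CUI
2024-03-01T11:00:00Z,bob,cui-reviewer,public-docs,marketing-share,PUBLIC
"""


def find_unauthorized_flows(log_text, approved=APPROVED_FLOWS):
    """Return the log rows whose CUI transfer is not an approved flow.

    Rows not labelled CUI are ignored. A role absent from the matrix has no
    approved flows, so every CUI transfer it performs is flagged.
    """
    violations = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["label"] != "CUI":
            continue
        allowed = approved.get(row["role"], set())
        if (row["source"], row["destination"]) not in allowed:
            violations.append(row)
    return violations


if __name__ == "__main__":
    # Two rows should be flagged: alice copying to an unapproved destination
    # and carol acting under a role with no approved CUI flows.
    for v in find_unauthorized_flows(SAMPLE_LOG):
        print(f'{v["timestamp"]} {v["user"]} ({v["role"]}): '
              f'{v["source"]} -> {v["destination"]} is not an approved flow')
```

Each flagged row is a candidate finding for the monthly access-log review; an empty result is the evidence that the configured IAM and firewall rules enforced the matrix for that period.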
⏱️ Estimated Effort
Implementation: 2-3 days for basic setup; ongoing monitoring: 2-4 hours/month. Skill Level: Intermediate.

📋 Evidence Examples

IAM Policy Document

Format: PDF
Frequency: Quarterly
Contents: Role-based access permissions for CUI
Collection: Export from cloud provider console

Firewall Configuration Screenshot

Format: PNG
Frequency: Annually
Contents: Rules restricting CUI flow
Collection: Capture from firewall management interface

Access Logs

Format: CSV
Frequency: Monthly
Contents: Records of CUI transfers
Collection: Export from logging tool

DLP Policy Report

Format: PDF
Frequency: Quarterly
Contents: Summary of CUI flow restrictions
Collection: Generate from DLP tool

Training Records

Format: Excel
Frequency: Annually
Contents: Staff trained on CUI flow policies
Collection: Export from HR system

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.3 ("Control the flow of CUI in accordance with approved authorizations"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control the flow of CUI in accordance with approved authorizations. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control the flow of CUI in accordance with approved authorizations. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where controlling the flow of CUI in accordance with approved authorizations applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented policy for controlling CUI flow?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a policy document outlining approved authorizations for CUI flow. Timeline: 1 week.

Question 2: Are IAM roles configured to restrict CUI flow in cloud environments?

✅ YES → Proceed to Q3
❌ NO → GAP: Configure IAM roles in AWS/Azure/GCP. Timeline: 2 days.

Question 3: Are firewall rules in place to control CUI flow on-premise?

✅ YES → Proceed to Q4
❌ NO → GAP: Set up firewall rules to restrict CUI traffic. Timeline: 1 day.

Question 4: Are logs being maintained for CUI transfers?

✅ YES → Proceed to Q5
❌ NO → GAP: Enable logging for CUI transfers. Timeline: 1 day.

Question 5: Have staff been trained on CUI flow policies?

✅ YES → Compliance confirmed.
❌ NO → GAP: Conduct training for staff. Timeline: 1 week.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete IAM role configuration

Why this happens: Overlooking specific permissions for CUI flow.
How to avoid: Regularly review and test IAM roles.

2. Missing firewall rules

Why this happens: Focusing only on cloud environments.
How to avoid: Audit on-premise firewall configurations.

3. Inadequate logging

Why this happens: Not enabling logging for all CUI transfers.
How to avoid: Centralize logging across all systems.

4. Outdated policies

Why this happens: Failing to update policies regularly.
How to avoid: Schedule quarterly policy reviews.

5. Lack of staff training

Why this happens: Assuming technical controls are sufficient.
How to avoid: Conduct annual training sessions.

📚 Parent Policy

This practice is governed by the Access Control Policy.


📚 Related Controls