AC.L2-3.1.3 — Control the flow of CUI in accordance with approved authorizations.

What this control requires

Control the flow of CUI in accordance with approved authorizations.

Source: CMMC L2 v2.13 AC.L2-3.1.3 / NIST SP 800-171 R2 3.1.3 (official control text).

Why this matters

Information flow control prevents Controlled Unclassified Information (CUI) from traveling to unauthorized destinations—whether that's the open Internet, personal devices, untrusted cloud storage, or external partners lacking proper authorization. Without these guardrails, sensitive procurement data, technical drawings, or contract details can leak through email forwarding, cloud sync services, or compromised endpoints. This control mandates that the organization define where CUI may travel, then enforce those boundaries using technical controls like firewalls, data loss prevention rules, and network segmentation. It's not about who sees the data after it arrives; it's about stopping unauthorized paths before transmission occurs.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls