03.01.03 — Information Flow Enforcement
What this control requires
Source: NIST SP 800-171 R3 §03.01.03 (official control text).
Why this matters
Information Flow Enforcement controls where Controlled Unclassified Information travels within and between systems, independent of user access permissions. This control prevents CUI from transiting insecure paths—such as unencrypted internet connections, unauthorized external services, or systems outside the security boundary. Without flow enforcement, even properly authenticated users might inadvertently route sensitive data through channels that expose it to interception, exfiltration, or unauthorized third parties. Adversaries exploit weak flow controls to extract data through covert channels, DNS tunneling, or by spoofing internal source addresses. Properly implemented, this control ensures CUI only moves through approved, inspected, and encrypted pathways where the organization maintains visibility and policy enforcement.
What evidence assessors expect
Assessors typically look for: configuration export, PDF, screenshot, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.