AC.L2-3.1.3, derived from NIST SP 800-171 Rev 2 requirement 3.1.3, requires organizations to control the flow of CUI in accordance with approved authorizations. This means the organization must define information flow control policies that specify which sources and destinations—networks, individuals, and devices—are permitted to send and receive CUI, both within a system and across interconnected systems. Enforcement mechanisms such as firewalls, data loss prevention (DLP) tools, encrypted tunnels, and network segmentation must be deployed to technically enforce those policy decisions. The practice goes beyond simply granting access (addressed by AC.L2-3.1.1) by governing the pathways and channels through which CUI travels once access is established. Authorizations for each permitted flow must be explicitly defined, documented, and actively enforced by technical controls.
Where it stops · what it isn't
- Does not govern who is authorized to access CUI—that is the scope of AC.L2-3.1.1 (Limit System Access).
- Does not address encryption standards for CUI in transit—those are covered under SC.L2-3.13.8 (Implement Cryptographic Mechanisms).
- Does not cover physical handling or mailing of CUI in non-electronic form—those are addressed under physical protection and CUI marking policies.
- Does not establish identity verification before access—authentication requirements are addressed in the Identification and Authentication (IA) domain.
- Does not require audit logging of flow events—that obligation falls under the Audit and Accountability (AU) domain practices.
Connected concepts in the graph
PART OF: domain/access-control