NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.3 — Information Flow Enforcement
Information flow control regulates where CUI can transit within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking external communications traffic that claims to be sourced from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting CUI transfers between organizations based on data structures and content. Transferring CUI between organizations may require an agreement that specifies how the information flow is enforced (see [](#/cprt/framework/version/SP_800_171_3_0_0/home?element=03.12.05)03.12.05). Transferring CUI between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting CUI transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- approved authorizations are enforced for controlling the flow of CUI within the system.
- approved authorizations are enforced for controlling the flow of CUI between connected systems.
Practitioner Notes
This is about controlling where your CUI can travel, not just who can see it. Even if someone is authorized to view a file, you still need rules that prevent that file from being emailed to a personal Gmail or uploaded to a random cloud service.
Example 1: On your firewall (e.g., Palo Alto or Fortinet), create an outbound rule that blocks traffic to known consumer cloud storage domains (Dropbox, Google Drive personal, iCloud) from the CUI network segment. Use URL filtering categories like Policies → Security → URL Filtering Profile → Block "Personal Storage".
Example 2: In Microsoft Purview (formerly Compliance Center), go to Data Loss Prevention → Policies → Create Policy and build a rule that detects CUI markings or sensitive content patterns in outbound email. Set the action to block and notify the sender. Apply the policy to your Exchange Online and SharePoint tenants.