AC.L2-3.1.3—Control CUI Flow
Level 2
800-171: 3.1.3
Control Description
Control the flow of CUI in accordance with approved authorizations.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- How do you define and document authorized information flows for CUI?
- What is your process for reviewing and approving information flow authorizations?
- Who is responsible for maintaining the information flow control policy?
- How do you handle requests to modify authorized information flows?
Technical Implementation:
- What technical mechanisms control information flow (DLP, network segmentation)?
- How do you implement information flow controls at network and application layers?
- What technologies prevent unauthorized CUI transmission?
- How do you monitor and enforce information flow policies?
- What logging captures information flow violations?
Evidence & Documentation:
- What documentation demonstrates your access control policies and procedures?
- What access control matrices or permissions documentation can you provide?
- What access request and approval records can you show?
- What access review documentation demonstrates periodic reviews?
- What audit logs demonstrate access control enforcement?
- What screenshots or configuration exports show access control settings?