AC.L2-3.1.3: Control CUI Flow

Prevent CUI from moving to unauthorized systems, users, or locations

You control CUI flow so it doesn’t leak to unauthorized systems, users, or locations. This isn’t just about locking down a folder. It’s about closing every path the data could take to escape your boundary.

What the assessor is actually evaluating

Data movement paths. The assessor wants to see you’ve identified every way CUI could move through your environment: email, cloud storage, removable media, print, inter-system transfers, even copy-paste. Then you’ve blocked the ones you don’t want.

Your CUI boundary. CUI flow control enforces the boundary you drew in SC.L2-3.13.1. The assessor checks that CUI can’t drift outside that boundary through careless user actions or misconfigured permissions.

Technical controls in place. DLP rules, email encryption, sensitivity labels, conditional access policies, AppLocker, or USB device restrictions. The control must be active and logged, not just a policy someone wrote.

What users actually do. The assessor will ask what happens when someone tries to forward a CUI email to their personal Gmail, save a labeled file to OneDrive, or copy sensitive data to a USB drive. Your controls should stop it or alert you.

SSP language that works

Example SSP Language: AC.L2-3.1.3

All CUI is classified with a sensitivity label that triggers data loss prevention rules. Users cannot email CUI outside the organization, print CUI, or save labeled files to personal cloud accounts (OneDrive, Dropbox, Google Drive). Conditional Access policies require multi-factor authentication for any system access and block sign-in from unmanaged devices. USB and removable media are disabled for all users handling CUI. We audit CUI flow at least quarterly through DLP reports and maintain a log of blocked and quarantined transfers. Any attempt to move CUI outside the boundary is logged and reviewed by the information security officer.

Why this matters for your assessment

Small contractors often think “we keep CUI in a secure shared folder” and stop there. But the assessor won’t. They’ll ask: Can someone email a file out? Can they copy it to their personal OneDrive? Can they save it to a USB drive or cloud sync? If any of those are yes, you’re not controlling flow.

For most small contractors, the practical implementation is USB read/write blocking (via Intune or Group Policy) and personal cloud storage blocking (usually through DNS filtering or web content filtering that blocks Dropbox, personal Google Drive, personal OneDrive, etc.). As long as those controls are defined in your SSP and actually enforced, that’s sufficient. You don’t need a full Microsoft Purview DLP deployment if simpler controls close the same paths.
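The two "simple controls" above are only worth claiming if every CUI endpoint actually has them applied. The PowerShell script below is an added example, not part of the original page or any vendor tool: it reads the registry locations that the corresponding Group Policy settings write to (removable storage denial, and the OneDrive "prevent personal account sync" setting) and reports pass/fail per control. The registry paths are the documented policy locations; the control names, the expected values and the report format are this example's own assumptions.

```powershell
# Added example (not from the original page): audit one Windows endpoint for the
# simple CUI flow controls named above. Registry paths are the documented
# Group Policy locations; names, expected values and output are assumptions.

$checks = @(
    [pscustomobject]@{
        Control  = 'Removable storage: deny all access (all classes)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        Value    = 'Deny_All'
        Expected = 1
    },
    [pscustomobject]@{
        Control  = 'Removable disks: deny write access'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
        Value    = 'Deny_Write'
        Expected = 1
    },
    [pscustomobject]@{
        Control  = 'OneDrive: prevent personal account sync'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
        Value    = 'DisablePersonalSync'
        Expected = 1
    }
)

function Test-CuiFlowEndpoint {
    param([Parameter(Mandatory)] $Checks)

    foreach ($c in $Checks) {
        # A missing key or value means the policy was never applied on this host.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Value) }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Control  = $c.Control
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
}

$results = Test-CuiFlowEndpoint -Checks $checks
$results | Format-Table -AutoSize

# "Deny all" is sufficient on its own; a per-class deny-write without it is a
# partial control. Flag any host where neither removable-media check passes.
$denyAll   = ($results | Where-Object Control -like 'Removable storage*').Status -eq 'PASS'
$denyWrite = ($results | Where-Object Control -like 'Removable disks*').Status -eq 'PASS'
if (-not ($denyAll -or $denyWrite)) {
    Write-Warning "$env:COMPUTERNAME: removable media is NOT blocked; this host would fail the walkthrough."
}
```

Run it against every CUI workstation (for example through `Invoke-Command -ComputerName` over your CUI device list) rather than one test machine; a single host that reports "not set" is exactly the inconsistent-enforcement finding described later on this page. If the settings are pushed by Intune rather than Group Policy, they may be written to different registry locations, so treat this script as the Group Policy check and confirm the Intune device configuration report separately.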

GCC High and commercial split. If CUI lives in GCC High and you also have a commercial tenant, the assessor needs to see that CUI can’t flow between them. This means separate accounts for the GCC High tenant (not the same credentials as commercial), and policies preventing autoforwarding from GCC High accounts to commercial accounts. Separate endpoints are ideal but not always required. The key is account separation and policy enforcement that prevents CUI from drifting to the commercial side.

How to present your evidence

Walk the assessor through a real CUI file. Show the sensitivity label. Explain the DLP rules tied to it. Demo what happens when someone tries to email it or copy it somewhere unauthorized. Show the audit logs of attempted and blocked transfers. Pull up your conditional access policies showing what environments CUI users can access. Have your email encryption settings ready.

The assessor wants to see you know your own data movement. Not just the policy. The working implementation.

Common failures

What gets flagged

Failure. You have a DLP policy written in your SSP but it's not actually enabled in Microsoft Purview. The assessor checks the tenant and finds no active rules. You lose this control.

Failure. CUI lives in a secure SharePoint folder with proper permissions, but any user with access can forward it to their personal email. No email rules block it. The boundary isn't enforced.

Failure. You claim users can't print CUI but Group Policy settings aren't applied to all devices. Some machines still allow printing. Enforcement is inconsistent.

What passes

Success. You show an active Purview DLP policy blocking external email for files tagged "CUI." You pull up the policy wizard, show the rule conditions, and point to the block action. You then pull up the DLP reports showing dozens of blocked emails in the last 90 days with quarantine records.

Success. You explain that CUI users can only access systems within your GCC High tenant. Conditional Access policies block sign-in to the commercial tenant entirely. You show the policy applied to the CUI user group.
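The difference between the first failure above (a DLP policy that exists only in the SSP) and the first success (an active, blocking policy) can be checked from Security & Compliance PowerShell before the assessor does it for you. The script below is an added example, not the page's own material or Microsoft's: it uses the `Get-DlpCompliancePolicy` and `Get-DlpComplianceRule` cmdlets from the ExchangeOnlineManagement module to confirm that the policy is in enforce mode (not a test mode), covers Exchange, and has at least one enabled rule with a block action. The policy name `CUI-Block-External-Email` is a placeholder for your own; the findings wording is this example's assumption.

```powershell
# Added example (not from the original page): confirm that the DLP policy the
# SSP names is enforced in the Purview tenant, not merely documented.
# Cmdlets are from the ExchangeOnlineManagement module; the policy name is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive admin sign-in; GCC High needs the -ConnectionUri documented for that cloud

function Test-CuiDlpPolicy {
    param([Parameter(Mandatory)][string] $PolicyName)

    $policy = Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        return [pscustomobject]@{
            Policy  = $PolicyName
            Finding = 'Policy does not exist in this tenant'
            Status  = 'FAIL'
        }
    }

    $findings = @()

    # Mode must be 'Enable'. The test modes simulate and report but never block.
    if ($policy.Mode -ne 'Enable') {
        $findings += "Policy mode is '$($policy.Mode)', not 'Enable'"
    }

    # Email is out of scope unless the policy has an Exchange location.
    if (-not $policy.ExchangeLocation) {
        $findings += 'Policy has no Exchange (email) location'
    }

    # Every rule must be enabled and must block, not just show a policy tip.
    $rules = Get-DlpComplianceRule -Policy $PolicyName
    if (-not $rules) { $findings += 'Policy has no rules' }
    foreach ($r in $rules) {
        if ($r.Disabled)         { $findings += "Rule '$($r.Name)' is disabled" }
        if (-not $r.BlockAccess) { $findings += "Rule '$($r.Name)' notifies only; it does not block" }
    }

    [pscustomobject]@{
        Policy  = $PolicyName
        Finding = if ($findings) { $findings -join '; ' } else { 'Enforced: mode Enable, Exchange in scope, rules active and blocking' }
        Status  = if ($findings) { 'FAIL' } else { 'PASS' }
    }
}

Test-CuiDlpPolicy -PolicyName 'CUI-Block-External-Email' | Format-List
```

A PASS here proves the policy is live and blocks; it does not prove the rule's conditions match your CUI sensitivity label or that the block is scoped to external recipients, so still walk the rule conditions in the policy wizard as the success example above describes, and keep the DLP report of blocked messages as the evidence that the rule fires in practice.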

Q&A: What the assessor asks and what good answers sound like

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "Show me how you prevent CUI from being emailed outside the organization."
"We use Microsoft Purview DLP with a policy that blocks emails containing files with our CUI sensitivity label. When someone tries to send it externally, they get a policy tip warning them, and the email is blocked. [Pull up the DLP rule in Purview.] Here's a report of blocked transfers from the last month. You can see the timestamps and which users triggered the blocks."
Assessor: "What about USB drives and removable media?"
"Removable media is disabled via Group Policy for all users who access CUI. We've applied the policy to the CUI_Users security group, and we audit compliance at least quarterly. [Pull up the GPO settings.] If someone tries to plug in a USB drive, they get an error message and can't access it. We log all attempts in Event Viewer."
Assessor: "How do you handle CUI in a GCC High and commercial Microsoft tenant split?"
"CUI only lives in GCC High. Conditional Access policies block any GCC High user from authenticating to the commercial tenant. If someone tries to sign in to commercial with their GCC High account, it fails automatically. [Show the policy in Conditional Access.] We separate the user groups and apply different policies to each tenant."
Assessor: "What happens if someone copies CUI to their OneDrive?"
"Personal cloud sync like OneDrive is blocked for CUI users. We use Conditional Access policies to restrict sign-in to only managed, approved devices, and those devices have OneDrive personal sync disabled via Group Policy. Files labeled CUI that somehow end up in personal accounts are caught by our DLP rule that scans cloud content. We also use data retention policies to delete labeled files from unauthorized locations automatically."
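Two of the answers above rest on Conditional Access: MFA and managed-device-only sign-in for CUI users. The script below is an added example, not from the original page or Microsoft, that uses the Microsoft Graph PowerShell SDK (`Get-MgIdentityConditionalAccessPolicy`, `Get-MgGroup`) to list the policies that are actually enforced against the `CUI_Users` group named in the answers and to report whether an MFA control and a device control are among them. The function name, the output fields and the treatment of report-only policies as non-evidence are this example's assumptions.

```powershell
# Added example (not from the original page): verify that the Conditional Access
# claims made for CUI users are backed by enforced policies. The group name
# 'CUI_Users' comes from the Q&A above; the checks and output are assumptions.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'   # add -Environment USGov for GCC High

function Test-CuiConditionalAccess {
    param([Parameter(Mandatory)][string] $GroupName)

    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found" }

    # Only enforced policies count. Report-only and disabled policies prove nothing
    # to an assessor, so they are filtered out before any control is credited.
    $enforced = Get-MgIdentityConditionalAccessPolicy |
        Where-Object {
            $_.State -eq 'enabled' -and
            ($_.Conditions.Users.IncludeGroups -contains $group.Id -or
             $_.Conditions.Users.IncludeUsers  -contains 'All')
        }

    $controls = $enforced | ForEach-Object { $_.GrantControls.BuiltInControls }

    [pscustomobject]@{
        Group                 = $GroupName
        EnforcedPolicies      = ($enforced.DisplayName -join ', ')
        RequiresMfa           = [bool]($controls -contains 'mfa')
        RequiresManagedDevice = [bool](($controls -contains 'compliantDevice') -or ($controls -contains 'domainJoinedDevice'))
    }
}

$report = Test-CuiConditionalAccess -GroupName 'CUI_Users'
$report | Format-List
if (-not ($report.RequiresMfa -and $report.RequiresManagedDevice)) {
    Write-Warning 'An SSP claim (MFA or managed-device-only sign-in) has no enforced Conditional Access policy behind it.'
}
```

The script does not evaluate exclusions (a policy that includes the group but excludes a subset of its members will still be credited), and it cannot see whether GCC High accounts are blocked from the commercial tenant, which is configured on the commercial side; show that policy in the commercial tenant's Conditional Access blade separately.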

If you use an MSP or MSSP

Clarify in your SSP who owns CUI flow controls. If your MSP manages your Microsoft 365 tenant, they should manage DLP policies and conditional access. Get a signed statement from them confirming:

  • What DLP policies they’ve enabled for your organization
  • What conditional access policies are in place
  • What they log and monitor for CUI transfers
  • How often they review DLP reports
  • What you’re responsible for (end-user training, internal procedures) and what they’re responsible for (technical controls, audits)

You’re still accountable for the control. Make sure you get copies of the audit logs and reports.


This page reflects NIST SP 800-171 Rev 2 requirement 3.1.3 and CMMC Level 2 expectations. Assessment outcomes depend on your specific environment, tools, and implementation details. Always verify your controls work before your assessment.