Control AC.L2-3.1.3 in CMMC 2.0 / NIST SP 800-171 Rev.2 requires that Controlled Unclassified Information (CUI) movement is controlled in accordance with approved authorizations — the practical way to show that is a living data flow map that documents where CUI exists, how it travels, and what controls enforce those flows.
Why AC.L2-3.1.3 matters for your Compliance Framework program
At a high level, auditors and assessors need evidence that CUI is not free to roam: it must be identified, its permitted paths must be explicit, and technical and administrative controls must enforce those paths. A data flow map is the central piece of evidence that ties together inventory, network segmentation, access control, DLP, and the organization’s authorization decisions under the Compliance Framework (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2).
Practical steps to build the data flow map
Discovery and classification
Start with discovery: scan repositories (file shares, SharePoint, G Suite/Workspace, Box, AWS S3, endpoints) with classification tools or manual review to identify files and locations containing CUI. Tag discovered items in a classification inventory (CSV or CMDB fields) with attributes: data type, owner, location, access group, retention, and handling constraints. For a small business, an initial scope might be a single project folder in SharePoint, an S3 bucket, and a handful of employee laptops—document them precisely.
Map construction: nodes, flows, and controls
Create the map in a diagram tool (draw.io, Lucidchart, Miro). Represent each node (user, device, cloud service, partner, printer) and each flow (protocol, port, direction). For each flow include: data classification (CUI), allowed protocols (HTTPS, SFTP), encryption requirements (TLS 1.2+), authentication (MFA required), and enforcement points (firewall, proxy, CASB, DLP). Example: "Engineering laptop → SharePoint (HTTPS port 443) — label enforced via Microsoft Purview DLP; access limited by Conditional Access to compliant devices."
Technical controls to enforce and limit CUI movement
Translate map items into enforceable controls. Network segmentation: put systems that process CUI in a protected VLAN/VPC behind firewall ACLs that deny inbound and outbound by default and permit only the flows on the map. Order matters, because most ACLs are first-match: the specific permits come first and the catch-all deny last (example: permit tcp from 10.10.10.0/24 to 10.20.20.0/24 eq 443, then deny ip any any; a deny-any placed first would shadow every permit below it and block the flows you just authorized). Use host-based controls: HIPS/EDR, local firewall rules, and MDM to keep unmanaged devices off CUI systems. For cloud storage, enforce bucket policies or conditional access: for example, an S3 bucket policy whose conditions deny access unless the request arrives through the company VPC endpoint (aws:SourceVpce) or from approved source IP ranges, or SharePoint/OneDrive sharing settings that block external sharing for sites labeled CUI.
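The map in the previous two sections only counts as evidence for AC.L2-3.1.3 if the enforcement points actually implement it. The script below is an added example (not code from the original article): it reconciles a small authorized flow map against a first-match ACL and reports the four things an assessor asks about: mapped flows the ACL does not permit, permit entries that no approval covers, shadowed (dead) entries, and whether the list ends in an explicit deny-all. The 10.10.10.0/24 engineering segment, the 10.20.20.0/24 CUI segment, the SFTP gateway host and the CR-xxxx tickets are placeholders chosen here.

```python
"""Reconcile the authorized CUI flow map against a first-match firewall ACL.

Added example, not code from the original article. The subnets, the SFTP
gateway host and the CR-xxxx approval tickets are placeholders chosen here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One permitted path from the data flow map and the ticket that approved it."""
    src: str            # CIDR of the sending nodes
    dst: str            # CIDR of the receiving nodes
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    approval: str       # change-control ticket holding the authorization


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Entries are evaluated top-down; the first match wins."""
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" (any protocol)
    src: str
    dst: str
    port: Optional[int]  # None matches any destination port


ANY = "0.0.0.0/0"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def contains(outer, inner):
    """True when every packet in inner's scope also matches outer."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    port_ok = outer.port is None or outer.port == inner.port
    return (proto_ok and port_ok
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))


def intersects(a, b):
    """True when at least one packet could match both a and b."""
    proto_ok = "ip" in (a.proto, b.proto) or a.proto == b.proto
    port_ok = None in (a.port, b.port) or a.port == b.port
    return (proto_ok and port_ok
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst)))


def reconcile(flows, acl):
    """Compare the map with the ACL and return the findings.

    unenforced:   approval IDs of mapped flows the ACL does not actually permit
                  (first matching entry is a deny, a partial match, or nothing)
    unauthorized: indexes of permit entries that no approved flow covers
    shadowed:     indexes of entries fully covered by an earlier entry (dead rules)
    default_deny: whether the ACL ends with an explicit deny-all
    """
    findings = {"unenforced": [], "unauthorized": [], "shadowed": [], "default_deny": False}
    for flow in flows:
        hit = next((r for r in acl if intersects(r, flow)), None)
        if hit is None or hit.action != "permit" or not contains(hit, flow):
            findings["unenforced"].append(flow.approval)
    for i, rule in enumerate(acl):
        if any(contains(earlier, rule) for earlier in acl[:i]):
            findings["shadowed"].append(i)
        if rule.action == "permit" and not any(contains(f, rule) for f in flows):
            findings["unauthorized"].append(i)
    deny_all = Rule("deny", "ip", ANY, ANY, None)
    findings["default_deny"] = bool(acl) and acl[-1].action == "deny" and contains(acl[-1], deny_all)
    return findings


# Constructed flow map: two approved paths, each tied to its change ticket.
FLOWS = [
    Flow("10.10.10.0/24", "10.20.20.0/24", "tcp", 443, "CR-1042"),  # laptops -> CUI web app
    Flow("10.20.20.0/24", "10.20.30.5/32", "tcp", 22, "CR-1051"),   # CUI app -> SFTP gateway
]

# Correct ordering: specific permits first, explicit deny-all last.
# The SMB (445) permit was never approved and should surface as unauthorized.
GOOD_ACL = [
    Rule("permit", "tcp", "10.10.10.0/24", "10.20.20.0/24", 443),
    Rule("permit", "tcp", "10.20.20.0/24", "10.20.30.5/32", 22),
    Rule("permit", "tcp", "10.10.10.0/24", "10.20.20.0/24", 445),
    Rule("deny", "ip", ANY, ANY, None),
]

# Deny-all placed first: it shadows every permit below it, so no mapped flow works.
BAD_ACL = [
    Rule("deny", "ip", ANY, ANY, None),
    Rule("permit", "tcp", "10.10.10.0/24", "10.20.20.0/24", 443),
    Rule("permit", "tcp", "10.20.20.0/24", "10.20.30.5/32", 22),
]

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, reconcile(FLOWS, acl))
```

Running it against GOOD_ACL reports the unapproved SMB entry as unauthorized and nothing else; against BAD_ACL it reports both approved flows as unenforced and both permits as shadowed, which is exactly the failure the ordering rule above is meant to prevent. In practice the flow list comes from the map's export (CSV or the diagram tool's data layer) and the ACL from the firewall's config export, so the same two artifacts you hand the assessor drive the check.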
Detection, monitoring, and validation
Implement DLP and monitoring to validate that real traffic matches the map. Deploy DLP rules (Microsoft Purview DLP, Google Workspace DLP, or third-party) that detect CUI labels and block or quarantine exfiltration attempts via email, web upload, or removable media; run them in audit-only mode first and tune on the false positives before switching to block, so enforcement does not stall legitimate CUI work. Use a CASB to monitor SaaS behavior, NetFlow/flow logs and Zeek/Suricata for network flows, and centralized logging (Splunk/Elastic) for correlation. For small businesses, start with cloud-native logs (Azure AD sign-in logs, AWS CloudTrail, Office 365 audit logs) and set alerts for anomalous CUI access or transfers (large download from a CUI repository, new external share link creation, a read that bypasses the expected network path).
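As an added example of the cloud-native alerting suggested here (and of the CloudTrail alerting in Scenario 2 below), the script that follows runs two detections over constructed CloudTrail S3 data-event records: a CUI read that did not arrive through the approved VPC endpoint, and one principal pulling more than a threshold from CUI buckets inside a sliding window. It is not code from the original article; the bucket name, endpoint ID, account number, principals and thresholds are placeholders. The record fields used (eventName, vpcEndpointId, requestParameters.bucketName, additionalEventData.bytesTransferredOut) are the ones CloudTrail emits for S3 object-level events, which only appear once data events are enabled for the trail.

```python
"""Detect CUI bucket reads that bypass the VPC endpoint, and bulk downloads.

Added example, not code from the original article. The CloudTrail records
are constructed; bucket, endpoint ID, account and principals are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CUI_BUCKETS = {"acme-cui-projects"}        # placeholder bucket name
ALLOWED_VPCE = {"vpce-0ab12cd34ef56789"}     # placeholder corporate endpoint
BULK_BYTES = 500 * 1024 * 1024               # 500 MiB from one principal...
WINDOW = timedelta(minutes=10)               # ...within this sliding window


def parse_records(raw_json):
    """Keep only GetObject events on CUI buckets, normalized to the fields we need."""
    events = []
    for r in json.loads(raw_json)["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        bucket = r.get("requestParameters", {}).get("bucketName")
        if bucket not in CUI_BUCKETS:
            continue
        events.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "principal": r["userIdentity"]["arn"],
            "source_ip": r.get("sourceIPAddress"),
            "vpce": r.get("vpcEndpointId"),   # absent when no VPC endpoint was used
            "bucket": bucket,
            "key": r["requestParameters"].get("key"),
            "bytes": int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0)),
        })
    return events


def outside_vpce(events):
    """Rule 1: any CUI read that did not arrive through an approved VPC endpoint."""
    return [{"rule": "CUI_READ_OUTSIDE_VPCE", "principal": e["principal"],
             "source_ip": e["source_ip"], "key": e["key"], "time": e["time"].isoformat()}
            for e in events if e["vpce"] not in ALLOWED_VPCE]


def bulk_download(events):
    """Rule 2: one principal pulling >= BULK_BYTES from CUI buckets inside WINDOW."""
    alerts = []
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["time"])
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            while evs[end]["time"] - evs[start]["time"] > WINDOW:   # slide the window
                total -= evs[start]["bytes"]
                start += 1
            if total >= BULK_BYTES:
                alerts.append({"rule": "CUI_BULK_DOWNLOAD", "principal": principal,
                               "bytes": total, "objects": end - start + 1,
                               "window_end": e["time"].isoformat()})
                break                                               # one alert per principal
    return alerts


def detect(raw_json):
    events = parse_records(raw_json)
    return outside_vpce(events) + bulk_download(events)


def _rec(t, arn, name, bucket, key, nbytes, vpce=None, ip="10.20.20.14"):
    """Build one constructed CloudTrail-shaped record."""
    r = {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
         "requestParameters": {"bucketName": bucket, "key": key},
         "additionalEventData": {"bytesTransferredOut": nbytes}}
    if vpce:
        r["vpcEndpointId"] = vpce
    return r


ENG = "arn:aws:sts::123456789012:assumed-role/Engineer/alice"   # placeholder
CTR = "arn:aws:iam::123456789012:user/contractor-bob"            # placeholder
MiB = 1024 * 1024
VPCE = "vpce-0ab12cd34ef56789"
SAMPLE_TRAIL = json.dumps({"Records": [   # constructed sample log
    _rec("2024-05-06T10:00:00Z", ENG, "GetObject", "acme-cui-projects", "spec.docx", 50 * MiB, VPCE),
    _rec("2024-05-06T10:00:30Z", ENG, "PutObject", "acme-cui-projects", "spec-v2.docx", 0, VPCE),
    _rec("2024-05-06T10:01:00Z", ENG, "GetObject", "acme-cui-projects", "drawing.dwg", 30 * MiB, VPCE),
    # read from a public address with no endpoint ID: bypassed the corporate path
    _rec("2024-05-06T10:02:00Z", ENG, "GetObject", "acme-cui-projects", "spec.docx", 1 * MiB, ip="203.0.113.7"),
    _rec("2024-05-06T10:03:00Z", CTR, "GetObject", "acme-cui-projects", "export-1.zip", 400 * MiB, VPCE),
    _rec("2024-05-06T10:05:00Z", CTR, "GetObject", "acme-cui-projects", "export-2.zip", 200 * MiB, VPCE),
    # non-CUI bucket from the internet is out of scope for these two rules
    _rec("2024-05-06T10:06:00Z", CTR, "GetObject", "acme-public-site", "logo.png", 1 * MiB, ip="198.51.100.9"),
]})

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAIL):
        print(alert)
```

On the sample it raises one CUI_READ_OUTSIDE_VPCE alert for the engineer's read from 203.0.113.7 and one CUI_BULK_DOWNLOAD alert for the contractor (600 MiB in two minutes); the engineer's 81 MiB stays under the threshold, and the public bucket is ignored. Each alert carries the principal, the object key and the time, which is what the remediation ticket you keep as evidence needs to reference.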
Governance, documentation, and evidence for assessors
Document the authorization model: who approved each permitted flow, the business justification, and compensating controls. Keep artifacts: the data flow diagram, the classification inventory, firewall rule sets, DLP policies, conditional access settings, and monitoring alerts with remediation steps. Include routine validation: quarterly reviews, vulnerability scans, and change-control tickets that show approval when a new flow is introduced. For a small business, a single spreadsheet tying each flow to an approval and two evidence items (config export + recent access log) is often sufficient for an assessor.
Real-world small-business scenarios and examples
Scenario 1: A subcontractor team uses Microsoft 365 to store CUI. Solution: label the SharePoint site as CUI, enforce a conditional access policy requiring compliant devices and MFA for access, and create a DLP rule that blocks external sharing of labeled documents. Scenario 2: Engineers use AWS S3 for project artifacts. Solution: restrict the S3 bucket with a policy that denies access unless the request arrives through the corporate VPC endpoint (a condition on aws:SourceVpce), with an explicit exception for a break-glass administrative role so the deny does not also lock out console access; enable S3 Object Lock if retention is required; turn on CloudTrail data events for the bucket (object-level GetObject/PutObject calls are not logged by a management-events-only trail) plus S3 server access logs, and alert on any GetObject that does not carry the expected vpcEndpointId.
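The bucket policy for Scenario 2, as an added example (not code from the original article or from AWS): the script builds the deny-unless-VPC-endpoint statement with a break-glass exception and then checks it with a small evaluator covering only the two condition operators the statement uses. The one IAM rule the evaluator models is the one that makes this policy work: a negated operator (StringNotEquals, ArnNotLike) evaluates to true when its key is absent from the request, so a request from the internet, which carries no aws:SourceVpce at all, is denied. The bucket name, endpoint ID, account number and role ARN are placeholders.

```python
"""Build the deny-unless-VPC-endpoint bucket policy for Scenario 2 and check it.

Added example, not code from the original article or from AWS. Bucket name,
endpoint ID, account number and break-glass role are placeholders. The
evaluator models only the two operators used and the IAM rule that a negated
operator is true when its key is missing from the request context.
"""
import fnmatch
import json

BUCKET = "acme-cui-projects"                                   # placeholder
CORP_VPCE = "vpce-0ab12cd34ef56789"                            # placeholder
BREAK_GLASS = "arn:aws:iam::123456789012:role/CuiBreakGlass"   # placeholder


def build_policy(bucket, vpce, break_glass_arn):
    """Deny every S3 action on the bucket unless the request came through vpce.

    The two operators inside one Condition block are ANDed, so the deny fires
    only for requests that are off-endpoint AND not the break-glass role.
    Without that exception the statement also blocks the AWS console.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCuiAccessOutsideCorpVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": vpce},
                "ArnNotLike": {"aws:PrincipalArn": break_glass_arn},
            },
        }],
    }


def _condition_true(operator, expected, actual):
    """Evaluate one negated condition; a missing key makes it true."""
    if actual is None:
        return True
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "ArnNotLike":
        return not fnmatch.fnmatchcase(actual, expected)   # ARN wildcards are * and ?
    raise NotImplementedError(operator)


def denied_by_policy(policy, request_ctx):
    """True if all conditions of any Deny statement hold for this request context.

    request_ctx maps condition keys to values; omit aws:SourceVpce for a request
    that used no VPC endpoint. Action/Resource matching is skipped here because
    the statement already covers s3:* on the whole bucket.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = [(op, key, exp) for op, kv in stmt["Condition"].items() for key, exp in kv.items()]
        if all(_condition_true(op, exp, request_ctx.get(key)) for op, key, exp in conds):
            return True
    return False


POLICY = build_policy(BUCKET, CORP_VPCE, BREAK_GLASS)
ENGINEER = "arn:aws:sts::123456789012:assumed-role/Engineer/alice"   # placeholder

# Constructed request contexts, as the policy engine would see them.
CASES = {
    "engineer_via_corp_vpce": {"aws:PrincipalArn": ENGINEER, "aws:SourceVpce": CORP_VPCE},
    "engineer_from_internet": {"aws:PrincipalArn": ENGINEER},
    "engineer_via_other_vpce": {"aws:PrincipalArn": ENGINEER, "aws:SourceVpce": "vpce-0deadbeef0000000"},
    "break_glass_from_console": {"aws:PrincipalArn": BREAK_GLASS},
}


def evaluate_cases(policy=POLICY, cases=CASES):
    """Return {case name: 'DENY' or 'NOT DENIED'} for each request context."""
    return {name: ("DENY" if denied_by_policy(policy, ctx) else "NOT DENIED")
            for name, ctx in cases.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))   # paste into the bucket policy editor after replacing placeholders
    for name, verdict in evaluate_cases().items():
        print(f"{name:26} {verdict}")
```

"NOT DENIED" means only that this statement does not block the request; the principal still needs an IAM or bucket-policy Allow to read the objects. Keep the JSON export of the deployed policy and the output of a test like this (off-endpoint request denied, on-endpoint request permitted) together as the two evidence items for this flow.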
Risk of not implementing AC.L2-3.1.3
Failing to control CUI flows risks accidental or malicious exfiltration, regulatory fallout, and lost contracts. Practical consequences include immediate DFARS or contract noncompliance, suspension from DoD contracting, required breach notifications, and erosion of trust. Technically, unsegmented networks and permissive cloud sharing greatly increase attack surface: a compromised low-privilege machine can become a pivot point if CUI movement is not limited and monitored.
Compliance tips and best practices
Minimize CUI footprint: limit where CUI is stored and restrict copies. Use automated labeling (MIP, Google labels) paired with technical enforcement (DLP, CASB). Maintain a change log and POA&M for flows you can’t immediately remediate. Run periodic table-top and penetration tests to validate controls. For evidence readiness, export configurations (firewall rules, IAM policies), keep dated diagrams, and capture screenshot/video of policy tests showing blocked transfers.
Summary: a practical data flow map for AC.L2-3.1.3 is a living artifact that documents CUI nodes and permitted paths, ties each path to explicit authorizations and technical enforcement, and is validated through monitoring and periodic review; implementing it reduces risk, provides audit evidence, and is achievable for small businesses by focusing first on discovery, labeling, and enforcement at the boundary points (cloud controls, firewalls, DLP) and then expanding monitoring and governance over time.