AC.L2-3.1.3 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) requires organizations to control the flow of Controlled Unclassified Information (CUI) so only authorized users, devices, and processes can access or transmit it; this post provides practical, technical steps to enforce that requirement using firewalls, segmentation, and Data Loss Prevention (DLP) for a small business operating under the Compliance Framework.
Why AC.L2-3.1.3 matters and the risk of non-compliance
Failing to control CUI flow exposes a small business to data exfiltration, lateral spread after a compromise, contract termination, regulatory penalties, and loss of future federal or DoD work. In practice, uncontrolled flows mean CUI can be accidentally sent to personal email, stored in uncontrolled cloud folders, or accessed by unmanaged devices. For a small engineering contractor, for example, an unchecked file sync could push drawing files to a consumer cloud account, which is an immediate compliance breach and an intellectual property risk. The objective under the Compliance Framework is strict, documented control of where CUI can move and which users and processes may touch it.
Step 1: Map CUI data flows before applying controls
Begin with a simple but authoritative data flow diagram: list the systems that create, store, process, or transmit CUI (workstations, document servers, CAD servers, email, SaaS), the network paths between them, and the authorized destinations (internal servers, approved cloud tenants, partner IPs). Use a spreadsheet to map asset owners, classification labels, required ports/protocols, and retention and egress needs. Example: a small law firm might identify CUI on an on-prem file server (192.168.10.10) that is accessible only from attorney workstations (VLAN 20) and from the firm's secure backup server in the cloud (10.0.5.20 in an AWS VPC, reached over VPN). That map drives all firewall rules, VLANs, and DLP policies.
Step 2: Network segmentation and zoning (practical layout)
Design zones that separate CUI-bearing systems from general-use areas: management VLAN (VLAN 1), CUI servers VLAN (VLAN 50), employee workstations VLAN (VLAN 20), guest Wi-Fi VLAN (VLAN 100), and vendor/contractor VLAN (VLAN 70). For small businesses: implement these VLANs on your core switch (e.g., Cisco/Juniper/Meraki) and permit inter-VLAN routing only through a firewall or virtual router where you can apply policy. Example ACL rules on a firewall: allow VLAN 20 -> VLAN 50 on TCP/445 and TCP/3389 only from authorized host subnets; deny VLAN 100 -> VLAN 50 entirely. Where possible, use access control lists on the switch to limit ARP/ICMP and so reduce lateral discovery, and consider host-based firewalls as a second layer of segmentation on endpoints.
Firewall rules and egress controls (specific examples)
Implement stateful firewall policies that are as specific as possible: allow only the minimal ports, protocols, and destination IPs needed for CUI flows. Example pseudocode rules: 1) Allow 192.168.20.0/24 -> 192.168.50.10 TCP/445 (SMB) for file access; 2) Allow 192.168.20.0/24 -> 10.0.5.20 TCP/443 to the approved cloud backup endpoint; 3) Deny 192.168.20.0/24 -> ANY:25 (prevent direct mail relay). For small businesses using iptables on a perimeter Linux gateway, a rule to block outbound SMTP from the LAN except to the mail relay (203.0.113.5) might be: iptables -A FORWARD -p tcp --dport 25 ! -d 203.0.113.5 -j REJECT (the negation goes before -d in current iptables; the FORWARD chain covers traffic the gateway routes for workstations, whereas OUTPUT only covers the gateway's own connections). Egress filtering is critical: if workstations can talk directly to arbitrary external endpoints, CUI can leave unnoticed.
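The following is an added example, not code from the original post: a small Python model of the deny-by-default policy described in Steps 1 and 2 and in the pseudocode rules above. It evaluates a flow (source, destination, protocol, port) against an ordered rule list with an implicit final deny, and renders the same rules as iptables FORWARD commands for a Linux gateway. The addresses and ports are the ones quoted in the post; the guest VLAN subnet (192.168.100.0/24) and the rule justifications are assumptions made for the example.

```python
"""Deny-by-default firewall policy model for the CUI flows in the post.

Added example, not the post's own code. Assumes VLAN 20 = 192.168.20.0/24,
VLAN 50 = 192.168.50.0/24 (the CUI server is 192.168.50.10) and, as an
assumption not stated in the post, guest VLAN 100 = 192.168.100.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of the source
    dst: str               # CIDR of the destination ("0.0.0.0/0" = any)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    note: str              # justification, kept as assessment evidence


POLICY = [
    Rule("allow", "192.168.20.0/24", "192.168.50.10/32", "tcp", 445, "SMB file access to CUI server"),
    Rule("allow", "192.168.20.0/24", "10.0.5.20/32", "tcp", 443, "approved cloud backup endpoint"),
    Rule("deny", "192.168.20.0/24", "0.0.0.0/0", "tcp", 25, "no direct mail relay"),
    Rule("deny", "192.168.100.0/24", "192.168.50.0/24", "any", None, "guest VLAN never reaches CUI"),
]


def matches(rule, src, dst, proto, dport):
    """True when a single flow falls inside the rule's source, destination, protocol and port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(src, dst, proto, dport, policy=POLICY):
    """First-match evaluation; any flow not explicitly allowed is denied."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.note
    return "deny", "implicit deny (no matching rule)"


def to_iptables(policy=POLICY):
    """Render the policy as iptables FORWARD rules followed by a default-deny chain policy."""
    lines = []
    for r in policy:
        parts = ["iptables", "-A", "FORWARD", "-s", r.src]
        if r.dst != "0.0.0.0/0":
            parts += ["-d", r.dst]
        if r.proto != "any":
            parts += ["-p", r.proto]
            if r.dport is not None:
                parts += ["--dport", str(r.dport)]
        parts += ["-j", "ACCEPT" if r.action == "allow" else "REJECT"]
        lines.append(" ".join(parts) + f"   # {r.note}")
    lines.append("iptables -P FORWARD DROP   # deny-by-default")
    return lines


if __name__ == "__main__":
    for flow in [("192.168.20.15", "192.168.50.10", "tcp", 445),
                 ("192.168.20.15", "192.168.50.10", "tcp", 3389),
                 ("192.168.20.15", "198.51.100.7", "tcp", 25),
                 ("192.168.100.9", "192.168.50.10", "tcp", 445)]:
        print(flow, "->", decide(*flow))
    print("\n".join(to_iptables()))
```

Note that RDP (TCP/3389) from a workstation to the CUI server is denied here because it is not in the allow list, even though Step 2 mentions it as a candidate port: the point of a deny-by-default posture is that every permitted flow has to be written down with its justification.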
Step 3: Deploy DLP tuned to CUI types and locations
Deploy DLP in layered mode: endpoint DLP on laptops, network DLP at mail and web gateways, and cloud DLP (CASB/DLP) for sanctioned SaaS. Start by defining detection rules based on your CUI types: keywords, document templates, metadata tags, and regular expressions (e.g., for contract numbers). Practical rule example: block attachments containing "PROPRIETARY" and larger than 50KB when sent to external recipients; quarantine or encrypt outbound archives that match CAD file extensions (.dwg, .dxf) and contain CUI keywords. For small businesses without enterprise DLP, use email gateway rules (Exchange Online transport rules or Proofpoint) and Microsoft Purview Data Loss Prevention policies to prevent auto-forwarding of labeled CUI to external addresses.
Handling encrypted traffic and false positives
Encrypted traffic limits inspection: implement TLS inspection at a perimeter proxy where policy and privacy allow, or use endpoint DLP to catch client-side uploads. Balance inspection with privacy: exempt HR/legal communications where necessary and document the exceptions. Tune DLP gradually: begin in 'monitor' mode for 2 to 4 weeks, review incidents, adjust regexes and thresholds to reduce false positives, then switch to 'block' or 'encrypt' for high-confidence matches.
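As an added example (not the post's code and not any vendor's DLP engine), the following Python models the rule examples from Step 3 together with the monitor-then-block rollout described above. It evaluates outbound messages against three rules (the "PROPRIETARY" plus 50KB rule, the CAD-extension plus CUI-keyword rule, and a contract-number regex) and applies either monitor mode, where findings are only recorded, or block mode, where the strongest matching action is enforced. The internal mail domain, the contract-number format, and the sample messages are constructed for the example.

```python
"""Layered DLP rule evaluation with monitor/block modes.

Added example, not the post's own code. The internal domain, the
contract-number regex and the sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNAL_DOMAIN = "example-firm.com"            # assumed internal mail domain
CAD_EXTENSIONS = (".dwg", ".dxf")                 # CAD file types named in the post
CUI_KEYWORDS = re.compile(r"\b(CUI|PROPRIETARY|ITAR)\b")
# Assumed contract-number format: two letters, four digits, dash, four digits
CONTRACT_NUMBER = re.compile(r"\b[A-Z]{2}\d{4}-\d{4}\b")
SIZE_LIMIT = 50 * 1024                            # 50KB threshold from the post


@dataclass
class Attachment:
    name: str
    size_bytes: int
    text: str            # text extracted from the file (constructed here)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(msg: Message) -> List[Tuple[str, str, str]]:
    """Return (rule_id, attachment_name, recommended_action) for every rule that fires."""
    findings = []
    if not any(is_external(r) for r in msg.recipients):
        return findings          # these rules only concern external delivery
    for att in msg.attachments:
        if "PROPRIETARY" in att.text and att.size_bytes > SIZE_LIMIT:
            findings.append(("proprietary-over-50kb", att.name, "block"))
        if att.name.lower().endswith(CAD_EXTENSIONS) and CUI_KEYWORDS.search(att.text):
            findings.append(("cad-with-cui-keyword", att.name, "quarantine"))
        if CONTRACT_NUMBER.search(att.text):
            findings.append(("contract-number", att.name, "encrypt"))
    return findings


def enforce(msg: Message, mode: str = "monitor"):
    """Monitor mode records findings and delivers; block mode applies the strongest action."""
    findings = evaluate(msg)
    if mode == "monitor" or not findings:
        return "deliver", findings
    severity = {"block": 3, "quarantine": 2, "encrypt": 1}
    worst = max(findings, key=lambda f: severity[f[2]])
    return worst[2], findings


# Constructed sample messages for the example
SAMPLE_EXTERNAL = Message(
    "eng@example-firm.com", ["someone@mail.example.net"],
    [Attachment("bracket.dwg", 120 * 1024, "PROPRIETARY drawing, CUI, contract AB1234-5678")],
)
SAMPLE_INTERNAL = Message(
    "eng@example-firm.com", ["legal@example-firm.com"],
    [Attachment("bracket.dwg", 120 * 1024, "PROPRIETARY drawing, CUI")],
)

if __name__ == "__main__":
    print("monitor:", enforce(SAMPLE_EXTERNAL, "monitor"))
    print("block:  ", enforce(SAMPLE_EXTERNAL, "block"))
    print("internal:", enforce(SAMPLE_INTERNAL, "block"))
```

Running the same message through both modes is exactly the tuning loop above: during the monitor weeks the findings list is what you review for false positives, and only the rules that stay clean get promoted to block or encrypt.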
Step 4: Identity, device posture, and microsegmentation
Implement identity-aware controls and device authorization: integrate firewall policies with RADIUS/LDAP or an identity provider (e.g., Microsoft Entra) so rules reference user or device identity rather than just IP. Use Network Access Control (NAC) to prevent unmanaged devices from joining the CUI VLAN: enforce posture checks (OS patch level, disk encryption) and place failing devices into a remediation VLAN. For workloads on hypervisors or in the cloud, use microsegmentation (VMware NSX, Azure NSG + Azure Firewall, or AWS Security Groups + NACLs) to limit east-west traffic so that even if a host is compromised, its ability to reach CUI servers is constrained. Small businesses can achieve practical microsegmentation with strict host firewall baselines (Windows Defender Firewall rules or iptables) and by using cloud security groups to lock down server-to-server access.
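As an added example (not the post's code and not any NAC product's logic), the Python below shows the decision that Step 4 describes: VLAN placement keyed on user group and device posture rather than on source IP. A device that fails any posture check lands in a remediation VLAN regardless of who is logged in; a healthy device reaches the CUI VLAN only if the user is in the authorized group. The group name, the 30-day patch-age threshold, and the remediation VLAN id are assumptions, since the post does not specify them.

```python
"""Identity- and posture-aware VLAN assignment (NAC-style decision).

Added example, not the post's own code. The group name "cui-users", the
30-day patch threshold and the remediation VLAN id 900 are assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

CUI_VLAN = 50            # CUI servers VLAN from the post
WORKSTATION_VLAN = 20    # employee workstations VLAN from the post
REMEDIATION_VLAN = 900   # assumed id; the post names the VLAN but not its number
MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold
CUI_GROUP = "cui-users"  # assumed directory group of users cleared for CUI


@dataclass
class Device:
    managed: bool          # enrolled in MDM or domain-joined
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS patch was applied


@dataclass
class Session:
    user: str
    groups: Set[str]       # groups resolved from RADIUS/LDAP/IdP
    device: Device


def posture_failures(dev: Device) -> List[str]:
    """Every failed posture check, so the user can be told what to fix."""
    failures = []
    if not dev.managed:
        failures.append("unmanaged device")
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def assign_vlan(session: Session) -> Tuple[int, str]:
    """Posture is checked first: an unhealthy device never reaches CUI, whoever the user is."""
    failures = posture_failures(session.device)
    if failures:
        return REMEDIATION_VLAN, "remediation: " + "; ".join(failures)
    if CUI_GROUP in session.groups:
        return CUI_VLAN, "healthy device, user authorized for CUI"
    return WORKSTATION_VLAN, "healthy device, user not authorized for CUI"


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device(managed=True, disk_encrypted=False, patch_age_days=45)
    print(assign_vlan(Session("jdoe", {CUI_GROUP, "staff"}, healthy)))
    print(assign_vlan(Session("jdoe", {CUI_GROUP, "staff"}, stale)))
    print(assign_vlan(Session("guest1", {"staff"}, healthy)))
```

The ordering matters: evaluating posture before group membership is what stops an authorized user's unpatched or unencrypted laptop from becoming the path into the CUI VLAN.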
Step 5: Monitoring, logging, validation, and documentation
Log all relevant firewall decisions, DLP incidents, and NAC sessions to a central log collector or SIEM (Splunk, Elastic, or cloud-native offerings). Retain logs per your Compliance Framework policy and enable alerts for anomalous egress attempts or repeated DLP matches. Validate segmentation with active testing (nmap port scans from a workstation VLAN to a CUI server, lateral movement exercises, and simulated exfiltration tests). Document all configurations: VLAN diagrams, firewall rule sets (with rule justification), DLP policy definitions, and NAC posture requirements. These artifacts are essential evidence during assessments for AC.L2-3.1.3.
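The alerting half of Step 5, as an added example that is not the post's code: a Python script that reads firewall and DLP events and raises the two alert types named above, repeated denied egress attempts from one host and repeated DLP matches for one user, plus any denied attempt to reach the CUI subnet. The log lines are constructed in a simple key=value format for the example; real firewall and DLP exports differ and need their own parser. The internal address ranges and the alert thresholds are assumptions.

```python
"""Alert rules over firewall and DLP logs for anomalous egress and repeated DLP matches.

Added example, not the post's own code. The log format, the internal
ranges (RFC 1918 space the business uses) and the thresholds are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events (not real data); one key=value record per line
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01 type=fw action=deny src=192.168.20.15 dst=198.51.100.7 proto=tcp dport=25
ts=2024-05-01T09:00:03 type=fw action=deny src=192.168.20.15 dst=198.51.100.8 proto=tcp dport=25
ts=2024-05-01T09:00:05 type=fw action=deny src=192.168.20.15 dst=198.51.100.9 proto=tcp dport=25
ts=2024-05-01T09:01:00 type=fw action=allow src=192.168.20.15 dst=10.0.5.20 proto=tcp dport=443
ts=2024-05-01T09:02:00 type=fw action=deny src=192.168.100.9 dst=192.168.50.10 proto=tcp dport=445
ts=2024-05-01T09:10:00 type=dlp user=jdoe rule=proprietary-over-50kb action=block
ts=2024-05-01T09:12:00 type=dlp user=jdoe rule=cad-with-cui-keyword action=quarantine
ts=2024-05-01T09:15:00 type=dlp user=jdoe rule=proprietary-over-50kb action=block
ts=2024-05-01T09:20:00 type=dlp user=asmith rule=contract-number action=encrypt
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
CUI_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # CUI servers VLAN from the post
EGRESS_DENY_THRESHOLD = 3   # assumed: denied external connections per source host
DLP_REPEAT_THRESHOLD = 3    # assumed: DLP matches per user


def parse(line: str) -> Dict[str, str]:
    """Split one 'k=v k=v ...' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def alerts(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (alert_type, subject, count) tuples for the rules that fire."""
    denied_egress: Counter = Counter()
    cui_denies: Counter = Counter()
    dlp_by_user: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["type"] == "fw" and ev["action"] == "deny":
            if not is_internal(ev["dst"]):
                denied_egress[ev["src"]] += 1
            elif ipaddress.ip_address(ev["dst"]) in CUI_SUBNET:
                cui_denies[ev["src"]] += 1
        elif ev["type"] == "dlp":
            dlp_by_user[ev["user"]] += 1
    out = []
    for src, n in denied_egress.items():
        if n >= EGRESS_DENY_THRESHOLD:
            out.append(("repeated-denied-egress", src, n))
    for src, n in cui_denies.items():
        out.append(("denied-access-to-cui-vlan", src, n))   # a single attempt is worth a look
    for user, n in dlp_by_user.items():
        if n >= DLP_REPEAT_THRESHOLD:
            out.append(("repeated-dlp-match", user, n))
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOGS):
        print(a)
```

Because the firewall's deny decisions are themselves the evidence, the same log stream that feeds these alerts is what you hand an assessor to show the egress rules are actually enforced, which is why the post insists on logging every firewall decision rather than only the allowed flows.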
Practical compliance tips: apply least privilege and deny-by-default network posture; perform change control for any firewall/DLP policy changes; run quarterly reviews of rules to remove stale exceptions; automate backups of device configs; and include DLP/segmentation in incident response playbooks. For small shops, leverage managed services (MSSPs) or cloud vendor templates (Azure Blueprints, AWS Foundational Security) to accelerate safe configurations while keeping documentation in-house.
In summary, meeting AC.L2-3.1.3 requires a clear map of CUI flows, strict segmentation, tightly scoped firewall and egress rules, layered DLP, identity- and posture-aware access, and continuous monitoring with documented evidence. By combining these technical controls and following the practical steps above, tailored to your small business environment, you can substantially reduce the risk of CUI leakage and demonstrate compliance with the Compliance Framework during assessments.