Requirement
AC.L2-3.1.3 – Control the flow of CUI in accordance with approved authorizations.
This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.
Understanding the Requirement
This requirement expects you to define and enforce how Controlled Unclassified Information (CUI) moves within your environment and to external parties, only in ways you have explicitly approved. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, you must specify information flow policies, identify who and what can send/receive CUI, authorize approved channels (e.g., specific users, devices, locations, partner domains), and enforce protections like encryption when CUI leaves your tenant.
Policies and Procedures Needed
Publish an Information Flow Control Policy that defines CUI handling, approved transmission channels, and allowed recipients/partner domains. Include procedures for CUI classification and labeling, mandatory encryption for external transmission, external sharing approvals, and exceptions/waivers. Define authorized devices (managed and compliant), approved apps, and geographic/network access boundaries. Establish onboarding/offboarding steps for users and guests with CUI access, periodic access reviews for groups and external users, and monitoring/response procedures for DLP alerts and audit findings.
Technical Implementation in Microsoft 365
- Microsoft Purview Information Protection (Sensitivity Labels): Create a “CUI” label that applies encryption, content marking, and usage restrictions. Configure the label to allow only a designated Entra ID (Azure AD) security group (e.g., “CUI Authorized Recipients”) to access content. Publish a label policy that makes labeling mandatory for Outlook, Word, Excel, and PowerPoint, sets “CUI” as required for applicable users/sites, and requires justification to remove/downgrade labels.
- Exchange Online (Mail Flow) and Message Encryption: Create transport rules that detect the “CUI” label and automatically apply Microsoft Purview Message Encryption (OME) or require S/MIME. Add rules that block or quarantine outbound CUI email to non-approved domains while still allowing it to the approved partner domains. Require TLS for all external mail and reject messages if TLS is not negotiated.
- SharePoint Online/OneDrive for Business (External Sharing Controls): Use site-level sensitivity labels to designate CUI sites/libraries. For those sites, disable external sharing or restrict it to an allowlist of partner domains. Set default link type to “Specific people,” require link expiration, and disable “Anyone” links. For unmanaged devices, set SharePoint access to “Limited” and combine with Conditional Access “Use app enforced restrictions” to block download/print/sync for CUI content.
- Conditional Access (Entra ID): Require compliant devices and approved client apps to access Exchange Online, SharePoint, OneDrive, and Teams that handle CUI. Apply session controls to limit downloads from unmanaged devices. Block legacy authentication. Optionally limit access to trusted locations/geo for high-risk scenarios. Enforce MFA for all CUI-access roles and users.
- Intune (Endpoint and App Protection): Enforce device compliance (BitLocker, secure boot, OS version, firewall/AV status) and mark compliant devices. Apply App Protection Policies (MAM) to Office mobile apps to encrypt org data at rest, block save-to-personal storage, and restrict cut/copy/paste to managed apps only. Use configuration profiles to harden Office desktop apps (disable PST export and restrict add-ins where appropriate).
- Access Governance, Monitoring, and Alerts: Use Entra ID Access Reviews to periodically certify membership of the “CUI Authorized Recipients” group and any guest users in CUI-related teams/sites. Enable the Unified Audit Log and create alert policies for DLP matches, label changes, external sharing, and transport-rule hits. Review DLP incident reports in Purview and document response actions.
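The following PowerShell is an added example, not from the original page or from Microsoft, showing how the Exchange Online and SharePoint Online flow controls listed above can be scripted end to end. The label name “CUI”, the partner domains partner1.example and partner2.example, the CUI site URL and the SharePoint admin URL are placeholders assumed for illustration; the cmdlets and parameters are the standard ones from the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules.

```powershell
# Added example, not from the original page or Microsoft: configures the Exchange
# Online and SharePoint Online flow controls for a "CUI" sensitivity label.
# Assumed placeholders (replace for your tenant): the "CUI" label name, the
# partner allowlist, the CUI site URL and the SharePoint admin URL.
# Requires: ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell

$PartnerDomains = @("partner1.example", "partner2.example")   # assumed allowlist
$CuiSiteUrl     = "https://contoso.sharepoint.com/sites/CUI"   # assumed CUI site
$SpoAdminUrl    = "https://contoso-admin.sharepoint.com"       # assumed admin URL

# 1. Resolve the CUI label's GUID. Labeled mail carries an "msip_labels" header of
#    the form MSIP_Label_<GUID>_Enabled=true, where <GUID> is the label's ImmutableId.
Connect-IPPSSession
$cuiLabel       = Get-Label -Identity "CUI"
$cuiHeaderMatch = "MSIP_Label_$($cuiLabel.ImmutableId)_Enabled=true"

# 2. Exchange Online mail flow rules. Priority order matters: the reject rule runs
#    first so a CUI message is never encrypted and then delivered to a non-approved domain.
Connect-ExchangeOnline

# Rule 0: CUI-labeled mail to any external domain NOT on the allowlist is rejected.
New-TransportRule -Name "CUI - Block non-approved external domains" `
    -Priority 0 `
    -HeaderContainsMessageHeader "msip_labels" `
    -HeaderContainsWords $cuiHeaderMatch `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs $PartnerDomains `
    -RejectMessageReasonText "CUI may only be sent to approved partner domains." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 1: CUI-labeled mail that does leave the org (i.e. to a partner) gets Purview
#         Message Encryption through the built-in "Encrypt" rights-protection template.
New-TransportRule -Name "CUI - Encrypt outbound" `
    -Priority 1 `
    -HeaderContainsMessageHeader "msip_labels" `
    -HeaderContainsWords $cuiHeaderMatch `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt"

# Rule 2: all external mail must be delivered over TLS; delivery fails otherwise.
New-TransportRule -Name "Require TLS for external mail" `
    -Priority 2 `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundRequireTls $true

# 3. SharePoint Online: the CUI site may share only with the same partner allowlist.
#    ExternalUserSharingOnly removes "Anyone" links; Direct = "Specific people" links;
#    AllowLimitedAccess gives unmanaged devices browser-only access with no download.
Connect-SPOService -Url $SpoAdminUrl
Set-SPOSite -Identity $CuiSiteUrl `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($PartnerDomains -join " ") `
    -DefaultSharingLinkType Direct `
    -ConditionalAccessPolicy AllowLimitedAccess

# Tenant-wide: external users lose access unless re-granted within 30 days (assumed value).
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30

# 4. Read the rules back so the configuration can be evidenced for an assessor.
Get-TransportRule | Where-Object Name -like "CUI*" |
    Format-Table Name, Priority, State, SentToScope, ExceptIfRecipientDomainIs -AutoSize
```

The same $PartnerDomains list drives both the mail flow exception and the SharePoint allowlist, so the approved destinations exist in one place and the two channels cannot drift apart; a check that both still agree is a natural item for the periodic review described above.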
Example in a Small or Medium Business
A 120-person engineering firm supports a federal prime and handles CUI in designs and test results. IT creates a “CUI” sensitivity label with encryption that limits access to the “CUI Authorized Recipients” group and publishes a policy requiring labeling before sending email from the engineering and compliance teams. In Exchange Online, transport rules enforce OME when the “CUI” label is present and block mail to any external domain except two approved partners. SharePoint admins create a dedicated CUI site labeled “CUI,” turn off external sharing except for the two partner domains, and set “Specific people” links with expiration and blocked download from unmanaged devices. A Conditional Access policy requires compliant devices and approved Office apps for all CUI resources, while Intune ensures devices meet encryption and OS standards and applies App Protection to prevent saving CUI to personal storage. Monthly Entra ID Access Reviews confirm that only current staff and authorized partner users remain in the CUI groups, and Purview DLP alerts notify IT if someone attempts to email CUI to an unapproved recipient.
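The monitoring half of this scenario (rule hits, external sharing on the CUI site, label removals, and the membership fed into the monthly access review) can be pulled as a recurring evidence report. The script below is an added example, not from the original page or from Microsoft; the rule name, group name and site URL are placeholders assumed from the scenario, and it uses the standard ExchangeOnlineManagement and Microsoft.Graph cmdlets.

```powershell
# Added example, not from the original page or Microsoft: a 30-day evidence pull for
# the CUI flow controls. The rule name, site URL and group name are assumed placeholders.
# Requires: ExchangeOnlineManagement, Microsoft.Graph.Groups

$Start    = (Get-Date).AddDays(-30)
$End      = Get-Date
$CuiSite  = "https://contoso.sharepoint.com/sites/CUI"        # assumed CUI site
$CuiGroup = "CUI Authorized Recipients"                       # assumed group name
$CuiRule  = "CUI - Block non-approved external domains"       # assumed rule name

Connect-ExchangeOnline

# 1. Mail flow rule hits: each rejected message is an attempt to send CUI to an
#    unapproved recipient and should be triaged per the response procedure.
Get-MailDetailTransportRuleReport -StartDate $Start -EndDate $End -TransportRule $CuiRule |
    Select-Object Date, SenderAddress, RecipientAddress, Subject, Action |
    Sort-Object Date -Descending

# 2. External (guest) sharing events on the CUI site from the Unified Audit Log.
#    AuditData is a JSON string; parse it to filter on the site and target type.
Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType SharePointSharingOperation -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SiteUrl -like "$CuiSite*" -and $_.TargetUserOrGroupType -eq "Guest" } |
    Select-Object CreationTime, UserId, Operation, TargetUserOrGroupName, ObjectId

# 3. Label downgrades/removals: someone stripping the CUI label bypasses every
#    control keyed on it, so these events are reviewed individually.
Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations SensitivityLabelRemoved, SensitivityLabelUpdated -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations

# 4. Current membership of the CUI group, the input to the monthly access review.
Connect-MgGraph -Scopes "GroupMember.Read.All"
$group = Get-MgGroup -Filter "displayName eq '$CuiGroup'"
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName } |
    Sort-Object
```

Run it on the review cadence and keep the output with the access-review sign-off; together they show that the approved channels were enforced (rule hits), that sharing stayed inside the allowlist (audit events), and that the authorized-recipient set was re-certified (membership list).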
Summary
By combining clear policy (what is CUI, who may handle it, where it can go, and with what protections) with Microsoft 365 controls (labels and encryption, DLP, Conditional Access, Intune compliance, sharing restrictions, and ongoing reviews), you create defined and enforceable information flows. Designated sources and destinations are implemented via security groups, partner domain allowlists, and device compliance. Approved authorizations are embedded in sensitivity labels, mail flow rules, and site sharing policies, while enforcement occurs automatically across email, files, and devices with monitoring and alerting to prove compliance. Together, these measures meet AC.L2-3.1.3 by ensuring CUI only moves through approved channels and remains protected at rest and in transit.