NIST 800-171 R-3.1.3
Control the Flow of CUI
Official citation: 3.1.3
Class: core · Severity: high
Statement of the obligation — verify against source
3.1.3
What it means
Control where CUI is allowed to travel within and between systems, based on approved rules, separate from the question of who may access it. Flow controls include keeping export-controlled data off the open Internet, blocking outside traffic that pretends to be internal, and limiting transfers between organizations; they are enforced at boundary devices such as firewalls, gateways, routers, and proxies. Moving information across security domains adds risk, so define enforcement points and, where needed, one-way flows or trustworthy regrading mechanisms.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.