The Cybersecurity Maturity Model Certification (CMMC) practice AC.L2-3.1.3 requires defense contractors to control the flow of Controlled Unclassified Information (CUI). But what does this mean, exactly? Keep reading to learn more about what compliance with this CMMC practice entails.
CMMC Practice AC.L2-3.1.3: the Basics
According to the CMMC practice AC.L2-3.1.3, “Control CUI Flow,” companies within the Defense Industrial Base (DIB) must “Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.”
Let’s begin by unpacking the meaning of the different elements of the CMMC practice identification number:
- AC means that this practice belongs to the CMMC family Access Control
- L2 means that AC.L2-3.1.3 is required for CMMC Level 2 certification (and also for level 3, since CMMC is a cumulative model)
- 3.1.3 is the corresponding security requirement number in NIST SP 800-171 Rev 2, one of the origin documents for the Cybersecurity Maturity Model Certification (Level 3 practices draw their numbers from NIST SP 800-172 instead)
What Is Information Flow Control?
When it comes to CMMC, information flow control regulates where information can travel within a system and between systems (for example, between a computer and the internet).
In practice, most organizations control their information flow using two types of devices: firewalls and proxy servers.
A firewall is a security device or software whose primary function is to monitor and filter incoming and outgoing network traffic based on a set of predetermined rules.
Firewalls analyze small units of information (known as data packets) and determine whether to allow or block them based on these rules, typically using the source and destination addresses, the protocol, and the port.
A proxy server, on the other hand, sits between a device and the internet. When a device (known as the client) makes a request to access a website or other online resource, the request passes through the proxy server first. Because the proxy sees the request itself rather than just packet headers, it can enforce policy on the destination, inspect and filter the content (including blocking potentially malicious content), and log who requested what; it also hides the client's internal address from the outside.
Some information flow control measures that can be enacted using the technology described here include:
- Keeping export-controlled information from being transmitted in the clear to the internet
- Blocking outside traffic that claims to be from within the organization
- Restricting requests to the internet that are not from the internal web proxy server
- Limiting information transfers between organizations based on data structures and content
How To Comply With AC.L2-3.1.3
In order to verify that you meet the requirements of AC.L2-3.1.3, the CMMC assessor will use different methods (such as examination, interviews, and tests) to determine whether the following apply to your organization:
- Information flow control policies are defined
- Methods and enforcement mechanisms for controlling the flow of CUI are defined
- Designated sources and destinations (for example, networks, individuals, and devices) for CUI within the system and between interconnected systems are identified
- Authorizations for controlling the flow of CUI are defined
- Approved authorizations for controlling the flow of CUI are enforced
In most cases, all the above can be achieved through a combination of software and devices such as firewalls, proxy servers, and app-enforced restrictions. The specific configuration of these solutions will depend on factors such as your CMMC scope and the size of your network.
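As an added illustration (not part of the original article, and not a Brea Networks tool), the following Python policy engine models how the four flow-control measures listed earlier and the five assessment objectives above translate into concrete, enforceable rules: designated sources and destinations are declared as constants, the authorizations are the ordered rules in `decide()`, and enforcement is the verdict returned for each flow. All addresses, the proxy host, the partner network, and the sample flows are constructed (RFC 1918 and RFC 5737 documentation ranges); the CUI banner check is a simplified stand-in for a real content-inspection engine.

```python
"""Constructed example: a default-deny information-flow policy for a CUI enclave."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Designated sources and destinations (hypothetical addresses).
INTERNAL = ip_network("10.10.0.0/16")        # the CUI enclave
WEB_PROXY = ip_address("10.10.0.5")          # only host authorized to reach the internet on web ports
PARTNER_ORG = ip_network("198.51.100.0/24")  # approved external destination for CUI transfers
SFTP_PORT = 22
WEB_PORTS = (80, 443)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: bool           # True if the packet arrived on the outside interface
    cleartext: bool = True  # False for TLS/SSH; True for HTTP, plain SMTP, etc.
    payload: bytes = b""    # what a content-inspecting proxy sees (plaintext only)


def is_cui(payload: bytes) -> bool:
    """Simplified content rule: a CUI banner marking on the first line.

    32 CFR 2002 banner markings begin with "CUI" or "CONTROLLED" (e.g. "CUI//SP-EXPT");
    a real deployment would use a DLP engine with category-specific patterns.
    """
    banner = payload.split(b"\n", 1)[0].strip().upper()
    return banner.startswith(b"CUI") or banner.startswith(b"CONTROLLED")


def decide(f: Flow) -> tuple[str, str]:
    """Return (verdict, rule-name). First matching rule wins; unmatched traffic is dropped.

    Stateful return traffic is out of scope: this models policy for new connections only.
    """
    src, dst = ip_address(f.src), ip_address(f.dst)

    # 1. Anti-spoofing: traffic from outside must not claim an internal source address.
    if f.ingress and src in INTERNAL:
        return "DROP", "ingress-spoofed-internal-source"

    outbound_from_enclave = not f.ingress and src in INTERNAL

    # 2/3. Internet egress: web ports only, and only from the proxy; the proxy in turn
    #      refuses to send CUI in the clear (export-controlled data never leaves unencrypted).
    if outbound_from_enclave and dst not in INTERNAL and dst not in PARTNER_ORG:
        if f.dport not in WEB_PORTS:
            return "DROP", "egress-unapproved-port"
        if src != WEB_PROXY:
            return "DROP", "egress-web-not-via-proxy"
        if f.cleartext and is_cui(f.payload):
            return "DROP", "cui-cleartext-egress"
        return "ACCEPT", "proxy-web-egress"

    # 4. Inter-organization transfers: approved partner only, encrypted SFTP only.
    if outbound_from_enclave and dst in PARTNER_ORG:
        if f.dport == SFTP_PORT and not f.cleartext:
            return "ACCEPT", "partner-sftp"
        return "DROP", "partner-unapproved-channel"

    # 5. Traffic that stays inside the enclave is left to internal segmentation.
    if src in INTERNAL and dst in INTERNAL:
        return "ACCEPT", "intra-enclave"

    return "DROP", "default-deny"


# Constructed sample flows covering each rule.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.7", 445, ingress=False),                                # file share inside the enclave
    Flow("10.10.1.20", "203.0.113.9", 443, ingress=False, cleartext=False),             # workstation straight to the internet
    Flow("10.10.0.5", "203.0.113.9", 443, ingress=False, cleartext=False),              # same destination, via the proxy
    Flow("10.10.0.5", "203.0.113.9", 80, ingress=False, payload=b"GET /public HTTP/1.1"),  # harmless cleartext via proxy
    Flow("10.10.0.5", "203.0.113.9", 80, ingress=False, payload=b"CUI//SP-EXPT\nITAR drawing"),  # CUI in the clear
    Flow("10.10.1.20", "198.51.100.10", 22, ingress=False, cleartext=False),            # SFTP to the approved partner
    Flow("10.10.1.20", "198.51.100.10", 25, ingress=False),                             # plain SMTP to the partner
    Flow("10.10.1.99", "10.10.2.7", 445, ingress=True),                                 # outside packet forging an internal source
    Flow("203.0.113.9", "10.10.2.7", 3389, ingress=True),                               # unsolicited inbound RDP
]


def audit(flows=SAMPLE_FLOWS) -> list[tuple[str, str]]:
    """Evaluate every flow; the result doubles as evidence that the authorizations are enforced."""
    return [decide(f) for f in flows]


if __name__ == "__main__":
    for f, (verdict, rule) in zip(SAMPLE_FLOWS, audit()):
        print(f"{verdict:6} {rule:32} {f.src} -> {f.dst}:{f.dport}")
```

The split between rules is deliberate: a perimeter firewall only sees addresses and ports, so the "not via proxy" and anti-spoofing checks belong there, while the content rule can only run where plaintext is visible, which is the proxy (or a TLS-inspecting proxy). Keeping the rule names in the verdict gives the assessor a direct mapping from each block or allow in the logs back to the written authorization it enforces.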
Of course, every situation is unique and in some cases customized deployments or more complex architectural solutions are necessary. The good news is that at Brea Networks, LLC / CMMCCompliance.us we are fully equipped to create bespoke solutions to meet your CMMC compliance needs.
Contact us today to learn more about our services and discover why we are the CMMC compliance partner preferred by Small and Midsize Businesses (SMBs).
To learn more about this topic, read NIST SP 800-41, "Guidelines on Firewalls and Firewall Policy," and NIST SP 800-125B, "Secure Virtual Network Configuration for Virtual Machine (VM) Protection."
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063