Make sure CUI only moves to places it's allowed to go.
What it actually means
Information-flow control means CUI moves only along approved paths. In practice that means restricting where CUI can be sent or copied — blocking it from personal email, unapproved cloud storage, or USB — and enforcing those rules with boundary controls, DLP, or tenant restrictions. The point is that the movement of CUI is governed by policy, not left to chance.
Pass or fail — an assessor needs a "yes" to each
- Are there rules defining where CUI may and may not flow (email, cloud, removable media)?
- Are those rules enforced technically, not just written on paper?
What to have ready
- Information-flow / DLP policy
- Configuration enforcing flow restrictions (tenant rules, DLP, firewall)
Where teams trip up
- CUI freely copyable to personal email or consumer cloud
- Flow rules written down but never enforced
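Both assessor questions can be checked with a small script. The following is an added example, not part of the original page or of any product's tooling: it compares a written flow policy with what the enforcing control actually did, using constructed log records. The policy layout, field names, domains, tenant IDs and device serial are all hypothetical.

```python
"""Added example: audit constructed egress records against a CUI flow policy."""

# Hypothetical policy: approved CUI destinations per channel. A channel missing
# from this dict has no written rule; an empty set means "no CUI on this channel".
POLICY = {
    "email": {"contractor.example", "agency.example"},   # recipient domains
    "cloud": {"tenant-gov-01"},                          # approved tenant IDs
    "removable_media": set(),                            # USB: never
}
REQUIRED_CHANNELS = ("email", "cloud", "removable_media")

# Constructed sample log records (not real data). "action" is what the
# enforcing control (DLP, tenant restriction, firewall) actually did.
EVENTS = [
    {"id": 1, "channel": "email", "dest": "bob@agency.example", "label": "CUI", "action": "allowed"},
    {"id": 2, "channel": "email", "dest": "me@webmail.example", "label": "CUI", "action": "allowed"},
    {"id": 3, "channel": "cloud", "dest": "tenant-personal-77", "label": "CUI", "action": "blocked"},
    {"id": 4, "channel": "removable_media", "dest": "usb:SN-0042", "label": "CUI", "action": "allowed"},
    {"id": 5, "channel": "email", "dest": "me@webmail.example", "label": "public", "action": "allowed"},
]

def destination_key(event):
    """Reduce a destination to the value the policy is keyed on."""
    if event["channel"] == "email":
        return event["dest"].rsplit("@", 1)[-1].lower()
    return event["dest"]

def decide(event, policy=POLICY):
    """Policy decision for one event: 'permit' or 'deny' (default deny for CUI)."""
    if event["label"] != "CUI":
        return "permit"
    approved = policy.get(event["channel"])
    if approved is None:          # no written rule for this channel
        return "deny"
    return "permit" if destination_key(event) in approved else "deny"

def audit(events=EVENTS, policy=POLICY):
    """Return (channels with no rule, ids where policy denies but control allowed)."""
    missing = [c for c in REQUIRED_CHANNELS if c not in policy]
    unenforced = [e["id"] for e in events
                  if decide(e, policy) == "deny" and e["action"] == "allowed"]
    return missing, unenforced

if __name__ == "__main__":
    print(audit())
```

An empty first list means every channel has a written rule; any ID in the second list is a CUI transfer the policy forbids but the control let through, which is the "written down but never enforced" failure.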