CUI subcontractor transfer requirements under NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 require an organization to identify where CUI may travel, approve the sources and destinations, and technically enforce those approved paths. For AC.L2-3.1.3, a compliant response demonstrates that CUI cannot be sent to a subcontractor, cloud service, user device, network, or external recipient through unapproved channels and that approved internet transfers are encrypted.
What does AC.L2-3.1.3 require?
AC.L2-3.1.3 requires an organization to control the flow of CUI in accordance with approved authorizations. The practice is not satisfied by a general statement that employees must protect sensitive information. The organization must define permitted CUI flows, document who authorizes them, configure safeguards that enforce them, and retain evidence that the safeguards operate as intended.
For an RFP response, distinguish this practice from access control. Access control determines whether a person can open a file or application. Information flow control determines whether that CUI can move from one location to another: from a Microsoft 365 tenant to a subcontractor, from an internal enclave to the internet, from an engineering workstation to removable media, or from one connected system to another.
Which CUI sources, destinations, and transfer paths must be identified?
Identify every location from which CUI originates, every approved destination, and the method used to transfer it. Sources and destinations include people, groups, endpoints, systems, networks, cloud services, shared repositories, mobile devices, printers, and subcontractor environments. The inventory should cover both planned business workflows and technically possible paths that must be prohibited.
| CUI source | Approved destination | Approved method | Required enforcement |
|---|---|---|---|
| Microsoft SharePoint CUI site | Authorized subcontractor user | External sharing to named guest account | Microsoft Purview sensitivity label, MFA, guest restriction, download controls |
| CUI enclave workstation | Government customer portal | HTTPS upload using managed browser | TLS 1.2 or higher, conditional access, web proxy logging |
| Internal file repository | Approved subcontractor SFTP server | SFTP over SSH with named account | Firewall allowlist, key-based authentication, transfer logging |
| CUI application database | Internal reporting system | API over private network segment | Network segmentation, service-account restrictions, API audit logs |
A useful boundary is the CUI system boundary described in the organization’s System Security Plan (SSP). Flows within that boundary still need authorization when they cross security zones or systems. Flows outside the boundary, especially to subcontractors and external cloud services, require explicit scrutiny because the receiving environment must be authorized to receive and safeguard the CUI.
What are approved authorizations for CUI subcontractor transfer requirements?
An approved authorization is a documented business and security decision that permits a defined CUI flow. It should name the data category, originating system, receiving organization or system, transfer method, approving authority, safeguards, and expiration or review date. A blanket approval to “share files with partners” is not specific enough to show controlled flow.
Authorization may be captured in a subcontract, data-sharing agreement, task order, workflow approval, ticket, system configuration standard, or data flow register. The strongest approach combines those artifacts: contractual language establishes the subcontractor’s obligation, a transfer authorization records the business need, and technical configuration enforces the permitted route.
For example, Meridian Civic Systems, a 180-person IT and professional services contractor, supports a federal program using Microsoft 365 GCC High, Azure Government, and a segmented Fortinet firewall environment. Its proposal team needs to provide a CUI-bearing requirements traceability matrix to a 35-person subcontractor. The program manager opens a ServiceNow request identifying the file, subcontractor legal entity, two named recipients, SharePoint GCC High guest-sharing method, and task-order need. The information system security manager approves the request after confirming the subcontract includes applicable safeguarding language and the recipients have MFA-enabled managed accounts. The approval expires at task completion, and Purview prevents those recipients from forwarding, printing, or sharing the file externally.
How should technical controls enforce approved CUI flows?
Policy defines intent; technology prevents bypass. AC.L2-3.1.3 expects methods and enforcement mechanisms appropriate to the organization’s architecture. Common measures include network segmentation, firewalls, router access control lists, proxy servers, secure email gateways, data loss prevention, cloud sharing restrictions, endpoint controls, encryption, and centralized logging.
All CUI permitted to traverse the internet should be encrypted in transit. In practical terms, use TLS 1.2 or higher for web applications and portals, SFTP or SSH for managed file transfer, and approved encrypted email or secure collaboration capabilities when email is authorized. Do not approve consumer file-sharing platforms, personal email, unencrypted FTP, public links, or ad hoc removable-media transfers for CUI.
FortiGate policy example: CUI enclave to approved SFTP destination Source interface: CUI_VLAN_120 Destination interface: WAN Source address: CUI-SFTP-TRANSFER-SERVER Destination address: SUBK-SFTP-198.51.100.42 Service: TCP/22 Action: ACCEPT NAT: Enabled Log allowed traffic: All Sessions Schedule: BusinessHours-0600-2000 All other outbound traffic from CUI_VLAN_120: DENY and log
The configuration above is evidence only when it corresponds to an approved business flow. Firewall rules without an owner, review date, or documented purpose can create uncontrolled pathways rather than compliance.
How do policies and procedures support controlled CUI transfers?
Your information flow control policy should define CUI, approved transfer methods, prohibited channels, encryption expectations, roles, approval thresholds, subcontractor verification, monitoring, exception handling, and records retention. Supporting procedures should explain exactly how staff request a new flow and how administrators implement, test, review, and remove it.
For proposal writers, describe the operating model rather than merely naming a policy. Evaluators should be able to see who approves a transfer, how technical staff apply the decision, what logs demonstrate enforcement, and how the organization reacts when an attempted transfer violates policy.
What is the step-by-step implementation path for AC.L2-3.1.3?
- Define the CUI boundary. Identify systems, users, networks, applications, and repositories that create, store, process, or transmit CUI.
- Map current and required flows. Document CUI movement within the environment, between zones, to government systems, and to subcontractors or cloud services.
- Classify each flow. Mark each path as approved, prohibited, temporary, or requiring remediation. Record the business owner and CUI category.
- Set authorization criteria. Require confirmation of recipient need-to-know, contractual coverage, receiving-environment suitability, approved encryption, named users, and a defined end date.
- Configure enforcement controls. Implement firewall allowlists, proxy restrictions, conditional access, DLP policies, sharing limitations, endpoint controls, and encrypted transfer methods.
- Test permitted and denied paths. Verify that authorized users can complete approved transfers and that unauthorized domains, personal accounts, public links, and unauthorized devices are blocked or alerted.
- Collect operational evidence. Retain approvals, data flow diagrams, system configurations, screenshots, test results, and relevant audit logs.
- Review and revoke. Review active flows at least annually and upon contract changes, personnel departures, subcontractor changes, or system migrations.
What evidence should an RFP response include for this control?
Provide evidence that connects policy, authorization, enforcement, and verification. A concise control narrative can state that the organization maintains a CUI flow register, approves external transfers through a documented workflow, restricts outbound traffic using firewalls and proxies, applies encryption for internet transmission, and reviews configurations and authorizations on a defined cadence.
A second worked example is a 90-person consulting firm using Jira Cloud Enterprise, Box Enterprise, and a managed Palo Alto Networks firewall. The firm prohibits CUI in Jira attachments because its approved CUI repository is Box Enterprise with customer-managed encryption keys and named external collaboration. Its DLP policy blocks uploads of files labeled CUI//SP-PROPIN to Jira, personal webmail, Dropbox, and Google Drive. When a subcontractor needs a deliverable, the delivery manager requests a Box folder invitation for named personnel; the subcontractor receives read-only access, MFA is required, and Box activity logs are reviewed monthly. That workflow shows both an approved path and active prevention of unauthorized alternatives.
AC.L2-3.1.3 compliance checklist
- Document the policy governing CUI flow control and encrypted external transmission.
- Maintain a current inventory of CUI sources, destinations, systems, networks, and connected services.
- Map internal, external, cloud, government, and subcontractor CUI flows.
- Define approved and prohibited transfer methods.
- Require documented authorization before enabling a new external CUI flow.
- Verify subcontractor eligibility, contractual obligations, named recipients, and need-to-know.
- Configure firewalls, proxies, DLP, sharing controls, and endpoint restrictions to enforce approved paths.
- Encrypt CUI sent across the internet using approved protocols and services.
- Log transfer activity and retain evidence of approvals, configurations, and periodic reviews.
- Test that unauthorized channels are blocked and remove access when a task order or relationship ends.
Frequently asked questions about CUI flow control
Does AC.L2-3.1.3 require a separate authorization for every CUI file sent to a subcontractor?
Not necessarily. An authorization may cover a recurring, well-defined workflow if it identifies the approved data type, systems, recipients, method, safeguards, owner, and review period. Higher-risk or unusual transfers should receive transaction-specific approval.
Can we send CUI to a subcontractor by email?
Only if email is an approved and technically protected flow. The organization should require encrypted transmission, approved recipient domains or named accounts, access controls, logging, and contractual confirmation that the subcontractor can safeguard the CUI. Personal email and unencrypted email are not acceptable CUI transfer paths.
Is a firewall enough to meet NIST 800-171 AC.L2-3.1.3?
No. A firewall is one enforcement mechanism. The practice also requires defined policies, identified sources and destinations, approved authorizations, and evidence that controls enforce the authorized flows. Cloud collaboration, email, endpoint, and user-to-user transfer paths also require control.
Do subcontractors need access to our CUI enclave?
No. A subcontractor may receive CUI through a separately authorized collaboration space, secure portal, managed SFTP service, or other controlled method. The selected path should provide only the access required for the work and should not expose the broader enclave.
What logs should we retain for CUI transfer authorization?
Retain approval tickets or records, firewall and proxy logs, secure file-transfer logs, cloud sharing audit logs, DLP alerts, configuration change records, and evidence of periodic review. Retention periods should align with contractual, legal, and organizational records requirements.
Next step: Before submitting your RFP response, map each promised subcontractor CUI exchange to a named authorization, technical enforcement point, and evidence artifact in your SSP.