Data Flow Mapping for CMMC Level 2: Why Mapping CUI Flow Determines Your Entire Compliance Strategy

If you can’t see where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) travel in your workflows, you can’t scope your obligations—period. This data flow mapping guide gives you a clear, repeatable way to map data flows, define system boundaries, and stop misclassification before it derails your contract.

Executive Summary

  • Controlling how CUI flows inside and outside your environment determines scope, architecture, tooling, and cost.
  • Design a focused CUI enclave so requirements only follow where CUI actually goes, reducing complexity and spend.
  • Document, enforce, and evidence approved flow paths to satisfy AC.L2-3.1.3 and pass a CMMC Level 2 assessment.

1. Introduction: Data Flow—the Most Underestimated Requirement

Organizations that pass CMMC Level 2 know exactly where CUI is allowed to go and can prove it never goes anywhere else. Information flow control is not just another checkbox—it shapes your boundary, controls, and cost.

2. What “Data Flow Control” Means in CMMC (AC.L2-3.1.3)

The requirement reads: “Control the flow of CUI in accordance with approved authorizations.” Assessors expect to see:

  • Defined information flow control policies;
  • Defined enforcement mechanisms;
  • Designated sources and destinations for CUI;
  • Defined authorizations for CUI flow;
  • Consistent enforcement of those authorizations.

3. Why Data Flow Mapping Determines Scope (and Cost)

  • Wherever CUI goes, the requirements follow; wherever CUI does not go, they do not.
  • Minimize where CUI flows by designing a tight enclave to reduce cost, complexity, and certification burden.

4. Real‑World CUI Flow Examples

Engineering contractor handling CAD files

  • Receives via DoD SAFE; downloads into secure enclave storage; accesses via VDI; returns through DoD SAFE.
  • Map storage → VDI → rendering engines → encrypted transmission.

Services subcontractor handling performance reports

  • Receives via encrypted email; stores in secure SharePoint enclave; shares with PMs and primes; archives per retention.
  • Prevent leakage to general tenants, personal devices, or unapproved tools.

Prime contractor distributing CUI to subcontractors

  • Flow down DFARS 252.204‑7012 to all subs and verify NIST 800‑171 implementation before sharing CUI.
  • Map all external flows and authorizations to subs and government portals.

5. What C3PAOs Look For in CUI Data Flow Mapping

  • Complete CUI flow documentation (diagram + narrative).
  • Accurate system boundary: every system that stores/processes/transmits CUI is in scope.
  • Configured transfer paths match actual implementations (no shadow IT).
  • Enforcement mechanisms (firewalls, proxies, DLP, etc.) match policy and are evidenced.

6. Technologies Used to Enforce Flow Control

  • Firewalls to block unauthorized inbound/outbound traffic.
  • Proxy servers to restrict and broker web access paths.
  • Encrypted tunnels/VPNs for remote or inter‑organizational flows.
  • Boundary protection devices (routers, guards, gateways).
  • Content filtering/DLP and metadata validation.

7. Build an Accurate CUI Data Flow Map (Step‑by‑Step)

  1. Identify intake points (e.g., DoD SAFE, encrypted email, portals, SFTP, physical media).
  2. List systems that process/store/transmit CUI (e.g., GCC High/Azure Gov/AWS GovCloud, secure file servers, approved tools).
  3. Identify authorized users and roles.
  4. Map internal flows: ingest → repository → users/tools → exports → archive → IR pipeline.
  5. Map external flows: subcontractors (with flow‑downs), government deliverables, cloud services (FedRAMP Mod‑equivalent).
  6. Document enforcement on each arrow: firewall, proxy, DLP, access control, encryption, authentication.
  7. Validate evidence against AC.L2‑3.1.3 assessment objectives.
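One way to turn the steps above into a checkable artifact, as an added example that is not from the article: a small Python model of the section 7 map (systems with zones, flows with the enforcement documented on each arrow) plus the consistency checks an assessor applies from sections 5 and 9. The system names, zone labels and control labels are constructed sample data, not a real environment.

```python
from dataclasses import dataclass
ENCRYPTED = {"tls", "vpn", "sftp", "dod_safe"}  # controls that encrypt the arrow in transit
@dataclass(frozen=True)
class System:
    name: str
    zone: str                  # "enclave"/"corporate" are ours; "partner"/"government" are external
    in_boundary: bool = False  # listed in the SSP system boundary (meaningful for our zones only)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    authorized: bool                   # approved in the information flow control policy
    controls: frozenset = frozenset()  # enforcement documented on this arrow, e.g. {"tls", "dlp"}

def validate_flow_map(systems, flows):  # returns assessor-style findings; empty list = consistent map
    by_name = {s.name: s for s in systems}
    findings = []
    for f in flows:
        arrow = f"{f.src}->{f.dst}"
        if f.src not in by_name or f.dst not in by_name:
            findings.append(f"{arrow}: endpoint missing from the system inventory (shadow IT?)")
            continue
        src, dst = by_name[f.src], by_name[f.dst]
        for s in (src, dst):  # every owned system that touches CUI belongs in the boundary
            if s.zone in ("enclave", "corporate") and not s.in_boundary:
                findings.append(f"{arrow}: {s.name} handles CUI but is outside the SSP boundary")
        if not f.authorized:
            findings.append(f"{arrow}: flow has no approved authorization")
        if not f.controls:
            findings.append(f"{arrow}: no enforcement mechanism documented")
        if src.zone != dst.zone and not (f.controls & ENCRYPTED):
            findings.append(f"{arrow}: leaves the {src.zone} zone unencrypted")
        if src.zone == "enclave" and dst.zone == "corporate":
            findings.append(f"{arrow}: CUI flows from the enclave into the general tenant")
    return findings

SAMPLE_SYSTEMS = [  # constructed sample map with a few deliberately broken arrows
    System("dod_safe", "government"),
    System("enclave_fileserver", "enclave", in_boundary=True),
    System("backup_agent", "enclave"),       # automated flow nobody scoped
    System("corp_sharepoint", "corporate"),  # general tenant outside the enclave
    System("sub_portal", "partner"),
]
SAMPLE_FLOWS = [
    Flow("dod_safe", "enclave_fileserver", True, frozenset({"dod_safe", "firewall"})),
    Flow("enclave_fileserver", "backup_agent", True),                         # nothing on the arrow
    Flow("enclave_fileserver", "corp_sharepoint", False, frozenset({"tls"})),  # unauthorized leak
    Flow("enclave_fileserver", "sub_portal", True, frozenset({"proxy"})),     # external, unencrypted
]
```

Running `validate_flow_map(SAMPLE_SYSTEMS, SAMPLE_FLOWS)` yields one finding per broken property, so the same checks can be re-run whenever the SSP or the diagram changes.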

8. CUI Data Flow Mapping Diagram (Reference)

The following visual shows authorized CUI pathways and enforcement overlays at each boundary:

Line‑art CUI data flow diagram showing Partner, Enclave, and Government zones with labeled pathways, controls, and a workstation displaying a flow map.

9. Practical Enforcement Examples

  • Prevent export‑controlled CUI from leaving the enclave unencrypted.
  • Block outside traffic masquerading as internal traffic (strict egress control).
  • Force all web access through an internal proxy; no direct outbound browsing.
  • Limit transfers based on content, metadata, or classification.

10. Documentation Required + Assessor Checklist

Artifact / Activity | Ready? (☐/☑)
Access control policy with information flow sections | ☐
Information flow control policy | ☐
System Security Plan (SSP) updated with flow details | ☐
System design documentation (architecture + boundaries) | ☐
Configuration settings showing enforcement details | ☐
Audit logs demonstrating blocked/denied flows | ☐
List of authorized CUI sources and destinations | ☐
Interview readiness: admins, network engineers, developers, ISSM/security | ☐
Test readiness: firewall/proxy enforcement, DLP triggers, access log reviews | ☐

11. Common Mistakes to Avoid

  • Mapping workflows instead of data flows—map what the data does.
  • Forgetting automated flows like indexing, backup, sync engines, AV uploads.
  • Assuming cloud platforms are automatically compliant; verify FedRAMP Moderate equivalency under DFARS 252.204‑7012.
  • Not controlling subcontractor flows; primes must flow down requirements and verify 800‑171.
  • Failing to document enforcement mechanisms with evidence, not just diagrams.

12. The Bottom Line

Data flow control is the backbone of CMMC Level 2.
If you can’t demonstrate clear, enforced, authorized CUI flows, you cannot pass your assessment — no matter how good your other controls are.

You need:

  • A tight CUI enclave
  • A precise data flow map
  • Documented policies and mechanisms
  • Consistent enforcement
  • Evidence aligned to AC.L2‑3.1.3 assessment objectives

Do this right, and everything else becomes easier.
Do it poorly, and compliance becomes expensive — or impossible.

Conclusion

Controlling and documenting the flow of CUI is not just another CMMC requirement—it is the architectural foundation of your entire compliance program. When you understand exactly where CUI enters, moves, is processed, and leaves your environment, every other control becomes more predictable, more defensible, and dramatically less expensive to implement.

Organizations that succeed at CMMC Level 2 aren’t the ones with the flashiest tools—they’re the ones with disciplined data flow mapping, clear boundaries, tight enforcement mechanisms, and rock‑solid evidence that aligns to AC.L2‑3.1.3. When you master CUI flow, you master scoping. And when you master scoping, you control cost, complexity, and risk across your entire enterprise.

CUI doesn’t move without your authorization—or your visibility. That’s the mark of a mature defense contractor.

Call to Action

If you want to stop guessing about scope, eliminate hidden compliance risks, and design a defensible CUI enclave that assessors will trust:

Schedule a Data Flow Mapping Workshop with our compliance team.
We’ll walk you step‑by‑step through mapping your CUI intake points, internal flows, enforcement paths, and boundary controls—so you know exactly what’s in scope and why.

Need help building your CUI enclave?
We’ll design a secure, compliant architecture aligned to NIST 800‑171 and CMMC Level 2 requirements.

Want a readiness review before your assessment?
We provide evidence validation, enforcement testing, and gap remediation to ensure nothing gets overlooked.

Get clarity. Reduce scope. Pass the assessment.
Start with your CUI flow—and everything else will fall into place.

About the Author

Daniel Ihonvbere, CISM, CISSP, specializes in CMMC, NIST 800‑171, and DFARS‑aligned security programs for SMBs in the DIB. He focuses on clear governance, defensible evidence, and audit‑ready practices that teams can sustain year‑round.

Connect with Daniel on LinkedIn for CMMC insights | www.techprognosis.com


Disclaimer

This content is for general education and awareness only. Daniel and Tech Prognosis are not a C3PAO, CCP, or CCA and do not provide certification or assessment services. For official certification decisions, organizations must engage an authorized Cyber‑AB C3PAO and follow the CMMC Assessment Process (CAP).
