Evidence – AC.L2-3.1.19
Control the Flow of CUI in Accordance with Approved Authorizations
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.19, which requires the organization to control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Approved methods for sharing CUI are defined
- CUI is not transmitted to unauthorized users or systems
- Technical controls restrict unauthorized data flows
Evidence Artifacts
1. Approved CUI Sharing Controls
Evidence demonstrating controlled CUI flow may include:
- Configuration restricting external sharing of files containing CUI
- Controls preventing CUI transfer to personal or unmanaged services
- Enforcement of approved collaboration and storage locations for CUI
Examples of acceptable sources:
- Microsoft 365 GCC High external sharing restrictions (SharePoint, OneDrive, Teams)
- Microsoft Purview or information protection sharing controls
- Google Workspace Admin Console Drive sharing and external access settings
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
CUI flow controls must ensure that CUI is shared only using approved, authorized methods and destinations.