Wireframe In Progress

Compliance Posture

Round 1 · Created 2026-05-23 · Section: Decide · Compliance · Product: Ultra v1 (conceptual)
Desktop
Decide · Compliance · NIST 800-171 3.1.3 — Control flow of CUI
Overall · NIST 800-171
94.2%
+1.2pp vs last assess
Controls satisfied
94 / 100
3 new this cycle
Partial
3
action required
Violated
3
2 critical · 1 high
Last assessment
4h ago
auto · daily
Frameworks
5 loaded
NIST 800-171 r3 33100
3.1 · Access control 122
3.1.3 · CUI flow control 1·
3.2 · Awareness & training 3
3.3 · Audit & accountability 9
3.4 · Configuration mgmt 9
3.5 · Identification & auth 111
3.6 · Incident response 3
3.7 · Maintenance 6
3.8 · Media protection 9
3.9 · Personnel security 2
3.10 · Physical protection 6
3.11 · Risk assessment 3
3.12 · Security assessment 4
3.13 · System & comm. protection 216
3.14 · System integrity 7
NERC CIP v6 245
PCI-DSS 4.0 252
ISO 27001:2022 (A.13) 12
CIS Controls v8 118
Controls · NIST 800-171 / 3.1
22
All | Violated 1 | Partial 1 | Satisfied 20
3.1.1 | Limit system access to authorized users | access control · 2 zones | Satisfied
3.1.2 | Limit functions to authorized roles | RBAC · admin / analyst | Satisfied
3.1.3 | Control flow of CUI per approved authorization | violated · gap-241 referenced | Violated
3.1.4 | Separate duties of individuals | RBAC + zone segregation | Satisfied
3.1.5 | Principle of least privilege | 22 rules · 0 excessive | Satisfied
3.1.6 | Non-privileged for non-security functions | user/server separation enforced | Satisfied
3.1.7 | Prevent non-privileged from privileged functions | partial · 1 audit log gap | Partial
3.1.8 | Limit unsuccessful logon attempts | enforced · 5 attempts / 15min | Satisfied
3.1.9 | Privacy & security notice banner | enforced · all zones | Satisfied
3.1.10 | Session lock with pattern-hiding display | enforced · 15 min idle | Satisfied
3.1.11 | Terminate session after inactivity | enforced · 30 min idle | Satisfied
3.1.12 | Monitor & control remote access | VPN zone · MFA enforced | Satisfied
NIST 800-171 r3 · 3.1.3

Control flow of CUI per approved authorization

Status · violated
5 zones in scope
7 evidence rules
1 gap referenced · gap-241
last assessed 4h ago

Statement

NIST SP 800-171 rev 3 · 2023

Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations. Information flow control regulates where information can travel within an organizational system and between systems based on characteristics of the information and the path. Enforcement occurs at boundary devices through rules that compare information sources, destinations, and content.

Properties

6 attributes
family: 3.1 — Access Control
priority: High (foundation control)
CUI categories: All · default
audit cycle: Quarterly
last assessed: 2026-05-23 · auto
cross-mapped: CIS 13.6 · ISO A.13.1.3 · PCI 1.2

Evidence · what satisfies (or violates) this control

7 evidence items · 1 gap
Zone | SERVER zone defines inbound policy from DMZ | trust 75 · policy id zp-204 | model · zones.yaml
Policy | Default-deny from DMZ → SERVER (except :443) | restricts CUI inbound paths | model · policy-014
Rule | core-fw-01 rule 140 · allow tcp DMZ → SERVER :443 | enforces approved HTTPS path | discover · core-fw-01
Rule | core-fw-01 rule 141 · allow tcp DMZ → SERVER :80 | enforces approved HTTP path | discover · core-fw-01
Gap | core-fw-01 rule 142 · allows DMZ → :3306 | VIOLATION · CUI flow unauthorized · gap-241 | discover · violates policy-014
Rule | core-fw-01 rule 143 · default deny SERVER inbound | backstop | discover · core-fw-01
Policy | SERVER → DMZ egress · deny by default | restricts CUI outbound paths | model · policy-018

In scope — affected zones

5 zones · trust ≥ 50
SERVER | trust 75 · 3 devices | 1 gap
SERVER-2 (DR) | trust 75 · 2 devices | Satisfied
ADMIN | trust 100 · 2 devices | Satisfied
USER (corp) | trust 50 · 3 devices | Satisfied
USER-2 (branch) | trust 50 · 2 devices | Satisfied

Remediation

1 CR drafted
CR-186 · auto-generated · pending CISO approval
Modify core-fw-01 rule 142 · close MySQL exposure from DMZ
on push + verify → control reverts to satisfied