If a CUI flow diagram feels fuzzy, the whole compliance story feels fuzzy. In Microsoft 365, I want a diagram that shows where Controlled Unclassified Information enters, where it moves, who can touch it, and what controls follow it. That is what makes a CMMC Level 2 template useful instead of decorative.
As of March 2026, CMMC Level 2 still maps to the 110 NIST SP 800-171 Rev 2 requirements, and C3PAO assessments are becoming the default path for most contracts involving CUI. What follows is educational guidance and a practical template approach, not legal or certification advice.
What the diagram needs to prove in Microsoft 365
When I map CUI in Microsoft 365, I don’t start with icons. I start with the system boundary. That includes the tenant, endpoints, mobile devices, admin workstations, backup or archival tools, SIEM/SOAR platforms, and outside vendors that can receive, store, process, or transmit CUI.
Next, I mark trust boundaries. A managed laptop enrolled in Intune sits on one side. A supplier portal, third-party archive, or unmanaged phone sits on another. If CUI crosses that line, I document the path, the control, and the business reason.
For each flow, I show the source, destination, workload, authentication path through Microsoft Entra ID, MFA requirement, encryption in transit, encryption at rest, and logging location. I also identify administrative access, including privileged roles in Exchange Online, SharePoint Online, Teams, OneDrive, and connected security tooling. That detail has to match the SSP, which is why a practical SSP guide is worth reviewing while you draft.

A solid data flow diagram guide makes the same point. The picture only helps when movement and scope are obvious.
If a person, device, app, or vendor can touch CUI, I put it on the diagram.
That usually means email in Exchange Online, collaboration in Teams, storage in SharePoint and OneDrive, endpoint sync, mobile access, alerting, export paths, and any supporting Secure Cloud Architecture controls tied to Endpoint Security and Device Hardening.
The fields I put in every CMMC Level 2 template
Before I fill out the template, I verify what counts as CUI and where it actually lives. That sounds basic, but weak tagging creates weak diagrams. I’ve found this overview of identifying CUI in Microsoft 365 useful for that first pass.
My template includes these fields:
- Flow ID and name: A simple label for each movement of CUI.
- CUI type or label: The marking, category, or handling note tied to the data.
- Source: User, device, mailbox, Team, site, app, or external system where the flow begins.
- Destination: The exact Microsoft 365 workload, endpoint, vendor, or archive where it lands.
- Action: Send, upload, sync, share, view, export, back up, or restore.
- Ingress or egress point: Where CUI enters or leaves the boundary.
- Trust boundary crossed: Managed to unmanaged, tenant to vendor, user to admin path, or internal to external.
- Authentication path: Entra ID, MFA, Conditional Access, service account, or privileged access workflow.
- Protection method: TLS, service encryption, DLP, app protection, device compliance, BitLocker, or session controls.
- Logging and alerting: Unified audit log, Defender, Sentinel, SIEM/SOAR, and alert owner.
- Admin access path: Who can administer the workload, how they connect, and what approval applies.
- Evidence reference: Policy, screenshot, config record, ticket, or SSP section that backs up the flow.
That’s the checklist I rely on because a diagram without metadata turns into guesswork. If OneDrive sync copies CUI to a laptop, the endpoint becomes part of the story. If a mobile app opens the same file, that mobile control path belongs there too. The template should make those facts easy to trace during interviews and document review.
A simple Microsoft 365 CUI flow, with the details assessors look for
Here’s a plain-text scenario I use when I need a quick sample:
- An engineer on a managed laptop signs in through Entra ID with MFA and creates a CUI file.
- The engineer sends a Teams message with a SharePoint link, rather than attaching the file to email.
- The recipient opens the file in SharePoint Online, then discusses changes in Teams.
- OneDrive sync makes an approved copy available on a compliant endpoint; local encryption and device policy apply.
- A manager reviews the file from an enrolled mobile device with app protection, while download to personal storage stays blocked.
- A backup platform archives the SharePoint and Exchange content; its service account, retention path, and encryption settings go on the diagram.
- Audit events and alerts feed Microsoft Sentinel or another SIEM/SOAR platform.
- An external vendor receives a limited export through an approved encrypted channel, and that egress path is logged.

I also annotate the admin path. That means break-glass accounts, privileged roles, PIM or approval steps, and any MSP or MSSP access. This CCA perspective on CMMC data flow diagrams reinforces a point I agree with: the diagram should explain normal business movement, not just technical plumbing.
For teams buying Small Business IT or Managed IT for Small Business, this work supports daily Cloud Management and practical Technology Consulting. It also helps with Cloud Infrastructure, Office 365 Migration, aging Data Center Technology, Infrastructure Optimization, Cybersecurity Services, and broader Digital Transformation. If another business unit uses Restaurant POS Support or Kitchen Technology Solutions, I keep those tools outside the CUI boundary unless a real flow exists. That’s what I expect from a Business Technology Partner offering Tailored Technology Services, clear IT Strategy for SMBs, Business Continuity & Security, and truly Innovative IT Solutions.
When I finish a diagram, every arrow answers four things: who moved the data, where it went, how it was protected, and what evidence proves it. That’s the value of a strong CMMC Level 2 template. If one path is vague today, I fix it before an assessor, prime contractor, or customer asks about it.
