Access Control 3.1.20

Verify and control/limit connections to and use of external systems.


What Is This CMMC Control?

This control requires organizations to verify that external systems (like contractor laptops, personal devices, cloud services, or partner networks) meet minimum security standards before allowing them to connect to or access systems that process CUI. Organizations must establish clear rules about what external systems can do, verify those systems have appropriate security controls, and limit connections based on documented terms and conditions.

Control Intent

To prevent unauthorized or insecure external systems from compromising CUI by ensuring that any system connecting to or processing organizational CUI meets minimum security requirements, regardless of whether the organization directly controls that system.

Who This Control Applies To

  • Organizations that allow contractors, partners, or vendors to connect their own devices or systems to organizational networks
  • Organizations using cloud services (IaaS, PaaS, SaaS) to process, store, or transmit CUI
  • Organizations with remote workers using personal devices or home networks to access CUI
  • Organizations with multiple internal systems where some process CUI and others do not
  • Organizations that allow access from partner or coalition networks
  • Organizations using third-party managed services or outsourced IT functions
  • Any system boundary where external entities need access to CUI

Not Applicable When

  • The organization has no external connections of any kind (completely air-gapped with no cloud services, no remote access, no contractor access)
  • All systems and devices are owned, managed, and directly controlled by the organization with no exceptions
  • No CUI is processed, stored, or transmitted on any organizational system

Key Objectives

  1. Establish and document terms and conditions for external system connections that specify security requirements and acceptable use limitations.
  2. Verify that external systems implement required security controls before allowing connections to systems processing CUI.
  3. Control and limit what external systems can access and what activities they can perform when connected to organizational systems.
  4. Ensure external systems used for CUI processing, storage, or transmission meet the same security standards as internal systems.

Sample Self-Assessment Questions (Partial)

Do contractors, vendors, or partners connect their own devices or systems to your network?

Do employees access work systems from personal devices or home computers?

Implementation Approaches (High-Level)

Network Access Control (NAC) with Device Posture Checking

Deploy a NAC solution that verifies device security posture before granting network access, enforcing the documented security requirements for external systems.

Conditional Access Policies for Cloud Services

Implement cloud provider conditional access policies that verify device compliance and limit external system access to cloud-hosted CUI based on security posture.

Vendor/Contractor Security Agreements with Technical Verification

Establish formal agreements with external system owners specifying security requirements, verified through third-party assessment, attestation, or technical validation before allowing connections.

Remote Access Gateway with Application-Level Control

Deploy a remote access solution that authenticates external systems and limits access to specific approved applications rather than granting full network access.

Cloud Access Security Broker (CASB) for SaaS Control

Deploy a CASB solution to monitor, control, and verify the security of external cloud services used to process CUI, enforcing data protection policies.

Mobile Device Management (MDM) for BYOD

Implement MDM solution to verify and enforce security controls on personal devices used to access CUI, with containerization separating work and personal data.

Internal System Segmentation for CUI Boundaries

Implement network segmentation and access controls treating non-CUI internal systems as external to CUI systems, limiting cross-boundary connections.
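The approaches above share one mechanism: a device or service presents evidence of its security posture, that evidence is compared against the organization's documented requirements, and the result determines whether a connection is allowed and how much it can reach. The Python below is an added illustration of that decision logic; it is not code from this page or from any NAC, MDM, or conditional access product. The attribute names, the two access tiers, the 24-hour attestation window, and the sample device reports are all hypothetical. It fails closed: a control the agent could not verify is treated as absent, and a stale report is rejected outright.

```python
# Added illustration (not from the page or any vendor product): a policy-driven
# posture check that decides whether an external device may connect and what
# scope it receives. Attribute names, tiers and sample devices are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Documented terms and conditions expressed as data. Tiers are ordered from
# most to least privileged; the first tier whose extra checks all pass wins.
POLICY = {
    "max_attestation_age": timedelta(hours=24),
    "baseline": {            # every external device must positively satisfy these
        "disk_encrypted": True,
        "edr_running": True,
        "os_supported": True,
    },
    "tiers": [               # (scope name, additional requirements)
        ("cui-fileshare", {"mdm_enrolled": True, "screen_lock": True}),
        ("web-app-only", {}),
    ],
}


@dataclass
class PostureReport:
    """What the NAC agent, MDM, or conditional-access signal reported."""
    device_id: str
    attested_at: datetime
    attributes: Dict[str, Optional[bool]] = field(default_factory=dict)


@dataclass
class Decision:
    allow: bool
    scope: Optional[str]
    reasons: List[str]


def unmet(requirements: Dict[str, bool], attrs: Dict[str, Optional[bool]]) -> List[str]:
    """Names of requirements not positively satisfied. A missing or None
    attribute counts as unmet: an unverifiable control is treated as absent."""
    return sorted(k for k, want in requirements.items() if attrs.get(k) is not want)


def evaluate(report: PostureReport, policy=POLICY, now: Optional[datetime] = None) -> Decision:
    """Fail-closed evaluation: a stale attestation or any baseline gap denies;
    otherwise the device gets the most privileged tier it fully satisfies."""
    now = now or datetime.now(timezone.utc)
    age = now - report.attested_at
    if age < timedelta(0) or age > policy["max_attestation_age"]:
        return Decision(False, None, [f"attestation stale or clock skew (age {age})"])
    gaps = unmet(policy["baseline"], report.attributes)
    if gaps:
        return Decision(False, None, ["baseline unmet: " + ", ".join(gaps)])
    reasons: List[str] = []
    for scope, extra in policy["tiers"]:
        gaps = unmet(extra, report.attributes)
        if not gaps:
            reasons.append(f"granted scope {scope}")
            return Decision(True, scope, reasons)
        reasons.append(f"{scope} withheld: " + ", ".join(gaps))
    return Decision(False, None, reasons)   # no tier matched: deny by default


# Constructed sample reports; NOW is fixed so the run is deterministic.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    PostureReport("contractor-01", NOW - timedelta(hours=1),
                  {"disk_encrypted": True, "edr_running": True, "os_supported": True,
                   "mdm_enrolled": True, "screen_lock": True}),
    PostureReport("byod-02", NOW - timedelta(hours=2),
                  {"disk_encrypted": True, "edr_running": True, "os_supported": True,
                   "mdm_enrolled": None,            # MDM status could not be verified
                   "screen_lock": True}),
    PostureReport("partner-03", NOW - timedelta(minutes=5),
                  {"disk_encrypted": True, "edr_running": False, "os_supported": True}),
    PostureReport("vendor-04", NOW - timedelta(days=3),   # report older than 24h
                  {"disk_encrypted": True, "edr_running": True, "os_supported": True,
                   "mdm_enrolled": True, "screen_lock": True}),
]


def decide_all(reports=SAMPLE_REPORTS, now=NOW) -> Dict[str, Decision]:
    """Evaluate every report against POLICY; keyed by device id."""
    return {r.device_id: evaluate(r, POLICY, now) for r in reports}


if __name__ == "__main__":
    for device, d in decide_all().items():
        print(f"{device:14} allow={d.allow!s:5} scope={d.scope} :: {'; '.join(d.reasons)}")
```

Running the block shows the four outcomes the approaches above describe: the fully verified contractor device reaches the CUI file share, the personal device whose MDM enrollment could not be confirmed is limited to the web application tier, the partner device without EDR is refused at the baseline, and the vendor device is refused because its posture evidence is too old to trust. The same shape of policy can be expressed in a NAC rule set or a cloud conditional access policy; what matters for the control is that the requirements are written down, checked against evidence rather than assumed, and tied to a bounded access scope.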

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If external system connections exist without documented terms and conditions: POA&M to develop and implement external system security requirements and agreements within 90 days
  • If external systems connect without verification of security controls: POA&M to implement a verification process (attestation, assessment, or technical validation) within 180 days
  • If technical controls do not limit external system access scope: POA&M to implement network segmentation, NAC, or conditional access within 180 days
  • If cloud services process CUI without FedRAMP or equivalent verification: POA&M to migrate to a FedRAMP authorized service or obtain an equivalent assessment within 12 months
  • If personal devices access CUI without MDM or security verification: POA&M to implement an MDM solution and enrollment requirement within 180 days
  • If no process exists for ongoing verification of external system compliance: POA&M to implement a periodic re-verification process within 90 days
  • If internal systems access CUI without being treated as external: POA&M to implement internal segmentation and access controls within 180 days

Prioritize POA&Ms based on:

  1. Volume of unverified external connections
  2. Sensitivity of CUI accessible to external systems
  3. Lack of technical controls versus policy-only restrictions

Frequently Asked Questions

Does this control mean we cannot use any cloud services or allow any remote access?

No. This control allows external systems including cloud services and remote access, but requires you to verify they meet security requirements and limit what they can access. You must establish terms and conditions, verify security controls are in place, and implement technical restrictions on access scope. Many organizations successfully use FedRAMP-authorized cloud services and properly secured remote access while meeting this control.

What counts as an 'external system' under this control?

External systems include any system not under your direct supervision and control, such as contractor-owned devices, employee personal devices, partner networks, cloud services (SaaS/PaaS/IaaS), vendor-managed systems, and even internal systems in different security zones that should not have unrestricted access to CUI. The key factor is whether you can directly enforce security controls on the system, not just whether it is physically outside your organization.

How do we verify that external systems have adequate security controls?

Verification can be achieved through third-party assessments (such as FedRAMP authorization for cloud services), attestations from external system owners confirming control implementation, technical validation (such as NAC posture checking), or third-party certifications and audit reports (ISO 27001 certification, SOC 2 reports). When relying on a certification or report, confirm that its scope actually covers the services, locations, and time period that will handle your CUI. The verification method should match the risk level: higher-risk connections require more rigorous verification than lower-risk ones.

Can employees use personal devices to access CUI, and if so, what is required?

Employees can use personal devices to access CUI if you verify the devices meet security requirements and implement controls to protect CUI. This typically requires mobile device management (MDM) to enforce security policies, containerization to separate work and personal data, and conditional access policies limiting what CUI the device can access. Simply allowing personal device access without verification and control violates this requirement.

What happens if we cannot establish terms and conditions with an external system owner?

If you cannot establish terms and conditions with an external system owner, you must impose restrictions on your personnel using those external systems. This might mean prohibiting use of that external system for CUI access, limiting what CUI can be accessed, requiring additional compensating controls, or accepting the risk with documented justification. You cannot simply allow unrestricted use of external systems where security cannot be verified.

Do we need to treat some of our own internal systems as 'external' to other internal systems?

Yes, if you have internal systems with different security levels or CUI access rights. For example, if some systems process CUI and others do not, the non-CUI systems should be treated as external when accessing CUI systems. This requires implementing security boundaries, access controls, and verification between internal security zones, similar to how you would control truly external connections.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.