AC.L2-3.1.20: External Connections

Verify and control connections to external information systems, and explain how you prevent unauthorized data flow.

This is the hardest AC control for most small contractors. It’s not about blocking everything external. It’s about being deliberate about what external systems you’re connected to, approving those connections, and proving you’ve prevented CUI leakage. Home office workers, cloud services, and contractor access all create external connection risk that assessors focus on.

Family: Access Control
Practice: AC.L2-3.1.20
Difficulty: Hard
Key evidence: External system approval process + approved external systems list + technical enforcement

What the assessor is actually evaluating

The NIST SP 800-171 Rev 2 language says “verify and control/limit connections to and use of external systems.” The assessor is checking four things:

Do you have a deliberate process for approving external connections? Not a casual decision. A formal process where someone evaluates an external system, assesses the risk of CUI exposure, and decides whether to approve it and under what conditions.

Can you list all approved external connections? This is where contractors usually struggle. Can you produce a list of every external system your organization uses? Slack, Google Drive, Microsoft 365 cloud services, VPNs, cloud backups, contractor networks, third-party APIs. If you can’t list them all, you can’t control them.

How do you prevent CUI from leaking to unapproved systems? Technical controls matter here. This might be network segmentation, data loss prevention (DLP) policies, conditional access restrictions, or application-level controls. The assessor wants to see that CUI can’t reach an external system unless you’ve intentionally allowed it.

What about edge cases like home office workers? Under NIST SP 800-171, external systems are the ones you have no direct authority over: personally owned devices, the home network and router, a personal printer, a personal Google Drive or Dropbox account. An organization-issued laptop that you manage and configure is inside your boundary, but at home it sits on an external network with external systems all around it. What controls prevent the user from copying CUI to a personal Google Drive, uploading it to a personal Dropbox, or printing it to a personal printer? This is the specific gotcha from real assessments. These controls overlap with AC.L2-3.1.21 (portable storage restrictions on external systems) and the boundary protections described in SC.L2-3.13.1.

What a realistic SSP definition looks like

Example SSP Language: AC.L2-3.1.20

[Organization Name] controls connections to external information systems through a documented External System Approval Process. All external systems that CUI-handling systems connect to, or that personnel may use while handling CUI, must be approved by the IT Director prior to use.

Approved external systems include: [specify], e.g., Microsoft 365 (cloud authentication, Outlook, OneDrive), Slack (approved for non-CUI collaboration), [any third-party APIs or integrations], VPN for remote access. Unapproved systems include Google Drive, personal Dropbox, personal email accounts, and social media.

For approved systems that are cloud-based or operated by external parties, we require encryption in transit, authentication controls, and audit logging. Contract reviews document the controls the external system provides; for any cloud service that stores, processes, or transmits CUI, the review confirms FedRAMP Moderate (or equivalent) as required by DFARS 252.204-7012.

Technical controls prevent CUI from reaching unapproved external systems. For remote workers, we enforce data loss prevention (DLP) policies that block uploads to non-approved cloud storage. Personal devices are not permitted. Organization-provided devices have USB restrictions preventing data export to unapproved portable storage. Printing is disabled on remote devices.

We monitor external system usage through network monitoring and endpoint tools. Attempts to access unapproved systems are logged and reviewed.

The critical part: you’ve named the approved systems, stated what each one is approved for (including which may carry CUI), named what is unapproved, and described the technical enforcement that keeps CUI off anything else. Network monitoring and logging of external access attempts ties to AU.L2-3.3.1 (creating and retaining audit records) and SI.L2-3.14.6 (monitoring inbound and outbound communications traffic).

How to present your evidence

Evidence checklist
  • External System Approval Policy with formal review process
  • Approved External Systems list with descriptions of each system and use case
  • Data Loss Prevention (DLP) policies preventing CUI export to unapproved systems
  • Conditional Access policies restricting system access from external networks
  • Application restrictions or removable media blocking on devices accessing CUI
  • Evidence of external system contract reviews (for cloud services that handle CUI, confirmation of FedRAMP Moderate or equivalent per DFARS 252.204-7012; a HIPAA Business Associate Agreement is not a substitute)
  • Monitoring logs showing attempts to access unapproved external systems

Approved external systems list. This is your foundation. List every external system, including cloud services, APIs, third-party connections, and VPNs. For each one, note whether CUI can flow to it and under what controls. This list should be thorough and honest. If you use Slack, Google Drive, or other cloud services, they need to be on here or your control fails.

Your external system approval policy. The formal process for evaluating and approving external connections. Who evaluates them, what criteria are used, and how decisions are documented.

DLP or content restriction policies. If using Microsoft 365, show the DLP rules preventing email with CUI to external recipients. Show app-level restrictions preventing copying from protected applications. Show USB restrictions on remote devices.

Conditional access policies. Policies that restrict CUI system access based on where and what the connection is coming from: for example, blocking sign-ins from untrusted networks, requiring a managed and compliant device, or requiring MFA for connections from outside the office. Know what these do and don’t cover. Conditional access controls who can reach your CUI systems, not where CUI can go once it is on a device, so it complements DLP and device controls rather than replacing them.

Device restrictions for remote workers. Proof that personal devices can’t connect. Proof that organization devices have USB storage disabled, printing disabled, and camera/microphone disabled when accessing CUI. If your web filtering or cloud-service blocking lives only on the office firewall, a laptop on a home network is not behind it; show that the blocking is enforced on the endpoint or through an always-on VPN so it follows the device off-network.

Monitoring logs. Evidence that you monitor for attempts to reach unapproved external systems. Show SIEM, web-proxy, or firewall logs demonstrating that unapproved external connections are logged and blocked, and that someone actually reviews them.
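One way to produce the evidence for the two items above (the approved external systems list and the monitoring logs) is to keep the list in machine-readable form and reconcile it against your proxy or firewall logs. The Python below is an added example, not code from this page or from any product: the approved list, the domains, the ALLOW/BLOCK log format and every log line are constructed for illustration, and your proxy’s real format will differ. It flags an allowed connection to an unapproved destination as a control failure (the Google Drive test an assessor will run), keeps blocked attempts as monitoring evidence, and lists approved systems that carried no traffic so stale entries get questioned.

```python
"""
Added example (not from the page): reconcile a web-proxy/firewall log against an
approved-external-systems list. The inventory, the log format and every log line
below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalSystem:
    name: str
    domains: tuple          # domain suffixes that belong to this system
    cui_permitted: bool     # may CUI flow to this system at all?
    conditions: str = ""    # the conditions under which it was approved


# Hypothetical approved external systems list (constructed; mirrors the SSP language above).
APPROVED = (
    ExternalSystem("Microsoft 365", ("outlook.office365.com", "sharepoint.com", "office.com"),
                   True, "encrypted in transit, MFA, audit logging"),
    ExternalSystem("Slack", ("slack.com",), False, "non-CUI collaboration only"),
    ExternalSystem("Corporate VPN", ("vpn.example.com",), True, "required for remote access"),
)

# Constructed proxy log lines: "<timestamp> <user> <source ip> <ALLOW|BLOCK> <destination host>".
SAMPLE_LOG = """\
2024-05-06T09:01:12Z jdoe    10.20.1.15 ALLOW outlook.office365.com
2024-05-06T09:02:03Z jdoe    10.20.1.15 ALLOW contoso.sharepoint.com
2024-05-06T09:05:44Z asmith  10.20.1.22 BLOCK drive.google.com
2024-05-06T09:06:10Z asmith  10.20.1.22 BLOCK www.dropbox.com
2024-05-06T09:10:31Z bnguyen 10.20.1.40 ALLOW app.slack.com
2024-05-06T09:12:58Z bnguyen 10.20.1.40 ALLOW mail.google.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<host>\S+)$"
)


def lookup(host):
    """Return the approved system a destination host belongs to, or None.

    Matches the exact domain or a dot-separated subdomain of it, so
    'contoso.sharepoint.com' matches 'sharepoint.com' but a look-alike such as
    'evil-sharepoint.com' does not (a bare endswith() check would let it through).
    """
    host = host.lower().rstrip(".")
    for system in APPROVED:
        for domain in system.domains:
            if host == domain or host.endswith("." + domain):
                return system
    return None


def review(log_text):
    """Classify each log line against the approved list.

    control_failures:    ALLOW to a destination not on the approved list, i.e. an
                         external connection that is neither approved nor blocked.
    blocked_attempts:    BLOCK to an unapproved destination (evidence the control
                         works and that attempts are logged).
    approved_seen:       approved systems that actually carried traffic.
    approved_never_seen: approved systems with no traffic in this window; confirm
                         the entry is still in use rather than a stale approval.
    """
    failures, blocked, seen = [], [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                    # malformed line: skipped here, count it in real use
        rec = m.groupdict()
        system = lookup(rec["host"])
        if system is not None:
            seen.add(system.name)
        elif rec["action"] == "ALLOW":
            failures.append(rec)
        else:
            blocked.append(rec)
    return {
        "control_failures": failures,
        "blocked_attempts": blocked,
        "approved_seen": sorted(seen),
        "approved_never_seen": sorted(s.name for s in APPROVED if s.name not in seen),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for rec in result["control_failures"]:
        print(f"CONTROL FAILURE: {rec['user']} reached unapproved host {rec['host']} at {rec['ts']}")
    for rec in result["blocked_attempts"]:
        print(f"blocked attempt: {rec['user']} -> {rec['host']} at {rec['ts']}")
    print("approved systems seen:", result["approved_seen"])
    print("approved but no traffic:", result["approved_never_seen"])
```

On the constructed sample, the allowed request to mail.google.com is the finding that matters: it is exactly the “policy says blocked, browser says otherwise” failure described under Common failures. The two blocked lines are what you hand the assessor as monitoring evidence, and the VPN entry with no traffic is a prompt to confirm the approval is still current.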

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "What external systems do you connect to?"
"[Pull up the external systems list] Microsoft 365 for email, OneDrive for approved file storage, Slack for collaboration, VPN for remote access. Those are approved. [Show DLP policy] Google Drive and personal cloud storage are blocked."
Assessor: "How do you prevent CUI from being uploaded to unapproved cloud services?"
"[Pull up the DLP policy] We have rules that detect CUI keywords and block uploads to unapproved services. [Show a recent log of blocked attempts] Here's yesterday's attempts. Blocked. We also restrict USB access and disable copy-paste to cloud services in certain applications."
Assessor: "You mentioned remote workers. What stops a remote worker from copying CUI to their personal Google Drive?"
"Personal devices aren't allowed to access CUI systems. [Pull up the policy] Only organization-provided devices. Those devices have Google Drive and other unapproved cloud services blocked at the firewall level. Plus DLP prevents uploads. Plus USB is disabled. If they try to copy to a USB drive, it won't work."
Assessor: "What if someone manually disconnects from the VPN and tries to access their Gmail from a CUI device?"
"The device can't reach Gmail without VPN. [Pull up conditional access policy] We restrict access to CUI systems to corporate networks or through the approved VPN. If they disconnect from VPN, they lose access. Gmail is blocked at the network level anyway."

Common failures

What gets flagged

No external systems list. You use Microsoft 365, Slack, and Dropbox but you don't have a formal list of approved systems. The assessor asks about Dropbox and you don't have a documented decision about it. This is a finding.

External systems aren't actually controlled. Your policy says Google Drive is unapproved, but employees can still access it from CUI devices. If the assessor opens a browser and navigates to Google Drive, that's a failed control.

No DLP or content controls. Your policy says CUI can't be shared externally, but there are no technical controls preventing it. DLP policies, conditional access, or application-level controls need to be in place.

Cloud services aren't addressed in the SSP. Many contractors mention approved systems but gloss over cloud services. Your SSP needs to explicitly address which cloud services are approved, how you prevent CUI from being shared to unapproved ones, and what monitoring you do.

Home office workers treated the same as office workers. A remote worker’s home network, personal devices, personal printer, and personal cloud accounts are all external systems, and an organization laptop at home sits outside your office perimeter controls. If you don’t have controls preventing printing to a personal printer, copying to USB devices, or uploading to personal cloud storage, and if those controls don’t travel with the device, this control fails.

No monitoring of external connections. You block some things but you don't monitor for attempts. If someone tries to access an unapproved system, you should be logging that.

What makes assessors move on satisfied

Documented external systems list that's complete and honest. Approval process for new external connections. Technical controls preventing CUI from reaching unapproved systems (DLP, network restrictions, device controls). Monitoring for unauthorized external access attempts. Specific controls for remote workers and home office environments. That's a strong answer, and it shows you understand that CUI boundary protection extends across your entire network.


If you use an MSP/MSSP

If your MSP manages your network or cloud infrastructure, they need to help you define and enforce external system controls.

What’s typically on you:

  • Defining which external systems are approved
  • Approving new external connections
  • Making policy decisions about cloud services, remote work, etc.

What’s typically on the MSP:

  • Implementing DLP policies
  • Configuring conditional access and network restrictions
  • Enforcing device controls (USB, printing, etc.)
  • Monitoring external system access attempts
  • Providing logs of blocked external access attempts

In the assessment, your MSP should be ready to demonstrate the technical controls. They should show DLP rules, conditional access policies, firewall logs, and device restrictions. They should explain how they prevent CUI from flowing to unapproved systems.

From the assessment room

Assessors probe this control by asking about specific cloud services and external systems. Have a clear list of approved external systems and a clear explanation of what's blocked. Know your technical controls (DLP, firewall, web filtering, device controls). Be honest about what your organization uses. Don't claim you block something you don't actually block. Assessors will test cloud services by attempting to access them during the assessment. Be ready.

A note on the cloud services conversation

The toughest assessor conversation I've seen on this control is about cloud services. Many contractors use OneDrive, Google Drive, Slack, and other services without formal approval. Your SSP needs to be honest about what you use. If you use it, it's either approved (with documented controls around CUI) or blocked (with technical enforcement proving it's blocked). The worst answer is "we don't allow it" with no evidence that it's actually blocked. Assessors test this. Have the controls ready to demonstrate.


This page covers AC.L2-3.1.20 from NIST SP 800-171 Rev 2 (3.1.20). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.