AC.L1-3.1.20 — Verify and control/limit connections to and use of external systems.
What this control requires
Verify and control/limit connections to and use of external systems.
Source: CMMC L1 v2.13 AC.L1-3.1.20 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.1.20 (official control text).
Why this matters
External systems — contractor laptops, partner networks, personal devices, cloud services, even other internal systems that don't process CUI — represent uncontrolled entry points into your environment. Without verification and limits, an adversary can pivot from a compromised personal tablet or unsecured cloud tenant directly into systems holding CUI. This control requires you to identify every external connection, enforce technical guardrails, and document acceptable use so that data doesn't leak through unmonitored channels or unvetted endpoints.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.