AC.L2-3.1.20 — Verify and control/limit connections to and use of external systems.
What this control requires
Verify and control/limit connections to and use of external systems.
Source: CMMC L2 v2.13 AC.L2-3.1.20 / NIST SP 800-171 R2 3.1.20 (official control text).
Why this matters
External systems — contractor laptops, personal devices, partner networks, cloud services — sit outside your direct control but often need to touch your CUI. Without verification and connection limits, an attacker who compromises a vendor's poorly secured laptop can pivot into your environment and exfiltrate controlled technical data. This control requires you to define who can connect from where, verify that those external endpoints meet baseline security standards, and technically enforce boundaries so CUI never leaks to unvetted systems. It protects the integrity of your environment when third parties, remote workers, or cloud platforms enter the picture.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.