
03.01.20

What this control requires

(a) Prohibit the use of external systems unless the systems are specifically authorized.

(b) Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: {{ insert: param, A.03.01.20.ODP.01 }}.

(c) Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:

(d) Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.

Source: NIST SP 800-171 R3 §03.01.20 (official control text).

Why this matters

External systems—personally owned devices, contractor laptops, public kiosk computers, or partner-managed platforms—introduce risk vectors outside your direct security control. When authorized users access CUI from these systems, you lose visibility into endpoint hygiene, patch levels, and malware status. Attackers frequently pivot through poorly secured personal devices or third-party systems to breach controlled environments. This control establishes explicit authorization gates and baseline security requirements before any external system touches your data. Without formal policies and technical enforcement, shadow IT proliferates, CUI leaks to unmonitored endpoints, and incident response becomes impossible when you cannot inventory what devices actually processed sensitive information.

What evidence assessors expect

Assessors typically look for artifacts such as a PDF, a signed letter, a CSV export, or a screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.


FORCE shows where you stand on this control and walks you through closing it.
