Control connections to external systems

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

• ✓A short policy that says "only company-managed devices may access FCI; personal devices must use the approved web portal only."
• ✓Conditional Access in M365 / Context-Aware Access in Google blocking unknown devices from reaching the FCI folder.
• ✓VPN configuration if remote workers connect to an on-prem file server.
• ✓A list of external SaaS systems that have your FCI (e.g. an accounting tool that processes invoices) and their security agreements.
• ✓Disabling email forwarding to external addresses in M365 / Workspace.

Common ways small shops fail this

• ✗Founders / owners working out of personal Macs that have never been enrolled in any management.
• ✗Auto-forwarding of project emails to a personal Gmail "so I can read on the road."
• ✗USB drives moving between the shop PC and someone's home machine.
• ✗Free / unmanaged cloud storage (personal Dropbox, iCloud) syncing FCI folders to non-company devices.
• ✗Subcontractors uploading FCI to their own SaaS tools without an agreement.

How to fix it in a weekend

1. 1Disable email auto-forwarding to external domains in your tenant settings.
2. 2Block personal-device access to the FCI folder via Conditional Access (M365 P1) or Context-Aware Access (Workspace).
3. 3Issue or designate a specific company device for every person who works with FCI — even if it's their main laptop, just register it.
4. 4Inventory every external SaaS tool that touches FCI; either get a written security agreement or stop using it.
5. 5Add a two-sentence "no personal devices" line to your one-page boundary description.

FAQ

Related references