AC.L2-3.1.20 · NIST SP 800-171 3.1.20

External Connections

Verify and control/limit connections to and use of external systems.

1 point if not met · Must be fully met, cannot POA&M · 6 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.20 is met only when every one of these 6 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. connections to external systems are identified
  • b. the use of external systems is identified
  • c. connections to external systems are verified
  • d. the use of external systems is verified
  • e. connections to external systems are controlled/limited
  • f. the use of external systems is controlled/limited

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.20, an assessor uses these:

Examine

Access control policy; procedures addressing the use of external systems; terms and conditions for external systems; system security plan; list of applications accessible from external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records

Interview

Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system or network administrators; personnel with information security responsibilities

Test

Mechanisms implementing terms and conditions on use of external systems

What it means, in context

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case.
Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company’s networks that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that does not belong to your company. Tools to accomplish this include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that are prohibited or blocked. Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones. You may choose to limit how and when your network is connected to outside systems, or only allow certain employees to connect to outside systems from network resources.

Example

Your company has a project that contains CUI. You remind your coworkers of the policy requirement to use their company laptops, not personal laptops or tablets, when working remotely on the project [b,f]. You also remind everyone to work from the cloud environment that is approved for processing and storing CUI rather than the other collaborative tools that may be used for other projects [b,f].

Potential Assessment Considerations

  • Are all connections to external systems outside of the assessment scope identified [a]?
  • Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal devices) that are permitted to connect to or make use of organizational systems identified [b]?
  • Are methods employed to ensure that only authorized connections are being made to external systems (e.g., requiring log-ins or certificates, access from a specific IP address, or access via Virtual Private Network (VPN)) [c,e]?
  • Are methods employed to confirm that only authorized external systems are connecting (e.g., if employees are receiving company email on personal cell phones, is the OSA checking to verify that only known/expected devices are connecting) [d]?
  • Is the use of external systems limited, including by policy or physical control [f]?
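As an added example (not from this page, NIST, or any assessor tool), the check below reconciles a constructed connection log against an approved external-systems register, the kind of verification the considerations above ask about. The register, the known-device list, the VPN egress range, the log format and every hostname and address are constructed placeholders, not values from any real environment.

```python
import ipaddress
from collections import namedtuple

# Constructed register of approved external systems (what objectives [a] and [b]
# ask you to identify) with the protocol/port each connection is verified against [c].
APPROVED_EXTERNAL_SYSTEMS = {
    "prime-portal.example": ("tls", "443"),  # the prime's portal, TLS only
    "cui-cloud.example": ("tls", "443"),     # the cloud approved for CUI
}
KNOWN_DEVICES = {"MOBILE-0A17", "MOBILE-0B42"}        # constructed known/expected devices [d]
VPN_RANGE = ipaddress.ip_network("203.0.113.0/24")   # constructed VPN egress range [c,e]
Finding = namedtuple("Finding", "direction subject objectives status reason")

def check_outbound(dest, proto, port):
    """[a,c,e]: destination must be registered and use its approved protocol/port."""
    entry = APPROVED_EXTERNAL_SYSTEMS.get(dest)
    if entry is None:
        return "FAIL", "destination is not in the external-systems register"
    if (proto, port) != entry:
        return "FAIL", f"expected {entry[0]}/{entry[1]}, saw {proto}/{port}"
    return "PASS", "approved external connection"

def check_inbound(device_id, src_ip):
    """[b,d,f]: an external device must be known/expected and arrive via the VPN."""
    if device_id not in KNOWN_DEVICES:
        return "FAIL", "device is not in the known/expected device list"
    if ipaddress.ip_address(src_ip) not in VPN_RANGE:
        return "FAIL", f"source {src_ip} is outside the VPN range {VPN_RANGE}"
    return "PASS", "known device via VPN"

def audit(log_text):
    """Parse constructed 'OUT dst= proto= port=' / 'IN dev= src=' lines, one Finding each."""
    findings = []
    for line in log_text.strip().splitlines():
        direction, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        if direction == "OUT":
            status, reason = check_outbound(kv["dst"], kv["proto"], kv["port"])
            findings.append(Finding("OUT", kv["dst"], "a,c,e", status, reason))
        else:
            status, reason = check_inbound(kv["dev"], kv["src"])
            findings.append(Finding("IN", kv["dev"], "b,d,f", status, reason))
    return findings

# Constructed sample log: approved portal connection, unregistered destination,
# known device via VPN, known device off-VPN, unknown device via VPN.
SAMPLE_LOG = """
OUT dst=prime-portal.example proto=tls port=443
OUT dst=filedrop.example proto=tls port=443
IN dev=MOBILE-0A17 src=203.0.113.7
IN dev=MOBILE-0B42 src=198.51.100.9
IN dev=MOBILE-7777 src=203.0.113.8
"""
```

Each FAIL finding names the objective it touches, so the output can be filed directly as the verification note per external system that the evidence section calls for.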

What passing evidence looks like

The external systems list (partner portals, personal devices, other clouds), the verification note or agreement per system, and the sharing restrictions that limit what can flow to them. This requirement can never sit on a POA&M.

Common ways contractors fail AC.L2-3.1.20

  • Cannot be deferred: this is one of the six POA&M-blocked requirements; it must be MET on assessment day.
  • The prime's portal is an external system you connect to. Name it, and note that the connection is limited to that portal over TLS.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.20, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.20 questions, answered

How many points is CMMC requirement AC.L2-3.1.20 worth?

AC.L2-3.1.20 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AC.L2-3.1.20 be placed on a POA&M?

No. AC.L2-3.1.20 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.20 belong to?

AC.L2-3.1.20 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.20
  • FAR Clause 52.204-21 b.1.iii