AC.L1-3.1.20: Verify and Control External Information System Connections
External connections are a critical attack surface for SMBs managing CMMC compliance. AC.L1-3.1.20 requires you to actively verify and limit who and what can connect to your systems from outside your organization. This foundational control prevents unauthorized access and data exfiltration through third-party integrations and remote access points.
What this means
This control mandates that your organization establish and enforce policies that verify all external connections to your information systems before they're permitted. You must document what external systems are connected, who manages those connections, and the business justification for each one. The control requires active monitoring and periodic review to ensure only authorized external connections remain active and that unauthorized connection attempts are detected and logged.
How to comply
- 1.Create a formal policy documenting all approved external connections and the authorization process required for new connections
- 2.Maintain an inventory of all external systems connected to your network, including third-party vendors, cloud services, and remote access points
- 3.Implement technical controls (firewalls, VPNs, network segmentation) that enforce connection restrictions at the perimeter
- 4.Require written approval and documented business justification before any new external connection is established
- 5.Conduct quarterly reviews of active external connections to identify and remove unnecessary or outdated links
- 6.Monitor and log all external connection attempts, including both successful and failed connections
- 7.Establish procedures to revoke external connections promptly when the business relationship ends or the connection is no longer needed
Evidence auditors look for
- External connections policy document with approval procedures and review schedule
- Inventory spreadsheet or asset management system listing all active external connections with justification
- Firewall rules and network access control lists (ACLs) restricting external traffic
- VPN configuration files and remote access approval logs
- Documentation of quarterly connection reviews with sign-off from authorized personnel
- Connection monitoring logs showing successful and denied external access attempts
- Records of deactivated connections with termination dates and authorization
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates external connection inventory management and flags unauthorized connections in real-time, eliminating manual quarterly audits and reducing your control implementation timeline from weeks to days.
See how GRCWatch handles this control automatically
Start free trial