NIST SP 800-171
Control 3.1.20
Verify and Control Connections to External Systems
CMMC-RP Certified Team
24+ Years Experience
CMMC-AB RPO #1449
Official Requirement
Verify and control/limit connections to and use of external information systems.
What This Means in Plain English
Before connecting your systems to any external network or system, you must verify it meets security requirements. Connections to external systems (partner networks, cloud services, vendor portals) must be controlled and monitored.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- FortiGate firewall policies explicitly permitting only approved external connections
- Third-party risk assessments completed before establishing system interconnections
- Cloud Access Security Broker (CASB) policies controlling access to sanctioned and unsanctioned cloud services
- ComplianceArmor maintaining an inventory of all authorized external system connections
- Regular review of firewall rules and external connection inventory quarterly
Assessment Guidance
Assessors will review the inventory of external system connections, verify that interconnection security agreements exist for each external connection, test that unauthorized external connections are blocked, and check that external connections are regularly reviewed.
Common Implementation Gaps
- No inventory of external system connections
- No interconnection security agreements (ISAs) with partners
- Shadow IT cloud services connecting to CUI data
- No periodic review of external connections
- VPN tunnels to third parties without security requirements
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-20, AC-20(1) |
| HIPAA | 164.308(b)(1) - Business Associate Contracts |
| PCI DSS | Req 12.8 - Manage service providers |
Need Help Implementing 3.1.20?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment Calculate your SPRS score