NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.20 Use of External Systems

  • Prohibit the use of external systems unless the systems are specifically authorized.
  • Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: {{ insert: param, A.03.01.20.ODP.01 }}.
  • Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:
    • Verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied; and
    • Retaining approved system connection or processing agreements with the organizational entities hosting the external systems.
  • Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.

Assessment Objectives

  • the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: {{ insert: param, A.03.01.20.ODP.01 }}.
  • the use of external systems is prohibited unless the systems are specifically authorized.
  • authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied.
  • authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after retaining approved system connection or processing agreements with the organizational entity hosting the external systems.
  • the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted.

Practitioner Notes

External systems — like a contractor's laptop, a partner's cloud environment, or a personal home computer — are not under your control. You need to formally decide which external systems are allowed to touch your data and put restrictions on them.

Example 1: In Azure AD Conditional Access, create a policy under Security → Conditional Access → New Policy that blocks sign-in from devices not marked as compliant in Intune. Set the condition to Device state → Exclude → Device marked as compliant. This means only company-managed machines can access your Microsoft 365 environment, blocking personal devices and contractor laptops that haven't been enrolled.
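The portal click-path above, expressed as the Microsoft Graph request body that the Conditional Access API accepts, as an added example that is not part of the original page. It assumes the Graph endpoint `POST /identity/conditionalAccess/policies`, an access token with the Policy.ReadWrite.ConditionalAccess permission obtained elsewhere, and the "filter for devices" rule syntax `device.isCompliant -eq True`; the small evaluator at the bottom is there only to make the exclude/block inversion visible: compliant devices are excluded from the policy and therefore allowed, everything else stays in scope and is blocked. The policy is created in report-only state so sign-in logs can be reviewed before enforcement.

```python
"""Added example: the 'block sign-in from non-compliant devices' Conditional Access
policy as a Graph API body, plus an evaluator showing which devices it blocks."""
import json
import urllib.request
from typing import Optional

# Real Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_noncompliant_policy(
        name: str = "CMMC 3.1.20 - Block non-compliant devices",
        state: str = "enabledForReportingButNotEnforced") -> dict:
    """Policy body: all users, all cloud apps, devices marked compliant by Intune are
    EXCLUDED from scope, and whatever remains in scope is blocked."""
    return {
        "displayName": name,
        "state": state,  # switch to "enabled" after reviewing report-only results
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",
                    "rule": "device.isCompliant -eq True",
                }
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _rule_matches(rule: str, device: dict) -> bool:
    """Evaluate the one rule shape used here: 'device.<property> -eq True|False'.
    A device with no record (unregistered personal PC) has no property and never matches."""
    prop, op, value = rule.split()
    if not prop.startswith("device.") or op != "-eq":
        raise ValueError(f"unsupported rule: {rule!r}")
    return device.get(prop[len("device."):]) == (value == "True")


def device_in_scope(policy: dict, device: dict) -> bool:
    """With mode 'exclude', devices matching the rule drop OUT of scope; with
    'include', only matching devices are in scope."""
    flt = policy["conditions"]["devices"]["deviceFilter"]
    matches = _rule_matches(flt["rule"], device)
    return (not matches) if flt["mode"] == "exclude" else matches


def decision(policy: dict, device: dict) -> str:
    """'block' if the device is in scope of a block policy, otherwise 'allow'."""
    blocks = "block" in policy["grantControls"]["builtInControls"]
    return "block" if blocks and device_in_scope(policy, device) else "allow"


def create_policy(token: str, policy: dict) -> Optional[dict]:
    """Submit the policy to Graph. Network call; not run by the demo below."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_block_noncompliant_policy()
    # Constructed sign-in scenarios (not real tenant data).
    scenarios = [
        ("Intune-compliant corporate laptop", {"isCompliant": True}),
        ("enrolled but non-compliant laptop", {"isCompliant": False}),
        ("unregistered personal PC", {}),
    ]
    for label, dev in scenarios:
        print(f"{label:34s} -> {decision(policy, dev)}")
    print(json.dumps(policy, indent=2))
```

Note the inversion: an unregistered personal device has no compliance property at all, so it does not match the exclusion rule and is blocked along with enrolled non-compliant devices; only devices Intune has actually marked compliant get through.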

Example 2: Write an External Systems Use Policy that lists every external system or service authorized to interact with your CUI. For each one, document the security requirements it must meet (e.g., encryption, MFA, logging). Maintain a signed Interconnection Security Agreement (ISA) or a memorandum of understanding with each external party. Your assessor will want to see these agreements.
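The External Systems Use Policy in Example 2 is easier to keep honest when the register behind it is machine-checkable. The following is an added example, not part of the original page: a small external-systems register and the gate that decides whether an authorized individual may use a given external system for CUI, mirroring objectives a, c[1], c[2] and d above. The system names, hosting entities, required controls and dates are all constructed for illustration, and the three required controls stand in for whatever your SSP actually specifies as the ODP value.

```python
"""Added example: an external-systems register with the 3.1.20 authorization gate."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Stand-in for the ODP: security requirements the SSP demands of every external system.
REQUIRED_CONTROLS = ("fips_validated_encryption", "mfa", "audit_logging")


@dataclass
class Agreement:
    kind: str          # "ISA" or "MOU"
    signed_by: str     # hosting entity's signatory
    signed_on: date
    expires_on: date


@dataclass
class ExternalSystem:
    name: str
    hosting_entity: str
    authorized: bool                                   # 3.1.20a: specifically authorized
    verified_controls: Dict[str, date] = field(default_factory=dict)  # control -> date verified
    agreement: Optional[Agreement] = None              # 3.1.20c[2]: approved ISA/MOU on file
    portable_media_allowed: bool = False               # 3.1.20d: default is restricted


@dataclass
class Decision:
    permitted: bool
    reasons: List[str]


def evaluate(system: ExternalSystem, today: date) -> Decision:
    """Permit use for CUI only when every objective is satisfied; otherwise list why not."""
    reasons: List[str] = []
    if not system.authorized:
        reasons.append("system is not specifically authorized (3.1.20a)")
    missing = [c for c in REQUIRED_CONTROLS if c not in system.verified_controls]
    if missing:
        reasons.append(f"unverified SSP requirements: {', '.join(missing)} (3.1.20c[1])")
    ag = system.agreement
    if ag is None:
        reasons.append("no approved connection/processing agreement on file (3.1.20c[2])")
    elif ag.expires_on < today:
        reasons.append(f"{ag.kind} with {system.hosting_entity} expired on "
                       f"{ag.expires_on.isoformat()} (3.1.20c[2])")
    return Decision(permitted=not reasons, reasons=reasons)


def portable_media_decision(system: ExternalSystem) -> str:
    """Organization-controlled portable storage on external systems is restricted by default."""
    return "permitted" if system.portable_media_allowed else "restricted (3.1.20d)"


def review_register(register: List[ExternalSystem], today: date) -> Dict[str, Decision]:
    """Evaluate every entry; the output is the evidence an assessor can be walked through."""
    return {s.name: evaluate(s, today) for s in register}


# Constructed register (illustrative names and dates only).
REGISTER = [
    ExternalSystem("partner-sharepoint", "Acme Fabrication LLC", authorized=True,
                   verified_controls={c: date(2024, 3, 1) for c in REQUIRED_CONTROLS},
                   agreement=Agreement("ISA", "J. Doe (Acme)", date(2024, 3, 15), date(2025, 3, 15))),
    ExternalSystem("contractor-laptop-07", "Beta Consulting", authorized=True,
                   verified_controls={"mfa": date(2024, 5, 2)},
                   agreement=Agreement("MOU", "R. Roe (Beta)", date(2024, 5, 2), date(2025, 5, 2))),
    ExternalSystem("personal-home-pc", "employee-owned", authorized=False),
]

if __name__ == "__main__":
    for name, d in review_register(REGISTER, date(2024, 9, 1)).items():
        status = "PERMITTED" if d.permitted else "DENIED"
        print(f"{name:22s} {status}")
        for r in d.reasons:
            print(f"    - {r}")
```

Re-running the review with a later date is how an expired ISA surfaces: the partner entry that passes in September 2024 fails in mid-2025 until the agreement is renewed, which is exactly the gap an assessor will look for.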