Decide and limit how outside systems and services connect to yours.
What it actually means
Verify and control or limit connections to and use of external systems — partner networks, personal devices, third-party cloud services. Define which external systems may connect and how, and restrict the rest. This is also a Level 1 (FCI) requirement.
Pass or fail — an assessor needs a "yes" to each
- Have you defined which external systems may connect to or be used with your systems?
- Are unapproved external connections restricted?
What to have ready
- Policy on external-system connections
- Configuration restricting external connections (tenant rules, firewall, conditional access)
Where teams trip up
- Unmanaged personal devices freely accessing CUI systems
- No stance on third-party cloud usage