Meeting CMMC Level 1 Requirement | AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA]

How Small Businesses Can Meet It.

What Is AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA]

The control reads: Verify and control/limit connections to and use of external information systems.

Understanding External Systems and Their Use with FCI

External systems are systems or devices that your organization does not directly control. This means you can't enforce security settings on them or ensure they meet your cybersecurity standards. Examples of external systems include:

  • Personal laptops, phones, or tablets used by employees or contractors.
  • Privately owned devices located in commercial spaces or public areas.
  • Cloud services like Dropbox, Google Drive, or third-party apps not managed by your company.

This requirement also covers the use of external systems to store, process, or transmit Federal Contract Information (FCI). This includes cloud services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Meeting the Requirement

Your business must set clear rules for when and how external systems can be used. These rules should be documented in your security policies and explain:

  • What types of external systems or apps are allowed.
  • What employees can or cannot access from personal or unmanaged devices.
  • What restrictions apply if you can’t set terms directly with the owner of the external system.

Checklist for Businesses Using Microsoft 365 GCC or GCC High

  • Use only company-managed devices for Microsoft 365 access. This can be accomplished using Intune and Conditional Access policies.
  • Disable unused remote access methods.
  • Restrict cloud file sharing to Microsoft apps.
  • Keep an inventory of external connections.
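The first checklist item can be implemented as a Conditional Access policy that grants access to Office 365 only from Intune-compliant or hybrid-joined devices. The script below is an added example, not code from the original page; it uses the Microsoft Graph PowerShell SDK, creates the policy in report-only mode so sign-in logs can be reviewed before enforcement, and assumes a break-glass account object ID (placeholder) and, for GCC High, the USGov cloud environment.

```powershell
# Requires: Install-Module Microsoft.Graph (Identity.SignIns module is used below)
# Assumption: tenant is GCC High, so we connect to the US Government cloud endpoint.
# For commercial/GCC tenants drop the -Environment parameter.
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) account that must never be locked out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "FCI - Require managed device for Office 365"
    # Report-only first: evaluates every sign-in and logs the result without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            # "Office365" is the built-in application group covering Exchange, SharePoint, Teams, etc.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Either control satisfies the policy: an Intune-compliant device OR a hybrid Azure AD joined device.
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verification step: list every policy that does not require a managed device for Office 365.
# These are the gaps an assessor would ask about when checking this control.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $controls  = $_.GrantControls.BuiltInControls
    $requiresManagedDevice = $controls -contains "compliantDevice" -or $controls -contains "domainJoinedDevice"
    [pscustomobject]@{
        Name                  = $_.DisplayName
        State                 = $_.State
        RequiresManagedDevice = $requiresManagedDevice
    }
} | Format-Table -AutoSize
```

Switch the state to "enabled" only after the report-only sign-in logs show no unexpected failures for legitimate users.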

Sometimes, outside individuals like contractors or partners may need to access your systems using their own devices. In those cases, your organization must ensure those external systems are secure enough not to pose a risk. This can be verified through:

  • Security audits.
  • Attestation reports.
  • Independent third-party assessments.

It’s important to note that “external” doesn’t always mean outside your company. For example, if one part of your organization handles FCI and another doesn’t, then from a security perspective, the system that doesn’t handle FCI might be considered “external” to the one that does. You should apply similar caution when managing internal access between systems with different security needs.

Example

Your company has been awarded a new contract that involves handling Federal Contract Information (FCI). You remind your team that, in accordance with company policy, they must use only company-issued laptops, not personal laptops, tablets, or other devices, when working remotely on this contract. Additionally, you emphasize the importance of using the approved cloud environment designated for FCI to store and process contract-related data, and not other collaboration platforms that may be used for non-FCI projects.
