
Compliance Checklist for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.III: Practical Steps to Control Use of External Information Systems

Practical, step-by-step guidance for small businesses to meet FAR 52.204-21 / CMMC 2.0 Level 1 control AC.L1-B.1.III by controlling the use of external information systems.

April 17, 2026

This post gives small businesses a practical compliance checklist and step-by-step implementation advice to meet FAR 52.204-21 / CMMC 2.0 Level 1 control AC.L1-B.1.III — the requirement to control the use of external information systems — using the Compliance Framework as the organizing structure.

What the requirement means in practice

At its core, AC.L1-B.1.III (FAR 52.204-21(b)(1)(iii): "verify and control/limit connections to and use of external information systems") expects organizations handling Federal Contract Information (FCI) to prevent uncontrolled use of external information systems to access, process, or store contract-related data. "External" means anything outside the boundary you manage and can vouch for: personal devices, consumer cloud apps, unmanaged endpoints, and systems operated by other organizations such as partners or customers. Under the Compliance Framework, this translates to a combination of policy (who can use what), technical enforcement (how access is allowed or blocked), and monitoring (how use is verified and audited). Your objective is to allow only authorized users, devices, and services to reach FCI and to make those controls demonstrable for audits and self-assessments.

Practical implementation steps

1) Policy, inventory, and approval workflow

Start with a written policy that defines "external information systems" (e.g., unmanaged laptops, personal smartphones, consumer cloud storage) and an approval process for exceptions. Maintain an up-to-date inventory of approved devices and cloud services. For small businesses, that inventory can be a CSV/CMDB that records device owner, device type, OS version, MDM status, and approval date. Implement a simple approval ticket template (email or ticketing system) that documents business justification, data types involved, and mitigation (e.g., encryption, remote wipe capability).

2) Technical controls to enforce approved use

Use technical controls that align with your Compliance Framework mappings: require multi-factor authentication (MFA) everywhere, enforce device compliance checks, and block access from unmanaged or non-compliant devices. Example configurations: in Microsoft Entra ID (formerly Azure AD), create a Conditional Access policy that requires both MFA and an Intune-compliant device for access to Microsoft 365, scoped to all users with a single excluded emergency-access account. If you select both controls in one policy, set the grant to require all of the selected controls rather than any one of them; otherwise MFA from an unmanaged device still satisfies the policy. In Google Workspace, deploy Endpoint Verification and use Context-Aware Access levels to block access from devices that are not company-managed. For cloud storage, maintain an allow list of approved apps and restrict which third-party OAuth apps users can grant access to company data. On endpoints, enable full disk encryption (BitLocker on Windows, FileVault on macOS), enforce screen lock and password complexity via MDM (Microsoft Intune, Jamf, or a lightweight MDM), and install an endpoint detection and response (EDR) agent such as CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint to detect suspicious activity. For remote access, use a company-managed VPN with certificate-based authentication or a Zero Trust access broker, and do not permit direct access from public Wi-Fi without VPN and device posture checks.
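The Conditional Access caveat above (MFA and compliant device must be combined with the AND operator, scoped to all users and to Microsoft 365, and actually enabled rather than report-only) is easy to check against a policy export. The audit below is an added example written for this post, not code from the Compliance Framework or from Microsoft; it reads the field names of the Microsoft Graph conditionalAccess/policies resource (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls), and the three sample policies and the excluded-account GUID are constructed placeholders rather than a real tenant's export.

```python
"""Audit an export of Microsoft Entra Conditional Access policies (Graph
/identity/conditionalAccess/policies schema) for the posture described above:
every user, every Microsoft 365 app, MFA *and* a compliant device, enforced.

The sample policies at the bottom are constructed for illustration, not exported
from a real tenant; the excluded GUID is a placeholder for an emergency-access account."""
from __future__ import annotations

import json

REQUIRED_CONTROLS = {"mfa", "compliantDevice"}
# Graph values that cover Microsoft 365: the "Office365" app group or "All" cloud apps.
M365_TARGETS = {"All", "Office365"}
# clientAppTypes values that legacy (non-modern-auth) clients fall under.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def evaluate_policy(policy: dict) -> list[str]:
    """Return the reasons this policy does NOT enforce MFA + compliant device for everyone.
    An empty list means the policy satisfies the check."""
    findings: list[str] = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    client_types = set(conditions.get("clientAppTypes", []))
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; report-only or disabled policies enforce nothing")
    if "All" not in users.get("includeUsers", []):
        findings.append("scope is not 'All' users; unlisted users are not controlled")
    if not M365_TARGETS & set(apps.get("includeApplications", [])):
        findings.append("does not target Microsoft 365 ('Office365') or 'All' cloud apps")
    if "all" not in client_types and not LEGACY_CLIENT_TYPES <= client_types:
        findings.append("clientAppTypes omits legacy clients; legacy auth bypasses the device check")
    missing = REQUIRED_CONTROLS - controls
    if missing:
        findings.append(f"grant controls missing {sorted(missing)}")
    # The common mistake: both controls listed but operator OR means *either* one
    # satisfies the policy, so an unmanaged device that completes MFA is still let in.
    if REQUIRED_CONTROLS <= controls and grant.get("operator") != "AND":
        findings.append("operator is 'OR'; MFA alone satisfies it, unmanaged devices are not blocked")
    return findings


def break_glass_excluded(policy: dict) -> bool:
    """True if at least one user or group is excluded. An emergency-access account
    should be, so an Intune or MFA outage cannot lock every admin out."""
    users = policy.get("conditions", {}).get("users", {})
    return bool(users.get("excludeUsers") or users.get("excludeGroups"))


def audit(policies: list[dict]) -> dict[str, list[str]]:
    """Map each policy's displayName to its findings (empty list = passes)."""
    return {p["displayName"]: evaluate_policy(p) for p in policies}


def tenant_enforces_managed_mfa(policies: list[dict]) -> bool:
    """The control is met if at least one enabled policy passes every check."""
    return any(not findings for findings in audit(policies).values())


# Constructed export: one correct policy, one with the OR mistake, one left in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "CA01 - Require MFA and compliant device for M365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["11111111-2222-3333-4444-555555555555"]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "CA02 - MFA or compliant device (too weak)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "CA03 - Report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
    print("tenant enforces MFA + compliant device:", tenant_enforces_managed_mfa(SAMPLE_POLICIES))
```

Run against a real export (for example the JSON returned by Get-MgIdentityConditionalAccessPolicy), the output is the evidence you keep for the self-assessment: which policy meets the requirement, and why the others do not. CA02 is the case to watch for, since in the portal it looks like it requires both controls.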

3) Data controls and application restrictions

Implement Data Loss Prevention (DLP) rules for cloud email and storage to prevent uploading or sharing of contract data to consumer services (for example, block sending attachments to personal webmail or syncing to a personal Dropbox). Configure SharePoint and OneDrive sharing to restrict external sharing by default and disable anonymous "Anyone" links so every recipient must authenticate. Where possible, use containerized apps for BYOD rather than allowing full device access: managed email profiles with app-level encryption and selective wipe, or mobile application management (MAM) policies that prevent copy/paste and save-as into unmanaged apps. For small shops without enterprise DLP, write the prohibition on consumer file sync for contract documents into policy and require a company-approved, encrypted file share (SFTP, or a managed cloud tenant such as Microsoft 365 Business Premium or E3/E5 where the sharing controls above are available).

Operational monitoring, incident readiness, and review

Logging and regular review are essential. Enable audit logging for authentication, file sharing, and admin actions in cloud services and retain logs long enough to investigate incidents (start with 90 days for user activity and 1 year for privileged actions if storage is limited). Export them rather than relying on the tenant: Entra ID keeps sign-in logs for only 7 days on the free tier and 30 days with a P1/P2 license. Forward critical logs to a lightweight SIEM or cloud log service (Microsoft Sentinel, Splunk, or a managed logging service) and configure alerts for successful sign-ins from unmanaged or non-compliant devices, sign-ins from unexpected countries, and mass downloads. Pair monitoring with a simple incident response playbook that covers remote wipe of compromised devices, credential rotation, and the notification steps your contract requires when FCI is suspected to be exposed.
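The three alert conditions above are simple enough to run as a daily review script before you have a SIEM. The following is an added example written for this post, not code from the Compliance Framework or from Microsoft. It reads the field names of the Microsoft Graph auditLogs/signIns resource (status.errorCode, deviceDetail.isCompliant and isManaged, location.countryOrRegion) and of Microsoft 365 unified audit log records (Operation, UserId, CreationTime); the sign-in and audit records, user names, and the expected-country and download thresholds are all constructed for the demonstration and should be tuned to your own tenant.

```python
"""Review exported Microsoft Entra sign-in records (field names from the Graph
/auditLogs/signIns resource) and Microsoft 365 unified audit log records for the
three alert conditions named above. All records below are constructed samples."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}                    # where your staff normally sign in from (assumption)
MASS_DOWNLOAD_THRESHOLD = 50                   # FileDownloaded events ...
MASS_DOWNLOAD_WINDOW = timedelta(minutes=10)   # ... inside any window this long


def unmanaged_device_signins(signins: list[dict]) -> list[tuple[str, str, str]]:
    """Successful sign-ins (errorCode 0) from devices Entra saw as neither Intune-compliant
    nor managed. These are exactly the sessions Conditional Access should have blocked."""
    hits = []
    for s in signins:
        if s["status"]["errorCode"] != 0:
            continue                           # failed attempts are a different alert
        dev = s.get("deviceDetail") or {}
        if not (dev.get("isCompliant") or dev.get("isManaged")):
            hits.append((s["userPrincipalName"], dev.get("operatingSystem", "unknown"), s["appDisplayName"]))
    return hits


def unusual_location_signins(signins: list[dict], expected: set[str] = EXPECTED_COUNTRIES) -> list[tuple[str, str]]:
    """Successful sign-ins whose resolved country is outside the expected set."""
    return [
        (s["userPrincipalName"], s["location"]["countryOrRegion"])
        for s in signins
        if s["status"]["errorCode"] == 0 and s["location"]["countryOrRegion"] not in expected
    ]


def mass_downloads(records: list[dict], threshold: int = MASS_DOWNLOAD_THRESHOLD,
                   window: timedelta = MASS_DOWNLOAD_WINDOW) -> dict[str, int]:
    """Users with at least `threshold` FileDownloaded events inside a sliding time window.
    Returns user -> peak count seen within one window."""
    per_user: dict[str, list[datetime]] = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged: dict[str, int] = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def _signin(upn, app, country, compliant, managed, os_name, error_code=0):
    """Build a constructed sign-in record carrying only the fields the checks read."""
    return {
        "userPrincipalName": upn,
        "appDisplayName": app,
        "status": {"errorCode": error_code},
        "location": {"countryOrRegion": country},
        "deviceDetail": {"isCompliant": compliant, "isManaged": managed, "operatingSystem": os_name},
    }


SAMPLE_SIGNINS = [
    _signin("alice@contoso.example", "Office 365 Exchange Online", "US", True, True, "Windows 11"),
    _signin("bob@contoso.example", "Office 365 SharePoint Online", "US", False, False, "Windows 10"),
    _signin("carol@contoso.example", "Office 365 Exchange Online", "DE", True, True, "iOS"),
    # failed password attempt from an unmanaged device: not counted by either sign-in check
    _signin("dave@contoso.example", "Office 365 Exchange Online", "US", False, False, "Android", error_code=50126),
]

_BASE = datetime(2026, 4, 17, 13, 0, 0)
SAMPLE_AUDIT = [
    {"CreationTime": (_BASE + timedelta(seconds=5 * i)).isoformat(), "Operation": "FileDownloaded", "UserId": "bob@contoso.example"}
    for i in range(60)                         # 60 downloads in five minutes
] + [
    {"CreationTime": (_BASE + timedelta(hours=i)).isoformat(), "Operation": "FileDownloaded", "UserId": "alice@contoso.example"}
    for i in range(3)                          # normal daily use
]


def review(signins: list[dict], records: list[dict]) -> dict:
    """One call that produces the three alert lists for a daily review."""
    return {
        "unmanaged_device": unmanaged_device_signins(signins),
        "unusual_location": unusual_location_signins(signins),
        "mass_download": mass_downloads(records),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_SIGNINS, SAMPLE_AUDIT).items():
        print(f"{name}: {hits}")
```

A hit in the unmanaged-device list is also a Conditional Access finding: if the sign-in succeeded, either the device was not evaluated (legacy client, excluded user) or the policy is weaker than intended, so treat it as both an alert and a configuration check.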

Real-world small business scenarios

Scenario A — 10-person subcontractor using unmanaged Dropbox and personal email: Inventory shows 6 users using personal Dropbox. Immediate actions: (1) Block Dropbox OAuth for company accounts and add Dropbox to the deny list in your cloud access control; (2) provision a company-managed SharePoint/OneDrive site and migrate contract files; (3) enable MFA and conditional access to block unmanaged devices; (4) retrain staff with a short policy memo and require removal of contract files from personal accounts within 7 days, documented via signed attestation.

Scenario B — Employees using personal phones to check work email: Implement MDM/MAM with Microsoft Intune or Google endpoint management. Configure MAM policies to prevent copy/paste and file save to personal apps, enforce device encryption and screen lock, and enable selective wipe. If full MDM is not feasible, require enrollment in basic mobile management and forbid access from phones that do not meet minimum OS/patch levels. Log all mobile access and include mobile device incidents in the IR plan.

Risks of not implementing the control and compliance tips

Failure to control external systems increases the risk of data exfiltration, supply chain compromise, and loss of contracts, and an exposure of FCI may trigger notification duties under other clauses in your contract (FAR 52.204-21 itself lists safeguarding requirements and contains no incident-reporting clause). Practical tips: prioritize the controls that give the greatest risk reduction first (MFA plus blocking unmanaged devices), keep implementation documentation (policies, exception tickets, device inventory) for auditors, and automate enforcement where possible to reduce administrative overhead. Use vendor-provided baselines (for example, Microsoft Entra security defaults) as a starting point, and keep a quarterly review cadence for the device inventory and approved-app lists.

Summary: Control of external information systems under AC.L1-B.1.III can be achieved by combining clear policy, an inventory and approval workflow, technical enforcement (MFA, MDM/MAM, conditional access, encryption, DLP), and logging/incident readiness — all of which are achievable for small businesses with low-cost tools and disciplined operational practices. Implement the checklist steps above, document decisions and exceptions, and you will substantially reduce risk and be prepared to demonstrate compliance under the Compliance Framework.

 
