Third-party connections are one of the most common and overlooked attack vectors for small businesses working with the U.S. government; to comply with FAR 52.204-21 and CMMC 2.0 Level 1 (AC.L1-B.1.III) you must be able to map those connections, verify who/what is connecting, and restrict access to only what is necessary — this post gives a practical, step-by-step approach with concrete tool recommendations and small-business examples you can implement this week.
Step 1 — Discover and inventory all third-party connections
Begin by building an authoritative inventory of third-party connections: vendor VPN accounts, SSH/SFTP sessions, cloud IAM roles, API keys, contractor remote desktop, managed service provider (MSP) backdoors, IoT vendor endpoints, and any externally hosted services that integrate with your environment. Tools: run network discovery with Nmap or Masscan to find listening services, collect NetFlow or sFlow records from your edge router, use DHCP/IPAM (NetBox or phpIPAM) to map IPs to devices, and deploy lightweight endpoint inventory agents (Wazuh, osquery, or a commercial product like Lansweeper) to capture outbound connections and installed remote-management software.
Step 2 — Map connections and create a connectivity diagram
Create a simple but accurate connectivity diagram that shows trust boundaries: vendor systems, cloud providers, your DMZ, internal VLANs, management VLANs, and endpoints that process Federal Contract Information (FCI). For small businesses, a spreadsheet combined with NetBox or a simple Visio/Draw.io diagram is sufficient. Include: vendor identity (contracted party), connection type (VPN, API, SSH), endpoints involved, protocols and ports, purpose, authentication method, and approved time windows. This mapping lets you identify unnecessary access and scope enforcement points (firewalls, VPN gateways, jump hosts).
Step 3 — Implement technical restrictions (practical controls)
Apply principle-of-least-privilege technical controls: restrict access with firewall rules and ACLs to specific source IPs or vendor-assigned addresses, VLAN-segment FCI systems and management consoles, require vendor access through a bastion/jump host, enforce MFA for all vendor accounts (Duo, Okta, or native cloud MFA), and replace permanent credentials with time-limited methods (SSH certificates, cloud STS tokens, or AWS IAM roles with short-lived credentials). Tools like pfSense/OPNsense for edge firewalling, WireGuard or OpenVPN for per-vendor VPN tunnels, and Cloudflare Access/ZTNA solutions for SaaS and web apps help provide enforceable, auditable access paths.
Example: HVAC vendor remote access
Instead of giving an HVAC contractor direct access to your corporate network, create an "HVAC" VLAN that only allows the vendor's IPs to access the building automation controllers over the specific management ports, force their sessions through a jump host with MFA, and log all sessions with an audit agent (e.g., Bastion host session recording or OpenSSH audit logs forwarded to a central syslog). This isolates the vendor and prevents lateral movement if the vendor device is compromised.
Step 4 — Verify connections and prove compliance
Verification requires logging and periodic testing. Centralize logs (syslog, Windows Event Forwarding, or a cloud log service) and analyze outbound flows with a SIEM or lightweight aggregator (Splunk, AlienVault OSSIM, Elastic Stack). Periodically run the following checks: verify active VPN sessions and their source IPs, review the list of SSH public keys on critical servers, scan for open management ports from the internet, and validate vendor accounts in IAM for last-used timestamps and MFA status. Keep evidence: screenshots of ACLs, firewall rule exports, logs showing vendor connections, and vendor attestation forms to satisfy auditors.
Step 5 — Operationalize policy and vendor controls
Create a written access policy tied to your inventory: require a change control ticket for any new third-party access, require a documented business justification, set expiration dates on access, and require vendor-signed rules of engagement (ROE) that specify approved IPs, approved tools, session recording, and incident notification timelines. For small teams, enforce this via a simple ticketing workflow (Jira, ServiceNow, or even a dedicated spreadsheet + email approvals) and automate expirations by using time-limited credentials where possible.
Risks and consequences of failing to restrict third-party connections
Failing to map, verify, and restrict vendor connections increases the risk of data exfiltration, ransomware spread via MSP tools, lateral movement into FCI systems, and supply-chain compromise — all of which can lead to contract termination, reporting obligations under FAR 52.204-21, financial loss, and reputational damage. Small businesses are particularly vulnerable because vendors often reuse credentials or have weaker security postures; without segmentation and monitoring, one vendor compromise can become a breach of your FCI.
Summary: meet AC.L1-B.1.III by discovering and documenting all third-party connections, mapping them to trust boundaries, enforcing technical restrictions with VLANs/ACLs/MFA/jump hosts, verifying access with centralized logging and audits, and operationalizing those steps with documented policies and vendor agreements — practical, low-cost tools (Nmap, NetBox/phpIPAM, pfSense/OPNsense, WireGuard/OpenVPN, Wazuh/osquery, and a simple SIEM or log aggregator) let small businesses create auditable controls to satisfy FAR 52.204-21 and CMMC Level 1 while reducing real-world risk.
