Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-b.1.iii – Verify and control/limit connections to and use of external information systems.
Understanding the Requirement
This control from the FAR 52.204-21 / CMMC 2.0 Level 1 framework requires you to identify which external systems (personal phones and laptops, home or public Wi‑Fi, personal cloud storage and email, partner networks, etc.) your staff might connect to or use, verify whether those systems meet your security expectations, and enforce controls that prevent unauthorized use for company business, especially for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Practically, you must maintain an inventory of allowed external connections, prohibit use of unmanaged devices for CUI unless explicitly approved, and implement network and identity controls that verify a device's compliance state before granting it access, rather than trusting the user's credentials alone.
Technical Implementation
- Segment and protect your network: Deploy a perimeter firewall and create separate VLANs or subnets for corporate assets versus guest or unmanaged devices. Ensure the firewall enforces rules that block access from guest or public networks to systems that store or process CUI.
- Implement Network Access Control (NAC): For very small offices, MAC address filtering can restrict which known devices join the network, but treat it as an inventory aid rather than authentication, since a MAC address is trivially copied from an allowed device. As soon as practical, deploy 802.1X with a RADIUS server so that devices authenticate with certificates issued only to enrolled corporate hardware before they are placed on the corporate VLAN, and send unknown or failed devices to the guest or remediation VLAN.
- Use an MDM/endpoint compliance system: Enroll all company mobile devices and laptops in Mobile Device Management (MDM) or endpoint management. Enforce device encryption, PIN/passcode, up-to-date OS, and required security settings. Block or quarantine devices that fail compliance checks.
- Limit cloud and email access with conditional policies: Configure conditional access (for example, Microsoft 365 Conditional Access) to allow corporate resources only from domain‑joined or MDM‑compliant devices. Block syncing of corporate OneDrive or Exchange to unmanaged personal devices and prevent use of personal email for CUI.
- Define and enforce a clear BYOD and exception process: Publish a written policy stating that CUI must not be stored or processed on non‑company devices except through a documented approval process. Require security review, MDM enrollment, and written approval for any exception.
- Monitor, log, and verify connections: Enable logging on your firewall, NAC, and identity systems to detect attempts to access corporate resources from unmanaged devices. Periodically review access logs, run vulnerability scans on allowed endpoints, and perform audits to verify that controls are operating as intended.
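The monitoring step above is only useful if someone actually asks the logs the right question: which sign-ins came from devices that are neither MDM-compliant nor domain-joined, did Conditional Access block them, and if not, was a documented exception in force at the time? The script below is an added example for this page, not code from Microsoft or from any product; it runs offline over constructed records that mirror the shape of Entra ID sign-in log entries (the `deviceDetail` and `conditionalAccessStatus` fields), and the exception register of device IDs with expiration dates is hypothetical.

```python
"""Review Microsoft 365 sign-in records for access from devices that are neither
MDM-compliant nor domain-joined, and check each allowed exception against its
expiration date.

Added example for this page, not code from Microsoft or any vendor. The sample
records are constructed to mirror the shape of Entra ID sign-in log entries
(deviceDetail, conditionalAccessStatus); the exception register is hypothetical.
"""
from datetime import datetime

# Device trust types that satisfy the "domain-joined" grant control.
JOINED_TRUST_TYPES = {"Azure AD joined", "Hybrid Azure AD joined"}

# Hypothetical exception register: device ID -> last day the exception is valid.
APPROVED_EXCEPTIONS = {
    "contractor-lt-01": "2024-06-30",
    "contractor-lt-02": "2024-04-30",
}

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-06T13:02:11Z", "userPrincipalName": "jdoe@greenfield.example",
     "appDisplayName": "Exchange Online", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "corp-lt-017", "isCompliant": True, "isManaged": True,
                      "trustType": "Hybrid Azure AD joined"}},
    {"createdDateTime": "2024-05-06T13:05:40Z", "userPrincipalName": "asmith@greenfield.example",
     "appDisplayName": "Exchange Online", "ipAddress": "198.51.100.22",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False, "trustType": ""}},
    {"createdDateTime": "2024-05-06T14:10:05Z", "userPrincipalName": "ext.contractor1@greenfield.example",
     "appDisplayName": "OneDrive", "ipAddress": "192.0.2.77",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "contractor-lt-01", "isCompliant": False, "isManaged": False,
                      "trustType": "Azure AD registered"}},
    {"createdDateTime": "2024-05-06T14:12:30Z", "userPrincipalName": "ext.contractor2@greenfield.example",
     "appDisplayName": "OneDrive", "ipAddress": "192.0.2.78",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "contractor-lt-02", "isCompliant": False, "isManaged": False,
                      "trustType": "Azure AD registered"}},
    {"createdDateTime": "2024-05-06T15:01:00Z", "userPrincipalName": "bwong@greenfield.example",
     "appDisplayName": "SharePoint Online", "ipAddress": "203.0.113.55",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False, "trustType": ""}},
]


def is_approved_device(device):
    """Mirror the Conditional Access grant used in the text: compliant OR domain-joined.
    'Azure AD registered' (a personal device the user merely registered) does not count."""
    return bool(device.get("isCompliant")) or device.get("trustType") in JOINED_TRUST_TYPES


def parse_time(stamp):
    """Parse the UTC timestamp form used in sign-in logs (trailing Z)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def review_signins(records, exceptions):
    """Return one finding per sign-in from a non-approved device.

    severity 'info': the control worked (blocked) or an approved, unexpired exception applied.
    severity 'high': an unmanaged device reached a resource with no valid exception.
    """
    findings = []
    for rec in records:
        device = rec.get("deviceDetail", {})
        if is_approved_device(device):
            continue
        finding = {
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "app": rec["appDisplayName"],
            "device": device.get("deviceId") or "<unregistered>",
            "ip": rec["ipAddress"],
        }
        status = rec.get("conditionalAccessStatus")
        expiry = exceptions.get(device.get("deviceId"))
        signin_day = parse_time(rec["createdDateTime"]).date()
        if status == "failure":
            finding.update(severity="info", result="blocked by Conditional Access")
        elif expiry is not None and signin_day <= datetime.fromisoformat(expiry).date():
            finding.update(severity="info", result=f"allowed under exception valid through {expiry}")
        elif expiry is not None:
            finding.update(severity="high", result=f"exception expired {expiry} but access succeeded")
        elif status == "notApplied":
            finding.update(severity="high", result="no Conditional Access policy evaluated (policy gap)")
        else:
            finding.update(severity="high", result="unmanaged device reached resource without an exception")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_signins(SAMPLE_SIGNINS, APPROVED_EXCEPTIONS):
        print(f"[{f['severity']:4}] {f['time']} {f['user']:<38} {f['app']:<18} "
              f"{f['device']:<16} {f['result']}")
```

Two points the sample is built to show: a blocked attempt from a personal phone is evidence the control is working and belongs in the audit file, while a successful sign-in from an unmanaged device with `conditionalAccessStatus` of `notApplied` means no policy covered that user or app at all, which is a gap to fix rather than a user to counsel. Note also that "Azure AD registered" is not the same as joined; a personal device that a user self-registers must not satisfy the grant, which is why the check tests compliance or a joined trust type and nothing weaker.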
Example in a Small or Medium Business
Greenfield Engineering (45 employees) handles CUI for a federal subcontractor and needs to stop staff from using personal, unmanaged devices for CUI. IT deploys a new edge firewall and segments the network into corporate and guest VLANs; the guest VLAN has no route to the file servers. They enable 802.1X on their switches and use a small RADIUS server so only authenticated corporate devices can join the corporate VLAN. All company laptops and phones are enrolled in an MDM that enforces full‑disk encryption, a PIN, and regular patching; non‑compliant devices are placed on a remediation VLAN until they pass. The team configures Microsoft 365 Conditional Access to allow email and OneDrive only from devices that are domain‑joined or marked MDM‑compliant, and they block OneDrive sync from unmanaged machines. An employee who attempts to set up corporate email on a personal phone is rejected until the device is enrolled and encrypted; another employee who tries to upload files to personal cloud storage is blocked by a DLP rule. Management documents the exception process for contractors who require temporary access, records each approved exception with an expiration date, and reviews the sign-in logs against that register so an expired exception that is still in use is caught rather than assumed closed.
Summary
By combining clear written policy with network segmentation, NAC (802.1X or MAC filtering), MDM-based endpoint compliance, conditional access controls, and active logging, an SMB can identify external systems, verify their security posture, and limit connections or usage for CUI. These layered technical measures—backed by training and a formal exception process—ensure only approved, compliant devices can access sensitive resources and give you the visibility and controls needed to meet FAR 52.204-21 / CMMC 2.0 Level 1 requirements.