Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.20 – Verify and control/limit connections to and use of external information systems.
Understanding the Requirement
This control requires an organization to identify when its users or systems connect to, or use, external systems (systems outside its authorization boundary that it does not control, for example personal smartphones and laptops, hotel or kiosk computers, other organizations' networks, or consumer cloud file services), verify that each connection and use is permitted, and then control or limit it so that Controlled Unclassified Information (CUI) is not processed, stored, or transmitted on unauthorized systems. In practice this means keeping an inventory of approved external connections and uses, checking that they meet the organization's security requirements, and applying technical and policy controls that prevent unauthorized access or data movement. This guidance aligns with the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework and is focused on keeping CUI off non-approved systems unless a documented exception that meets security requirements exists.
Technical Implementation
- Inventory and policy baseline: Maintain a simple inventory of approved devices and external systems (including allowed cloud services). Publish a clear BYOD and remote access policy that states employees must not process CUI on non-approved devices and describes the exception process.
- Network segmentation and guest isolation: Use VLANs or separate SSIDs to isolate corporate resources from guest/consumer traffic. Ensure guest Wi‑Fi is on a separate network with no access to internal file shares or management interfaces.
- Network access control (NAC) / 802.1X: For larger sites, deploy 802.1X with a RADIUS server so that only authenticated corporate devices (ideally authenticated with device certificates via EAP-TLS rather than a shared password) can join the corporate LAN or Wi‑Fi; anything that fails authentication lands on the guest VLAN. For very small networks without 802.1X, WPA2/WPA3 with a strong passphrase plus a MAC address allow list of company devices is a pragmatic fallback, but treat MAC filtering as a deterrent only: MAC addresses are trivially spoofed, so it does not by itself verify a device and must be paired with the endpoint and identity checks below.
- Endpoint posture checks and Conditional Access: Enforce endpoint compliance before granting access. For Microsoft 365 customers, create Conditional Access policies that require a compliant (Intune-enrolled) or Microsoft Entra hybrid joined device, require MFA, and block legacy authentication protocols that cannot satisfy either check. Scope the device requirement to all cloud apps, including the OneDrive sync client and Exchange Online, so an unregistered device cannot reach CUI through an app the policy forgot to cover. Use posture checks on the VPN or cloud gateway to block endpoints that lack disk encryption, endpoint protection, or required patches.
- Mobile device management (MDM) and containerization: Require MDM enrollment for any smartphone or tablet that connects to corporate email or cloud storage. Use MDM to enforce a screen-lock PIN and device encryption, and use app protection (MAM) policies to keep corporate data inside managed apps and to block copy/paste, save-as, and sync of corporate files to personal apps and personal cloud accounts. Use managed containers for corporate data on BYOD so that a personal device can be selectively wiped without touching the owner's data.
- Logging, monitoring and exception handling: Log connections to cloud storage, email, and remote access systems (identity provider sign-in logs, VPN logs, and cloud audit logs), and alert on sign-ins from unregistered or non-compliant devices and on unusual sync or download volumes. Require a documented, approved exception, with a named owner, a ticket reference, and an expiry date, for any external device that will process CUI. Periodically review the approved device list and the open exceptions, and revoke access when a device falls out of compliance or an exception lapses.
Example in a Small or Medium Business
Acme Engineering handles CUI for government contracts and recently rolled out a policy banning CUI on personal devices. The IT team created an approved device list and used a small cloud access security broker (CASB) together with Microsoft Conditional Access to block OneDrive sync from unregistered machines. When an engineer tries to sync her corporate OneDrive to a personal laptop, the sync is blocked and she sees a message explaining the policy and how to request an exception. For mobile access, Acme requires employees to enroll phones in MDM, which enforces a PIN and device encryption; only enrolled phones can receive corporate email via Exchange Online. The network is segmented: the guest Wi‑Fi used by contractors is isolated and cannot reach file servers or the VPN concentrator. IT reviews sign-in and sync logs weekly to spot attempted access from unknown devices, and a simple ticket-based exception process grants temporary, audited access to approved contractors who pass the security checks. Managers and IT review the approved device inventory and the open exceptions quarterly to remove stale entries and reduce risk.
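A worked example of the weekly review described in the monitoring bullet above and in Acme's process, added here as illustration and not taken from the page or from any vendor tool: it cross-checks sign-in records against an approved-device inventory and a ticketed exception register with expiry dates, then counts sync/download events per user per day to catch bulk pulls. Field names are loosely modelled on Entra ID sign-in and SharePoint/OneDrive audit logs, but every record, device ID, ticket number, address and error code below is constructed for the example.

```python
"""Weekly review of external-device connections against the approved inventory and
exception register.  Added example: every record below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 5, 10)   # date the weekly review is run (constructed)

# Approved device inventory (constructed): device_id -> owner, as exported from MDM/IdP.
APPROVED_DEVICES = {"dev-1001": "alice@acme.example", "dev-1002": "bob@acme.example"}

# Exception register (constructed): ticketed, time-limited approvals for external devices.
EXCEPTIONS = [
    {"device_id": "ext-7001", "user": "contractor@vendor.example", "ticket": "CHG-0418",
     "expires": date(2024, 6, 30)},
    {"device_id": "ext-7002", "user": "dave@acme.example", "ticket": "CHG-0390",
     "expires": date(2024, 4, 1)},
]

def sign_in(user, app, when, device_id, compliant, error_code=0):
    """Build a record shaped loosely like an Entra ID sign-in log entry (constructed)."""
    return {"userPrincipalName": user, "appDisplayName": app, "createdDateTime": when,
            "deviceDetail": {"deviceId": device_id, "isCompliant": compliant},
            "status": {"errorCode": error_code}}   # non-zero errorCode = sign-in was blocked

SIGN_INS = [
    sign_in("alice@acme.example", "OneDrive SyncEngine", "2024-05-06T09:12:00Z", "dev-1001", True),
    sign_in("bob@acme.example", "Exchange Online", "2024-05-06T10:01:00Z", "dev-1002", False),
    sign_in("carol@acme.example", "OneDrive SyncEngine", "2024-05-06T11:30:00Z", "", False, 53000),
    sign_in("contractor@vendor.example", "SharePoint Online", "2024-05-07T08:00:00Z", "ext-7001", False),
    sign_in("dave@acme.example", "SharePoint Online", "2024-05-07T08:05:00Z", "ext-7002", False),
    sign_in("eve@acme.example", "Exchange Online", "2024-05-08T07:45:00Z", "", False),
]

# Audit log records (constructed): 40 full-sync downloads by one user in one day, plus normal
# activity.  Operation names follow the SharePoint/OneDrive audit schema (assumed here).
SYNC_OPS = {"FileSyncDownloadedFull", "FileDownloaded"}
AUDIT_LOG = [{"UserId": "carol@acme.example", "Operation": "FileSyncDownloadedFull",
              "CreationTime": f"2024-05-06T12:{m:02d}:00Z"} for m in range(40)] + [
    {"UserId": "alice@acme.example", "Operation": "FileDownloaded",
     "CreationTime": "2024-05-06T09:20:00Z"},
    {"UserId": "alice@acme.example", "Operation": "FileAccessed",
     "CreationTime": "2024-05-06T09:21:00Z"},
]

@dataclass(frozen=True)
class Finding:
    severity: str  # high = control gap, medium = revoke access, low = blocked attempt, info = audited
    user: str
    device_id: str
    app: str
    when: str
    reason: str

def find_exception(exceptions, device_id, user):
    """Return the exception entry covering this device/user pair, or None."""
    return next((ex for ex in exceptions
                 if ex["device_id"] == device_id and ex["user"] == user), None)

def review_sign_ins(sign_ins, approved, exceptions, as_of):
    """Classify each sign-in; approved, compliant devices produce no finding."""
    findings = []
    for rec in sign_ins:
        user, app, when = rec["userPrincipalName"], rec["appDisplayName"], rec["createdDateTime"]
        dev = rec["deviceDetail"].get("deviceId") or ""
        compliant = bool(rec["deviceDetail"].get("isCompliant"))
        blocked = rec["status"]["errorCode"] != 0
        if dev in approved:
            if compliant:
                continue
            sev, why = "medium", "approved device out of compliance; revoke until remediated"
        else:
            ex = find_exception(exceptions, dev, user)
            if ex is None and blocked:
                sev, why = "low", "unregistered device blocked (attempted external connection)"
            elif ex is None:
                sev, why = "high", "unregistered device ALLOWED: access policy gap"
            elif ex["expires"] < as_of:
                sev, why = "high", f"exception {ex['ticket']} expired {ex['expires'].isoformat()}"
            else:
                sev, why = "info", f"external device under exception {ex['ticket']} (audited)"
        findings.append(Finding(sev, user, dev or "<none>", app, when, why))
    return findings

def unusual_downloads(audit_log, threshold):
    """(user, day, count) for every user whose sync/download events in one day exceed threshold."""
    counts = Counter()
    for rec in audit_log:
        if rec["Operation"] in SYNC_OPS:
            counts[(rec["UserId"], rec["CreationTime"][:10])] += 1
    return sorted((u, d, n) for (u, d), n in counts.items() if n > threshold)

def expired_exceptions(exceptions, as_of):
    """Tickets whose approval has lapsed: remove them from the register at the quarterly review."""
    return [ex["ticket"] for ex in exceptions if ex["expires"] < as_of]

if __name__ == "__main__":
    for f in review_sign_ins(SIGN_INS, APPROVED_DEVICES, EXCEPTIONS, REVIEW_DATE):
        print(f"[{f.severity}] {f.when} {f.user} device={f.device_id} app={f.app}: {f.reason}")
    print(unusual_downloads(AUDIT_LOG, 25), expired_exceptions(EXCEPTIONS, REVIEW_DATE))
```

On the constructed data the review yields five findings: Bob's approved laptop has fallen out of compliance (revoke), Carol's unregistered device was correctly blocked (an attempt worth noting), the contractor is covered by a live exception (audited, no action), Dave is still using a device whose exception lapsed in April, and Eve reached Exchange Online from an unregistered device that nothing blocked, which is the finding that points at a gap in the access policy itself. The download count flags Carol's 40 full-sync pulls in one day. The exception check is deliberately keyed on the device and user together so that a ticket approving one contractor's laptop cannot be reused by someone else on the same hardware.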
Summary
Combining clear policy (no CUI on personal devices unless approved) with technical controls—network segmentation, NAC/802.1X (or, on the smallest networks, MAC allow lists as a weak fallback), Conditional Access, MDM, and log monitoring—lets SMBs reliably identify, verify, and control connections to external information systems. These measures prevent unauthorized processing of CUI, provide an auditable, time-limited exception process, and keep corporate resources accessible only to approved, compliant devices.