GRCWatch
Sign inStart free trial

AC.L2-3.1.20: Verify and Control External Connections

External connections expose your organization to supply chain risks and unauthorized access. CMMC Level 2 control AC.L2-3.1.20 requires you to verify and actively limit who and what can connect to your systems from outside your organization. This control is critical for protecting sensitive unclassified information (CUI) in the defense industrial base.

What this means

You must establish policies and technical controls that verify the identity and legitimacy of external connections before allowing access to your information systems. This means implementing mechanisms to authenticate external users and systems, limiting the number and scope of external connections, monitoring ongoing access, and promptly disabling connections that are no longer needed or authorized.

How to comply

  1. 1.Document all approved external connections and the business justifications for each
  2. 2.Implement network controls (firewalls, VPNs, secure gateways) to restrict and monitor external access
  3. 3.Require multi-factor authentication for all external user connections
  4. 4.Establish a process to review and re-authorize external connections on a defined schedule
  5. 5.Disable or terminate connections immediately when they are no longer required
  6. 6.Log and audit all external connection attempts and activities
  7. 7.Use encryption for all external data transmissions

Evidence auditors look for

  • External connection policy document listing approved systems and users
  • Firewall rules and network access control lists (ACLs) restricting external traffic
  • VPN configuration documentation with authentication requirements
  • List of active external connections with authorization dates and business purpose
  • Connection review and re-authorization logs (at least quarterly)
  • Multi-factor authentication implementation records
  • Firewall and security gateway logs showing connection attempts and denials

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates external connection inventory, tracks authorization expiration dates, and flags stale connections for removal—eliminating manual spreadsheet management and ensuring you never miss a re-certification deadline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 (Access Control Policy)AC.L2-3.1.2 (Authorized Access)SI.L2-3.14.1 (Information System Monitoring)