NetStable
Level 2 AC.L2-3.1.20

Verify and control/limit connections to and use of external systems

📖 What This Means

This control requires organizations to monitor and restrict how their internal systems connect to external systems (like cloud services, vendors, or partner networks). It's about ensuring that only authorized external connections are allowed and that they're used properly to prevent data leaks or unauthorized access. Think of it like a bouncer at a club—only approved guests get in, and their activities are watched while inside. For example, if your company uses a cloud storage provider, this control ensures only employees who need it can access it, and their file transfers are logged. Another example: restricting which websites employees can visit from work computers to prevent malware infections.

🎯 Why It Matters

Uncontrolled external connections are a top attack vector—60% of breaches originate from third-party vulnerabilities (Verizon DBIR 2023). A defense contractor had CUI stolen when an employee's compromised personal Dropbox account synced with work files. The DoD cares because uncontrolled external access can lead to data exfiltration, supply chain attacks, or lateral movement by adversaries. A single misconfigured API connection to a vendor could expose your entire network. Average breach cost for SMBs is $3.9M (IBM), not including lost contracts from compliance failures.

How to Implement

  1. In AWS/Azure/GCP, enable VPC Flow Logs and route all traffic through a cloud firewall (AWS Network Firewall/Azure Firewall)
  2. Configure Service Control Policies (AWS) or Azure Policy to restrict which external SaaS APIs can be accessed
  3. Implement a Cloud Access Security Broker (CASB) such as Microsoft Defender for Cloud Apps to monitor external SaaS usage
  4. Require VPN or PrivateLink for all cloud-to-on-prem connections (no public internet)
  5. Set up alerts for unusual external data transfers (e.g., >500MB to personal storage)
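Steps 1 and 5 together amount to a detection job: read the flow logs, keep only accepted internal-to-external flows, compare the destinations against the authorized external-system inventory (the list Question 1 below asks for), and alert when the volume to any destination crosses the threshold. The following script is an added example, not NetStable's tooling or any cloud provider's code. It assumes the AWS VPC Flow Logs default (version 2) record layout; the log lines, the inventory CIDRs, and the vendor names are constructed for the demonstration, and the 500 MB threshold is the figure the guide suggests.

```python
"""Review VPC flow logs for egress to unauthorized external systems and for
large transfers.  Added illustration with constructed data."""
import ipaddress
from collections import defaultdict

# Constructed inventory of authorized external systems (hypothetical vendors).
# Destination CIDR -> vendor/purpose, i.e. the columns Question 1 asks for.
AUTHORIZED_EXTERNAL = {
    "203.0.113.0/24": "VendorCo SFTP (contract data exchange)",
    "198.51.100.10/32": "Approved backup SaaS",
}

# Constructed sample in the AWS VPC Flow Logs default (version 2) layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.8 49152 22 6 4000 5242880 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.10 49153 443 6 900 1048576 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 192.0.2.77 49154 443 6 300000 419430400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 192.0.2.77 49155 443 6 200000 314572800 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.2.5 49156 445 6 1000 2048000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.40 192.0.2.9 49157 443 6 10 800 1700000000 1700000060 REJECT OK
"""

LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # the ">500MB" alert threshold from the guide

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTHORIZED_NETS = {ipaddress.ip_network(c): name for c, name in AUTHORIZED_EXTERNAL.items()}


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[0] != "2":
            continue
        records.append({
            "src": ipaddress.ip_address(fields[3]),
            "dst": ipaddress.ip_address(fields[4]),
            "dstport": int(fields[6]),
            "bytes": int(fields[9]),
            "action": fields[12],
        })
    return records


def is_internal(addr):
    """True for RFC 1918 addresses, i.e. traffic that never left the VPC."""
    return any(addr in net for net in PRIVATE_NETS)


def authorized_system(addr):
    """Return the inventory entry that covers addr, or None if it is not authorized."""
    addr = ipaddress.ip_address(addr)
    for net, name in AUTHORIZED_NETS.items():
        if addr in net:
            return name
    return None


def review_egress(text, threshold=LARGE_TRANSFER_BYTES):
    """Return (finding, src, dst, total_bytes) tuples for accepted egress flows.

    Volume is summed per (src, dst) pair so a transfer split across many short
    flows still trips the threshold.
    """
    volume = defaultdict(int)
    for r in parse_flow_log(text):
        # Only accepted internal -> external flows are relevant to this control.
        if r["action"] != "ACCEPT" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        volume[(r["src"], r["dst"])] += r["bytes"]

    findings = []
    for (src, dst), total in volume.items():
        if authorized_system(dst) is None:
            findings.append(("UNAUTHORIZED_DESTINATION", str(src), str(dst), total))
        if total > threshold:
            findings.append(("LARGE_TRANSFER", str(src), str(dst), total))
    return findings


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_FLOW_LOGS):
        print(*finding)
```

On the constructed data the two authorized destinations produce nothing, the internal SMB flow and the rejected flow are ignored, and the two flows to 192.0.2.77 are reported twice: once because the address is not in the inventory and once because their combined volume (about 700 MB) exceeds the threshold. In production the inventory would be loaded from the spreadsheet Question 1 describes and the findings forwarded to the SIEM rather than printed.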
⏱️ Estimated Effort

2-3 days for basic implementation (mid-level network admin), plus ongoing monitoring. Cloud-native setups are faster (1 day with pre-built templates).

📋 Evidence Examples

Firewall Rule Export

Format: CSV/PDF
Frequency: Quarterly or after changes
Contents: All rules allowing outbound traffic, with business justification for each
Collection: Export from firewall admin console

CASB Alert Logs

Format: Screenshot/PDF report
Frequency: Monthly
Contents: Shows blocked unauthorized SaaS access attempts
Collection: Export from CASB dashboard

External Access Policy

Format: Word/PDF
Frequency: Annual review
Contents: Defines approved external systems and access procedures
Collection: Policy document signed by CISO

VPN Connection Logs

Format: SIEM export
Frequency: Weekly
Contents: Timestamps, users, and external IPs for all VPN connections
Collection: Automated SIEM report

Third-Party Risk Assessment

Format: Excel/PDF
Frequency: Annual per vendor
Contents: Security reviews of vendors with system access
Collection: Questionnaire completed by vendor

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.20 ("Verify and control/limit connections to and use of external systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.20 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to verify and control/limit connections to and use of external systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.20 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to verify and control/limit connections to and use of external systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.20 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where the requirement to verify and control/limit connections to and use of external systems applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.20
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we maintain an up-to-date list of all authorized external systems (cloud/SaaS/vendors) with business justification?

✅ YES → Proceed to Q2
❌ NO → GAP: Create an external system inventory spreadsheet with owner, purpose, and data types shared. Complete within 2 weeks.
Remediation:
Template: Columns should include Vendor Name, System Purpose, Data Classification, Access Method, Owner

Question 2: Are all outbound connections logged and reviewed for anomalies?

✅ YES → Proceed to Q3
❌ NO → GAP: Enable firewall/VPN logging and configure SIEM alerts for large data transfers. Implement within 30 days.
Remediation:
Quick Win: Use free Wazuh SIEM to start collecting firewall logs immediately

Question 3: Is access to external storage (Dropbox, Google Drive) blocked or monitored?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure firewall to block personal storage domains or deploy CASB. Critical for CUI environments - complete in 14 days.
Remediation:
Emergency Fix: Temporarily block *.dropbox.com at firewall while implementing CASB

Question 4: Do we re-verify third-party system security annually?

✅ YES → Proceed to Q5
❌ NO → GAP: Send security questionnaires to all vendors with access. Complete within 60 days.
Remediation:
Template: Use standardized CAIQ questionnaire from CSA

Question 5: Are employees trained on approved external system usage annually?

✅ YES → COMPLIANT
❌ NO → GAP: Add external system policies to security awareness training. Next scheduled training must include this.
Remediation:
Quick Fix: Add 10-minute module to existing training with quiz questions

⚠️ Common Mistakes (What Auditors Flag)

1. Allowing 'any any' outbound firewall rules

Why this happens: Ease of use is prioritized over security
How to avoid: Implement a default-deny outbound policy with explicit allow rules, each with a recorded business justification
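The Firewall Rule Export evidence item above asks for every outbound allow rule with a business justification, and this mistake is exactly what an assessor reads that export for. The script below is an added example (not NetStable's tooling or any firewall vendor's export format) that audits such an export. The column names and the rows are constructed; real exports differ by vendor, so the `WILDCARDS` set and the column mapping are the parts to adapt.

```python
"""Audit a CSV firewall rule export for findings an assessor would flag:
'any any' outbound permits, overly broad rules, missing justifications, and
the absence of a default-deny outbound rule.  Constructed sample data."""
import csv
import io

# Constructed export.  Column names are assumed for the example.
SAMPLE_RULE_EXPORT = """\
rule_id,direction,action,source,destination,service,justification
10,outbound,allow,10.0.0.0/8,203.0.113.0/24,tcp/22,VendorCo SFTP contract data exchange
20,outbound,allow,any,any,any,
30,outbound,allow,10.0.1.0/24,198.51.100.10,tcp/443,Approved backup SaaS
40,outbound,allow,10.0.2.0/24,any,tcp/443,
50,inbound,allow,any,10.0.5.10,tcp/443,Public web server
60,outbound,deny,any,any,any,Default deny outbound
"""

# Spellings of "match everything" seen in exports; extend per vendor.
WILDCARDS = {"any", "*", "0.0.0.0/0", "all"}
MATCH_FIELDS = ("source", "destination", "service")


def is_wildcard(value):
    return value.strip().lower() in WILDCARDS


def outbound_rules(csv_text):
    """Yield rows for outbound rules only; inbound rules belong to other controls."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["direction"].strip().lower() == "outbound":
            yield row


def audit_rules(csv_text):
    """Return (rule_id, finding, detail) tuples for outbound allow rules."""
    findings = []
    for row in outbound_rules(csv_text):
        if row["action"].strip().lower() != "allow":
            continue
        wide = [f for f in MATCH_FIELDS if is_wildcard(row[f])]
        if len(wide) == len(MATCH_FIELDS):
            findings.append((row["rule_id"], "ANY_ANY_OUTBOUND", "permits all outbound traffic"))
        elif wide:
            findings.append((row["rule_id"], "OVERLY_BROAD", "wildcard in " + ", ".join(wide)))
        if not row["justification"].strip():
            findings.append((row["rule_id"], "NO_JUSTIFICATION", "no business justification recorded"))
    return findings


def has_default_deny(csv_text):
    """True if some outbound rule denies traffic matching every field."""
    return any(
        row["action"].strip().lower() == "deny" and all(is_wildcard(row[f]) for f in MATCH_FIELDS)
        for row in outbound_rules(csv_text)
    )


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULE_EXPORT):
        print(*finding)
    print("default-deny outbound present:", has_default_deny(SAMPLE_RULE_EXPORT))
```

On the sample, rule 20 is the 'any any' permit and rule 40 is flagged for its wildcard destination; both also lack a justification, while rules 10 and 30 pass and the inbound rule is out of scope. Rule ordering is not evaluated here: a default-deny that sits above a broad allow in the vendor's precedence order may not behave as expected, so the presence check is a starting point, not a substitute for the quarterly test in mistake 4.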

2. No monitoring of SaaS-to-SaaS connections

Why this happens: Focus only on traditional network perimeters
How to avoid: Deploy CASB to monitor OAuth connections between cloud apps

3. Missing documentation for vendor access

Why this happens: Informal arrangements with trusted partners
How to avoid: Require MOU for all third-party access detailing security requirements

4. Not testing external connection controls

Why this happens: Assuming 'set and forget' configurations work
How to avoid: Quarterly tests: Try accessing blocked services and verify alerts trigger

5. Personal devices accessing CUI via unapproved cloud apps

Why this happens: Lack of mobile device policies
How to avoid: MDM solution to prevent unauthorized app installations on work devices

📚 Parent Policy

This practice is governed by the Access Control Policy


📚 Related Controls