December 3, 2025
Understanding External Connections
Here's another one of the most misunderstood controls in CMMC, and this is a requirement for both L1 and L2! Let's start with the control and its associated assessment objectives (AOs) from the L1 and L2 Assessment Guides:
AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA]
AC.L2-3.1.20 – EXTERNAL CONNECTIONS [CUI DATA]
Verify and control/limit connections to and use of external systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
First, what exactly is an external system?
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements.... This requirement also addresses the use of external systems for the processing, storage, or transmission of FCI/CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Ah, interesting. I've seen SSPs that claim there are no external connections, but it's because they misunderstood, thinking it had to be something like a VPN to a third-party network. I've also seen people complaining "We have to list every website?!!?" Nope, you're going too far the other way. (Hint: The whole Internet is *never* in scope. Run when someone says this. It means they don't understand the controls.)
So what really qualifies as an external system for this control and how?
It's about the data. Does this external system process, store or transmit (p/s/t) protected data (FCI or CUI)?
So you need to look at all the authorized cloud services in your organization and decide which ones are used to p/s/t your data, and which ones are used for which types of data (e.g., Public, Company Proprietary, Customer Data, FCI, CUI, PHI, PII).
Common examples of external systems are Adobe CS, Dropbox, AutoCAD, ERP, Accounting, etc.
To meet this control and its AOs, you need to:
- conduct security assessments on all external systems to determine which data type(s) may be p/s/t there
- maintain a list of approved external systems and which data type(s) may be p/s/t there
- post the list in a place where all employees can reference it
- include the contents and location of this list in employee training
- demonstrate how you control/limit connections to and use of these external systems (firewall, anyone?)
Et voilà! Now you understand external connections.
Still not sure? Ping me!
A Lead CCA’s Breakdown of How to Prepare for a Level 2 Assessment
If you missed this webinar, the recording is available on YouTube
A practical discussion on what organizations can do to prepare for CMMC Level 2 assessments — directly from a Lead CCA’s perspective.
Key Takeaways:
- How to structure and organize your readiness efforts before engaging with a C3PAO
- Common pitfalls that slow down assessment progress (and how to avoid them)
- Real-world tips to make your assessment process more efficient and effective
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

