NIST SP 800-171 & CMMC 2.0 Control 3.1.20 Requirement:

Verify and control/limit connections to and use of external information systems.

NIST SP 800-171 & CMMC 2.0 3.1.20 Requirement Explanation:

External systems generally include personal smartphones, tablets and laptops. Other examples include a computer in a hotel lobby or a personal cloud storage service. Employees should not be processing “Federal Contract Information” (FCI) or “Controlled Unclassified Information” (CUI) on non-company external systems. An exception to this rule can be made if the device meets your security requirements and has been approved for use.

Example NIST SP 800-171 & CMMC 2.0 3.1.20 Implementation:

Deploy a firewall on your network to separate your systems from external networks. Only allow authorized computers and devices to connect to your corporate network. This can be accomplished using Mac address filtering (on a small network) or technologies like 802.1X on a larger network. Inform employees that they are only authorized to use company-provided devices to store, process, or transmit controlled unclassified information. If you use Microsoft. 365, you can limit access to Microsoft 365 resources to only domain-joined computers.

NIST SP 800-171 & CMMC 2.0 3.1.20 Scenario(s):

- Scenario 1:

It is Sunday morning and Bob has an important report to finish for a federal client. Unfortunately for Bob his password has expired and he can't access his work computer. He is also unable to reach the IT team for a password reset. Bob emails his report containing FCI to his personal email account and finishes the report using his personal computer. He emails the finished report to his manager using his personal email account. Bob has put “Federal Contract Information” (FCI) at risk by using his personal devices and email. Bob's manager warns Bob and informs the security team of the incident.

- Scenario 2:

Bob wants to sync his corporate OneDrive to his personal laptop to bypass the new security controls IT has implemented. When Bob attempts to sync his corporate OneDrive he receives a message saying that the sync was blocked by his administrator. Bob is thus forced to use his corporate laptop.

- Scenario 3:

Bob wants to configure his corporate email on his personal smartphone. When trying to setup email on his phone he receives an error message stating that he needs to set up a pin code and enable encryption on his phone. Bob creates a pin code and enables encryption. He is now able to set up corporate email on his phone because it meets his company's security requirements.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.