Control Connections to External Systems
Official citation: 3.1.20
Class: core · Severity: high
Statement of the obligation — verify against source
3.1.20
What it means
Verify, control, and limit how your systems connect to and use external systems: systems or components over which you have no direct supervision or authority to apply security requirements and controls, or to judge whether those controls work. Examples are personally owned devices, privately owned computing and communications devices in commercial or public facilities, and cloud services (IaaS, PaaS, SaaS) accessed from your systems to process, store, or transmit CUI.

Establish terms and conditions for using each external system, in line with your security policies. At minimum, those terms state which types of applications may be accessed on the external system from your systems and the highest security category of information that may be processed, stored, or transmitted there. Where you cannot establish such terms with the owner of an external system, restrict your personnel from using it. Confidence that an external system has adequate controls can come from third-party assessments or attestations.

Note that 'external' is judged from the perspective of a given system, not only from the organization's boundary: an internal system that does not handle CUI, or one subject to different CUI access restrictions, may be 'external' to the system that does.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.