CMMC AC.1.003 – Limit External Connections

CMMC AC.1.003 – Limit External Connections

Requirement text: AC.1.003: Verify and control/limit connections to and use of external information systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of Federally Contracted Information, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. 

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of Federally Contracted Information across an organization, the organization may have systems that process Federally Contracted Information and others that do not. And among the systems that process Federally Contracted Information there are likely access restrictions for Federally Contracted Information that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.

CMMC CLARIFICATION
Make sure to control and manage connections between your company network and outside networks, such as the public internet or a network that does not belong to your company. Be aware of applications that can be run by outside systems. Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information. You can also choose to limit how and when your network is connected to outside systems and/or decide that only certain employees can connect to outside systems from network resources

Example
You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.

Get Audit Ready

How to pass? Keep your company network and computers separated from other businesses or the home network. Have your own internet router and don’t let other companies share it. Only use company computers for working on Federal contracts, never home computers, and never public computers.

How to fail? Sharing a WI-FI network with another business in the same building, so that their computers can communicate with your computers. If someone was network savvy, they could use this to eavesdrop on your internet browsing, or try to hack your computer directly. Using a personal laptop or tablet to work on a Federal contract. This puts sensitive information onto a device that isn’t secure.

References
• FAR Clause 52.204-21 b.1.iii
• NIST SP 800-171 Rev 1 3.1.20
• CIS Controls v7.1 12.1, 12.4
• NIST CSF v1.1 ID.AM-4, PR.AC-3
• CERT RMM v1.2 EXD:SG3.SP1
• NIST SP 800-53 Rev 4 AC-20, AC-20(1)

    • Related Articles

    • Access Control: SP 800-171 Security Family 3.1

      Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:       • use information,       • use information processing services, and       • enter company facilities.  System-based ...
    • CMMC AC.1.001 – Limit Information System Access

      Requirement text: AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Access control ...
    • CMMC AC.2.006 - Limit Storage Devices

      Requirement text: AC.2.006: Limit use of portable storage devices on external systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2  Limits on the use of organization-controlled portable storage devices in external systems include complete ...
    • CMMC SC.3.184 - Prevent Remote Devices from Split Tunneling Network Connections

      Requirement text: SC.3.184: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). DISCUSSION ...
    • CMMC AC.3.020 - Control Mobile Connections

      Requirement text: AC.3.020: Control connection of mobile devices. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is ...