
AC.L2-3.1.20[b] — Access Control (External Connections)

Domain: Access Control (AC)  |  Practice: AC.L2-3.1.20  |  Objective ID: 3.1.20[b]  |  Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2

Assessment Objective:

The use of external systems is identified.

Executive Summary (For Leadership and the Board)

CMMC objective AC.L2-3.1.20[b] sits inside the Access Control domain (AC.L2-3.1.20 — External Connections) and reads: "The use of external systems is identified." Document how external systems are used in relation to CUI — what data is shared, what access is granted, and what the business justification is. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.

Under DFARS 252.204-7012, AC.L2-3.1.20[b] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.

Business Questions and What Leadership Must Confirm

Business Question: Do we have a documented, owned, and current implementation for the requirement that the use of external systems is identified?
What Leadership Must Confirm: A named control owner exists, the implementation is documented in the SSP, and a defined review cadence is in force.

Business Question: Can we produce evidence that this objective is operating effectively across every CUI-bearing system in scope?
What Leadership Must Confirm: Artifacts (logs, tickets, config exports, attestations) are collected on a defined cadence and tied back to AC.L2-3.1.20[b].

Business Question: What happens if this control fails or drifts out of compliance?
What Leadership Must Confirm: A documented detection, escalation, and remediation path exists, with the vCSO as the executive backstop.

Business Question: Can we prove this objective to a C3PAO?
What Leadership Must Confirm: The evidence package — policy, configuration, monitoring output, and recertification records — is pre-built and mapped directly to AC.L2-3.1.20[b].