Skip to main content

AC.L2-3.1.20Verify and limit external system connections

Verify and control/limit connections to and use of external systems.

Verbatim NIST SP 800-171 Rev 2 requirement text (3.1.20).

SPRS weight: 1 ptNot POA&M-eligible — must fix before assessmentAlso in CMMC Level 16 assessment objectives

How it's scored

1 point deducted from your SPRS score if unmet.

AC.L2-3.1.20 can never sit on a POA&M, regardless of your score: it is one of the six requirements 32 CFR 170.21(a)(2) excludes from Plans of Action & Milestones at conditional certification. It must be fully implemented before a Level 2 assessment can succeed.

What an assessor checks: the 6 assessment objectives

NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks AC.L2-3.1.20 MET only when every applicable objective is satisfied — and examines evidence, not assertions.

ObjectiveDetermination statement
3.1.20[a]connections to external systems are identified.
3.1.20[b]use of external systems is identified.
3.1.20[c]connections to external systems are verified.
3.1.20[d]use of external systems is verified.
3.1.20[e]connections to external systems are controlled/limited.
3.1.20[f]use of external systems is controlled/limited.

Where do you stand on AC.L2-3.1.20?

The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.

Get your free Muster Score →

Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.