Evidence – AC.L2-3.1.20
Verify and Control Connections to External Systems
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.20, which requires verification and control of connections to external systems.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Connections to external systems are identified and approved
- Unauthorized external connections are restricted
- Access to external systems is controlled by policy and configuration
Evidence Artifacts
1. External Connection Controls
Evidence demonstrating controlled external connections may include:
- Restrictions on connecting to external cloud services
- Conditional Access policies governing third-party or external access
- Approval requirements for integrations or external connections
Examples of acceptable sources:
- Microsoft Entra ID Conditional Access policies for external access
- Microsoft 365 tenant settings restricting third-party integrations
- Google Workspace Admin Console external access and app controls
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
External system connections must be explicitly approved and controlled to prevent unauthorized data exchange.