“Verify and control/limit connections to and use of external systems.” — NIST SP 800-171 Rev. 2, 3.1.20
If there’s one control that highlights how much your cybersecurity depends on trust, it’s this one.
Control 3.1.20 requires organizations to verify and control their connections to external systems—in other words, to know exactly who their systems are talking to, and to make sure those connections are necessary, approved, and secure.
This might sound like something your IT team or service provider handles, but this control goes deeper than firewall rules or VPN tunnels. It’s about who you trust, why you trust them, and how that trust is managed.
During an assessment, a C3PAO evaluates whether your organization has:
We’re not just checking if your provider uses secure technology—we’re checking if you know what those connections represent and have made conscious, informed decisions about them.
From a shared responsibility perspective, this control sits squarely on the OSC. Your service providers can manage and maintain technical configurations, but the authorization of those connections—the decision to allow them—must come from your organization. This can be nuanced when coordinating with multiple vendors, who themselves may present multiple cloud or service solutions to your organization.
Many organizations work with multiple external providers: a cloud hosting company, an MSP managing endpoints, a specialized enclave provider, perhaps even a third-party consultant who accesses systems for compliance work.
Each of these relationships creates a point of connection—and a potential point of risk.
When things go well, these partnerships form the backbone of your compliance journey. But when responsibility isn’t clear, they can quickly become liabilities.
That’s why trust in cybersecurity must be structured and documented, not assumed.
Leaders must be able to answer:
If you can’t answer those questions confidently, your trust is based on assumption—not verification.
As a leader, you don’t need to understand every line of a firewall configuration, but you do need to ensure your organization has defined rules for connecting to external systems.
This typically includes:
Your SRM plays a key role here. It should show that your organization authorizes external connections, while providers enforce and manage them.
That balance reflects a healthy trust relationship: both sides understand their roles, and neither assumes the other “has it handled.”
When C3PAOs review these relationships, they look for evidence that you’ve taken ownership of authorization and oversight. If you can articulate why each connection exists, who approved it, and how it’s monitored, it demonstrates both control and maturity.
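One way to keep the evidence described above (defined rules for external connections, and for each connection why it exists, who approved it, and how it is monitored) in a form you can check, as an added Python example that is not part of the original post: it reconciles a constructed authorization register against a constructed summary of observed flows and reports the gaps an assessor would ask about. The field names and sample addresses are assumptions.

```python
from datetime import date

# Constructed register of authorized external connections, the record the OSC owns
# under 3.1.20. Each entry carries the facts an assessor asks for. Field names are assumed.
AUTHORIZED = [
    {"dest": "203.0.113.10", "port": 443, "purpose": "cloud hosting API",
     "approved_by": "CISO", "expires": "2026-06-30", "monitored_by": "MSP SIEM"},
    {"dest": "198.51.100.20", "port": 22, "purpose": "MSP endpoint management",
     "approved_by": "CISO", "expires": "2024-12-31", "monitored_by": "MSP SIEM"},
    {"dest": "192.0.2.30", "port": 443, "purpose": "consultant compliance portal",
     "approved_by": "", "expires": "2026-01-31", "monitored_by": ""},
    {"dest": "203.0.113.50", "port": 443, "purpose": "legacy vendor portal",
     "approved_by": "CISO", "expires": "2026-12-31", "monitored_by": "MSP SIEM"},
]

# Constructed summary of observed outbound flows, e.g. distilled from firewall logs.
OBSERVED = [
    ("203.0.113.10", 443),
    ("198.51.100.20", 22),
    ("192.0.2.30", 443),
    ("198.51.100.99", 3389),
]


def review_connections(authorized, observed, today_iso):
    """Compare observed flows with the register; today_iso is the review date (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    findings = []
    index = {(a["dest"], a["port"]): a for a in authorized}
    seen = set()
    for dest, port in observed:
        target = f"{dest}:{port}"
        entry = index.get((dest, port))
        if entry is None:
            # Traffic the organization never authorized: the core 3.1.20 gap.
            findings.append(("UNAUTHORIZED", target, "no approval on record"))
            continue
        seen.add((dest, port))
        if date.fromisoformat(entry["expires"]) < today:
            findings.append(("EXPIRED", target, entry["purpose"]))
        if not entry["approved_by"]:
            findings.append(("NO_APPROVER", target, entry["purpose"]))
        if not entry["monitored_by"]:
            findings.append(("UNMONITORED", target, entry["purpose"]))
    # Authorized but never used: ask whether the connection is still necessary.
    for key, entry in index.items():
        if key not in seen:
            findings.append(("DORMANT", f"{key[0]}:{key[1]}", entry["purpose"]))
    return findings
```

Each finding maps to a question a leader should be able to answer: who approved this, is the approval still current, who is watching it, and is it still needed.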
Cybersecurity isn’t just about protection; it’s about governance.
You can’t have strong governance without clear, documented trust.
Every external system you connect to represents a relationship, and every relationship carries shared risk. Managing that risk is your responsibility.
Your service providers can build, secure, and maintain the connection—but only you can decide whether it should exist.
The organizations that do best in assessments are those that can say, “Yes, we trust our providers—and here’s exactly why.”
That’s the kind of confidence that doesn’t just pass an audit. It protects your mission.