SC.L1-3.13.5 Public-Access System Separation

CMMC Practice SC.L1-3.13.5 – Public-Access System Separation: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Links to Publicly Available Resources

Discussion [NIST SP 800-171 R2]
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloudbased technologies.
NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.

Further Discussion
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place internal systems on the same network as the publicly accessible systems and block access by default from DMZ networks to internal networks.
One method of accomplishing this is to create a DMZ network, which enhances security by providing public access to a specific set of resources while preventing connections from those resources to the rest of the IT environment. Some contractors achieve a similar result through the use of a cloud computing environment that is separated from the rest of the company’s infrastructure.