SC.L2-3.13.5: Separate Public-Access Systems from Internal Networks
Public-facing systems create unique security risks that demand isolation from your sensitive internal infrastructure. CMMC Level 2 control SC.L2-3.13.5 requires you to implement subnetworks that physically or logically separate publicly accessible components from your core network. This control is essential for any organization handling controlled unclassified information (CUI) that operates internet-facing applications.
What this means
This control requires you to create isolated network segments (subnetworks) for any systems or components that are directly accessible from the internet or public networks. These public-facing systems must be separated from your internal network through either physical segmentation (separate hardware/networks) or logical segmentation (VLANs, firewalls, access control lists). The goal is to contain the blast radius if a public system is compromised, preventing attackers from easily pivoting into sensitive internal systems and data.
How to comply
- 1.Identify all systems and components that are publicly accessible, including web servers, APIs, email gateways, and remote access portals
- 2.Design a network architecture that isolates public-facing systems into a separate subnetwork or demilitarized zone (DMZ)
- 3.Implement physical separation using dedicated network hardware, or logical separation using VLANs, firewalls, and access control rules
- 4.Configure strict firewall rules that control traffic between the public subnetwork and internal networks, allowing only necessary communication
- 5.Deploy monitoring and logging on the boundary between public and internal networks to detect suspicious traffic patterns
- 6.Document your network segmentation architecture, including diagrams showing subnetwork boundaries and traffic flow rules
- 7.Conduct regular testing to verify that public systems cannot access internal resources without explicit authorization
Evidence auditors look for
- Network topology diagrams showing physical or logical separation of public-facing components
- Firewall configurations and access control lists (ACLs) restricting traffic between public and internal networks
- VLAN configurations isolating public systems within their own broadcast domains
- DMZ architecture documentation with defined ingress/egress rules
- Network segmentation test results confirming public systems cannot reach internal resources
- Change management records for network separation implementations
- Security group configurations in cloud environments isolating public instances
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch maps your network architecture to SC.L2-3.13.5 requirements and auto-generates firewall rule documentation, DMZ configuration checklists, and segmentation test templates—cutting implementation time from weeks to days.
See how GRCWatch handles this control automatically
Start free trial