GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.13.5: Public Access Network Separation

Control 3.13.5 requires organizations to implement subnetworks that physically or logically separate publicly accessible system components from internal networks. This segmentation is critical for protecting sensitive data and limiting lateral movement during security incidents. Proper network isolation reduces attack surface and ensures public-facing systems cannot directly access confidential resources.

What this means

This control mandates network architecture that prevents direct communication between public-facing systems and internal infrastructure. Organizations must implement DMZs (demilitarized zones), VLANs, firewalls, or cloud security groups to create isolated network boundaries. Only authorized traffic flows between network segments through controlled access points, ensuring that a compromise of a public component cannot automatically grant access to internal systems.

How to comply

  1. 1.Design network topology with physically or logically separate subnetworks for public-facing components
  2. 2.Deploy firewalls or network access control lists (ACLs) to restrict traffic between public and internal networks
  3. 3.Implement VLANs or virtual network segmentation for logical separation when physical isolation is not feasible
  4. 4.Document network architecture and data flows between public and internal segments
  5. 5.Configure ingress/egress rules that permit only necessary communication channels
  6. 6.Implement bastion hosts or jump servers for administrative access to internal systems from public networks
  7. 7.Monitor and audit traffic crossing network boundaries for unauthorized attempts
  8. 8.Test segmentation controls regularly through network assessments and penetration testing

Evidence auditors look for

  • Network diagrams showing DMZ architecture and segmentation boundaries
  • Firewall rule documentation and access control list configurations
  • VLAN assignments and network segmentation policy
  • Cloud security group configurations isolating public subnets from private resources
  • VPN or bastion host configurations for administrative access control
  • Network access control policies and change management records
  • Penetration test reports validating network isolation effectiveness
  • Traffic flow analysis and monitoring logs confirming segmentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates network architecture documentation and continuously monitors firewall rules and security group configurations to verify public-private network separation remains in place and compliant.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.13.1 — Information System Boundaries3.13.2 — Boundary Protection Mechanisms3.13.3 — Boundary Protections Monitoring3.13.4 — Unauthorized Remote Access