Reference: CMMC v2.13
Family: SC
Level Introduced: 2
Title: Public-Access System Separation [CUI Data]
Practice:
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Further Discussion:
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place internal systems on the same network as the publicly accessible systems and block access by default from DMZ networks to internal networks.
One method of accomplishing this is to create a DMZ network, which enhances security by providing public access to a specific set of resources while preventing connections from those resources to the rest of the IT environment. Some OSAs achieve a similar result through the use of a cloud computing environment that is separated from the rest of the company’s infrastructure.
Example
The head of recruiting at your company wants to launch a website to post job openings and allow the public to download an application form [a]. After some discussion, your team realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the server separately from the company’s internal network and make sure the network on which it resides is isolated with the proper firewall rules [b].
Potential Assessment Considerations
• Are any system components reachable by the public (e.g., internet-facing web servers, VPN gateways, publicly accessible cloud services) [a]?
• Are publicly accessible system components on physically or logically separated subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such as DMZs) [b]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-171 Requirements v2 (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.