cmmc-sc-2 | High priority | System & Comms Protection / Network Segmentation

Implement subnetworks for publicly accessible system components

System components that must be accessible from the internet, such as web servers, API gateways, and email servers, should reside in a network segment (often called a DMZ or screened subnet) that is physically or logically separated from the internal network where FCI is processed. This architecture ensures that a compromised public-facing component cannot directly reach your internal systems: attackers must breach a second security boundary to access FCI.

Implementation steps

  1. Identify public-facing system components

     List all system components that must accept connections from the internet: web servers, API endpoints, email servers, VPN concentrators, and any other externally accessible services. These components need to be isolated from internal systems handling FCI.

     Tools: confluence, excel

  2. Design and implement DMZ architecture

     Place public-facing components in a DMZ network segment separated from your internal network by a firewall or equivalent control. In cloud environments, use separate VPCs or subnets with security group rules that restrict traffic between the public tier and internal tiers. The DMZ should be able to reach the internet and the specific internal services it needs, but not freely roam the internal network.

     Tools: aws-vpc, azure-vnet, palo-alto, cisco-asa

  3. Define and enforce inter-zone traffic rules

     Configure firewall rules that explicitly permit only the specific traffic that must flow between the DMZ and internal network (for example, a web server in the DMZ calling an internal application server on a specific port). Block all other traffic between zones. Log all inter-zone traffic for monitoring.

     Tools: palo-alto, aws-security-groups, azure-firewall

  4. Ensure FCI systems are not in the DMZ

     Verify that systems or storage that contain FCI are not in the public-facing DMZ segment. If a public-facing system needs to access FCI data, the data should be retrieved from an internal system through a controlled interface, not stored directly on the public-facing component.

     Tools: aws-vpc, confluence
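As an added example (not part of this control page or of any vendor's tooling), the following Python script checks a small inventory against steps 2 through 4: no internet-sourced rule may reach an internal-zone group, a DMZ-to-internal rule must be pinned to specific ports rather than "all traffic", and no resource in the DMZ may store FCI. The resource and rule records are constructed samples written in an AWS security-group style; their field names and the zone labels are assumptions, not an export from a real environment.

```python
from ipaddress import ip_network

# Constructed sample inventory, not from any real environment. Each resource
# sits in one zone ("dmz" or "internal"), is attached to one security group,
# and is flagged if it stores FCI. share-01 is a deliberate violation.
RESOURCES = [
    {"name": "web-01",   "zone": "dmz",      "sg": "sg-web", "stores_fci": False},
    {"name": "app-01",   "zone": "internal", "sg": "sg-app", "stores_fci": False},
    {"name": "db-01",    "zone": "internal", "sg": "sg-db",  "stores_fci": True},
    {"name": "share-01", "zone": "dmz",      "sg": "sg-web", "stores_fci": True},
]

# Constructed inbound rules in AWS security-group style: "source" is a CIDR or
# another group id; proto "-1" means all protocols and ports. The last two
# rules are deliberate violations (DMZ->internal all traffic; internet->internal).
RULES = [
    {"sg": "sg-web", "source": "0.0.0.0/0", "proto": "tcp", "from": 443,  "to": 443},
    {"sg": "sg-app", "source": "sg-web",    "proto": "tcp", "from": 8443, "to": 8443},
    {"sg": "sg-db",  "source": "sg-app",    "proto": "tcp", "from": 5432, "to": 5432},
    {"sg": "sg-db",  "source": "sg-web",    "proto": "-1",  "from": None, "to": None},
    {"sg": "sg-app", "source": "0.0.0.0/0", "proto": "tcp", "from": 22,   "to": 22},
]

PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internet_source(source):
    """True when source is a CIDR outside RFC 1918 / ULA space (e.g. 0.0.0.0/0)."""
    try:
        net = ip_network(source, strict=False)
    except ValueError:
        return False  # a security group id, not a CIDR
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)


def check_segmentation(resources, rules):
    """Return one finding string per violation of the three inter-zone requirements."""
    zones_of = {}  # security group id -> set of zones whose members use it
    for r in resources:
        zones_of.setdefault(r["sg"], set()).add(r["zone"])
    findings = [f"{r['name']}: FCI stored on a DMZ component"
                for r in resources if r["zone"] == "dmz" and r["stores_fci"]]
    for rule in rules:
        src, target_zones = rule["source"], zones_of.get(rule["sg"], set())
        if "internal" not in target_zones:
            continue  # rules into the DMZ itself are outside these checks
        if is_internet_source(src):
            findings.append(f"{rule['sg']}: internet source {src} reaches internal zone")
        elif "dmz" in zones_of.get(src, set()):
            if rule["proto"] == "-1" or (rule["from"] == 0 and rule["to"] == 65535):
                findings.append(f"{rule['sg']}: DMZ group {src} allowed all traffic; pin to a port")
    return findings


if __name__ == "__main__":
    for finding in check_segmentation(RESOURCES, RULES):
        print("FINDING:", finding)
```

Pointing `RESOURCES` and `RULES` at a real security group export (for example the output of `aws ec2 describe-security-groups`, mapped into these fields) turns this into a repeatable piece of the "Inter-zone firewall rules" evidence below.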

Evidence required

Network segmentation diagram

A current network diagram showing DMZ and internal network segments and the controls between them.

  • Network architecture diagram with DMZ labeled
  • VPC/subnet diagram with security group rules

Inter-zone firewall rules

Evidence of firewall or security group rules controlling traffic between DMZ and internal segments.

  • Firewall rule export showing inter-zone rules
  • AWS security group rules between public and private subnets

Verification that FCI is not in DMZ

Evidence confirming that FCI is not stored on public-facing DMZ components.

  • Data flow diagram showing FCI location
  • Configuration review showing DMZ systems do not store FCI

Related controls