SC.L1-3.13.5: Public-Access System Separation
Protecting your internal network from external threats starts with strategic isolation. CMMC Level 1 control SC.L1-3.13.5 requires you to separate publicly accessible systems from your internal infrastructure using physical or logical segmentation. This fundamental network hygiene measure prevents unauthorized lateral movement and limits blast radius if a public-facing system is compromised.
What this means
This control mandates creating distinct network segments (subnetworks) for any systems, applications, or services that are accessible from the internet or untrusted networks. These public-access systems must be isolated from your internal network through either physical separation (different hardware, air-gapped networks) or logical separation (VLANs, firewalls, network access control lists). The goal is to establish a security perimeter that prevents a compromised public system from directly accessing sensitive internal assets, databases, or employee workstations.
How to comply
- 1.Inventory all systems and applications exposed to the internet or public access, including web servers, email gateways, VPN endpoints, and cloud-hosted services
- 2.Design a network architecture that separates public-access systems into a demilitarized zone (DMZ) or screened subnet
- 3.Implement physical separation where feasible (dedicated hardware, isolated network segments) or use logical controls (VLANs, network access control lists, stateful firewalls)
- 4.Configure firewall rules to restrict communication between public-access subnetworks and internal networks, allowing only necessary traffic on required ports and protocols
- 5.Deploy intrusion detection or prevention systems at the boundary between public-access and internal networks
- 6.Document your network topology, segmentation design, and access control policies
- 7.Test segmentation controls regularly to ensure public systems cannot reach internal resources without authorization
- 8.Monitor and log traffic crossing network boundaries to detect unauthorized access attempts
Evidence auditors look for
- Network diagram showing DMZ or screened subnet architecture with public-access systems isolated from internal networks
- Firewall configuration files documenting rules that restrict east-west traffic between public and internal segments
- VLAN configuration documentation showing logical separation of public-access systems
- Network access control lists (ACLs) limiting inter-network communication
- Intrusion detection/prevention system (IDS/IPS) logs showing monitoring at network boundaries
- Network segmentation test results demonstrating that public-access systems cannot directly communicate with internal resources
- Documented network topology and data flow diagrams
- Change management records for network segmentation updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates network segmentation verification by collecting your firewall configurations, VLAN settings, and access control lists—then validates that public-access systems are properly isolated and flags deviations from your segmentation policy in real-time.
See how GRCWatch handles this control automatically
Start free trial