SC.L1-3.13.5 — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What this control requires
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Source: CMMC L1 v2.13 SC.L1-3.13.5 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.13.5 (official control text).
Why this matters
Public-facing systems like web servers, email gateways, and VPN endpoints are attractive attack targets. If compromised, they can become launchpads into your internal network where sensitive data and critical systems reside. A demilitarized zone (DMZ) creates a buffer that isolates these internet-exposed components from your internal network. Attackers who breach a DMZ system hit another security boundary before reaching internal resources. This layered defense drastically reduces the blast radius of a successful perimeter attack and prevents lateral movement into protected systems containing CUI.
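An added example, not part of the original page or of any product it mentions: a Python check over a constructed host inventory and firewall rule list that flags what this control rules out, namely public hosts sitting outside the DMZ subnet and allow rules that let outside traffic, or broad DMZ traffic, reach the internal subnet. The host names, RFC 1918 addresses and rule tuple format are assumptions; each allow rule is checked on its own and rule ordering is not modelled.

```python
import ipaddress as ip

# Constructed sample data (hypothetical host names, RFC 1918 addresses).
ZONES = {"dmz": ip.ip_network("10.0.100.0/24"),
         "internal": ip.ip_network("10.0.10.0/24")}
HOSTS = [  # (name, address, publicly_accessible)
    ("web01", "10.0.100.10", True),
    ("vpn01", "10.0.100.20", True),
    ("mail-gw", "10.0.10.25", True),    # misplaced: public host on internal subnet
    ("fileserver", "10.0.10.50", False),
]
RULES = [  # (source, destination, port, action); "any" means 0.0.0.0/0
    ("any", "10.0.100.10/32", "443", "allow"),
    ("any", "10.0.10.25/32", "25", "allow"),            # outside straight to internal
    ("10.0.100.0/24", "10.0.10.0/24", "any", "allow"),  # DMZ to internal, unrestricted
    ("10.0.100.10/32", "10.0.10.50/32", "445", "allow"),
    ("any", "any", "any", "deny"),
]

def net(spec):
    return ip.ip_network("0.0.0.0/0" if spec == "any" else spec)

def zone_of(address, zones):
    return next((z for z, n in zones.items() if ip.ip_address(address) in n), None)

def audit(zones, hosts, rules):
    """Return findings; every allow rule is judged alone (no first-match logic)."""
    findings = []
    dmz, internal = zones["dmz"], zones["internal"]
    if dmz.overlaps(internal):
        findings.append("DMZ and internal subnets overlap")
    for name, addr, public in hosts:
        if public and zone_of(addr, zones) != "dmz":
            findings.append(f"public host {name} ({addr}) is not in the DMZ subnet")
    for src, dst, port, action in rules:
        s, d = net(src), net(dst)
        if action != "allow" or not d.overlaps(internal):
            continue  # only allow rules that can touch the internal subnet matter
        if not s.subnet_of(dmz) and not s.subnet_of(internal):
            findings.append(f"{src} -> {dst}:{port} lets outside traffic reach internal")
        elif s.subnet_of(dmz) and (port == "any" or internal.subnet_of(d)):
            findings.append(f"{src} -> {dst}:{port} opens DMZ-to-internal too broadly")
    return findings

if __name__ == "__main__":
    for finding in audit(ZONES, HOSTS, RULES):
        print(finding)
```

The single narrow DMZ-to-internal rule (one host, one port) passes; the output of a clean run alongside the rule export is the kind of configuration evidence the control calls for.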
What evidence assessors expect
Assessors typically look for: screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.