SC.L2-3.13.5 — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What this control requires
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Source: CMMC L2 v2.13 SC.L2-3.13.5 / NIST SP 800-171 R2 3.13.5 (official control text).
Why this matters
Public-facing systems—web servers, email gateways, customer portals—are constant attack targets. Without isolation, a compromised public server becomes a beachhead into your internal network where sensitive CUI and business systems reside. This control mandates a demilitarized zone (DMZ): a quarantined network segment where public services run, separated by firewalls that strictly limit what can traverse into internal networks. Proper DMZ architecture ensures that even if an attacker breaches your public-facing application, they remain trapped in the outer zone, unable to pivot to file servers, databases, or workstations containing controlled unclassified information.
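One way to check the separation described above against a firewall configuration export, shown as an added example that is not part of the original page or of FORCE. The rule format, the addresses, the first-match-wins ordering and the single approved DMZ-to-database flow are all assumptions made for illustration.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed sample export (not from a real firewall); evaluated top-down, first match wins.
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0",    "dst": "192.0.2.0/28",  "port": 443},
    {"id": 2, "action": "allow", "src": "192.0.2.0/28", "dst": "10.20.0.15/32", "port": 5432},
    {"id": 3, "action": "allow", "src": "192.0.2.0/24", "dst": "0.0.0.0/0",     "port": "any"},
    {"id": 4, "action": "deny",  "src": "192.0.2.0/28", "dst": "10.0.0.0/8",    "port": "any"},
    {"id": 5, "action": "allow", "src": "10.0.0.0/8",   "dst": "192.0.2.0/28",  "port": 22},
]
DMZ = ["192.0.2.0/28"]                 # assumed public-facing subnet
INTERNAL = ["10.0.0.0/8"]              # assumed internal address space
APPROVED = {("10.20.0.15/32", 5432)}   # assumed documented DMZ -> internal flow

def audit_dmz_rules(rules, dmz, internal, approved):
    """Return (findings, has_boundary_deny) for an ordered rule list."""
    dmz_nets = [net(n) for n in dmz]
    int_nets = [net(n) for n in internal]
    findings = []
    for r in rules:
        src, dst = net(r["src"]), net(r["dst"])
        from_dmz = any(src.overlaps(n) for n in dmz_nets)
        to_internal = any(dst.overlaps(n) for n in int_nets)
        if not (from_dmz and to_internal):
            continue  # rule does not carry DMZ-originated traffic inward
        if r["action"] == "deny":
            covers = (r["port"] == "any"
                      and all(src.supernet_of(n) for n in dmz_nets)
                      and all(dst.supernet_of(n) for n in int_nets))
            if covers:
                return findings, True  # everything below is shadowed
            continue
        # An allow that can reach internal space and is not a documented flow.
        if (r["dst"], r["port"]) not in approved:
            findings.append((r["id"], f'{r["src"]} -> {r["dst"]} port {r["port"]}'))
    return findings, False  # no blanket DMZ -> internal deny was found

if __name__ == "__main__":
    found, has_deny = audit_dmz_rules(RULES, DMZ, INTERNAL, APPROVED)
    for rule_id, flow in found:
        print(f"rule {rule_id}: unapproved DMZ -> internal allow ({flow})")
    print("blanket DMZ -> internal deny present:", has_deny)
```

In the sample, rule 3 is flagged because it sits above the deny and its any-to-any scope includes the internal range, while the narrow database flow in rule 2 passes as approved.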
What evidence assessors expect
Assessors typically look for screenshots and configuration exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.