NIST SP 800-171 Rev 2 requirement 3.13.5 mandates that organizations implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Publicly accessible components include web servers, DNS servers, email gateways, VPN concentrators, and any other system element reachable from the public internet. The separation is typically achieved through a demilitarized zone (DMZ) architecture using firewalls, routers with access control lists, or virtual LAN (VLAN) configurations that enforce boundary controls between the public-facing segment and the internal network. This practice ensures that if a publicly accessible component is compromised, an adversary does not gain direct, unfettered access to internal systems where CUI resides. The requirement applies regardless of whether the separation is accomplished through dedicated hardware or logical network controls, as long as the isolation is verifiable and enforced.
Where it stops · what it isn't
- This practice does not define specific firewall rule sets or access control policies governing traffic between the DMZ and internal networks; those are addressed by SC-L2-3.13.1 (boundary protection).
- This practice does not govern the encryption of data in transit between network segments; that is covered by SC-L2-3.13.8.
- This practice does not address wireless network segmentation specifically; wireless controls fall under SC-L2-3.13.15.
- This practice does not require the elimination of all connectivity between the DMZ and internal networks; it requires controlled, enforced separation rather than complete isolation.
- This practice does not cover internal segmentation between CUI systems and non-CUI internal systems; it is specifically scoped to publicly accessible components versus internal networks.
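As an added example (not part of this cubelet and not NIST's own material), the following Python check models what an assessor verifying 3.13.5 would look for: every publicly accessible host sits in a DMZ subnet, and the first-match rule set between the DMZ and internal subnets grants no any-port path inward, while a narrowly scoped allow (the controlled connectivity the last caveat above permits) passes. The subnets, hosts and rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"  # wildcard in a rule field
@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule; src/dst are CIDRs or ANY, dport is port text or ANY."""
    src: str
    dst: str
    dport: str
    action: str  # "allow" or "deny"
def _net(field):
    return None if field == ANY else ipaddress.ip_network(field, strict=False)

def _overlaps(field, net):  # rule field touches any part of the subnet
    return _net(field) is None or _net(field).overlaps(net)

def _contains(field, net):  # rule field covers the whole subnet
    return _net(field) is None or net.subnet_of(_net(field))

def unfettered_paths(dmz_nets, internal_nets, rules):
    """(dmz, internal, rule) triples where an allow grants any-port access from a DMZ
    subnet into an internal subnet before any deny that fully shadows that pair."""
    findings = []
    for d in dmz_nets:
        for i in internal_nets:
            for r in rules:
                if r.action == "deny" and _contains(r.src, d) and _contains(r.dst, i):
                    break  # pair explicitly blocked; later allows never match
                if (r.action == "allow" and r.dport == ANY
                        and _overlaps(r.src, d) and _overlaps(r.dst, i)):
                    findings.append((str(d), str(i), r))
                    break
    return findings

def misplaced_public_hosts(public_hosts, dmz_nets):
    """Publicly accessible hosts that sit outside every DMZ subnet."""
    return [h for h in public_hosts
            if not any(ipaddress.ip_address(h) in n for n in dmz_nets)]

# Constructed sample topology and rule set (not taken from any real environment).
DMZ = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL = [ipaddress.ip_network("10.10.0.0/16")]
PUBLIC_HOSTS = ["192.0.2.10", "10.10.5.20"]  # web server; a mail gateway left internal
RULES = [
    Rule("192.0.2.10/32", "10.10.20.5/32", "5432", "allow"),  # narrow web -> db: acceptable
    Rule("192.0.2.0/24", "10.10.0.0/16", ANY, "allow"),        # broad allow defeats separation
    Rule(ANY, ANY, ANY, "deny"),
]
```

Running `unfettered_paths(DMZ, INTERNAL, RULES)` flags only the broad any-port rule, and `misplaced_public_hosts(PUBLIC_HOSTS, DMZ)` flags the host that was never moved into the DMZ.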