CMMC SC.1.176 – Segment Systems and Networks

Requirement text:

SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.

NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.

CMMC CLARIFICATION
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place the internal systems on the same network as the publicly accessible systems.

A network, or part of a network, that is separated (sometimes physically) from an internal network is called a demilitarized zone (DMZ). A DMZ is a host or network segment placed in a “neutral zone” between an organization’s internal network (the protected side) and a larger, untrusted network such as the internet. To separate a subnetwork, your company places boundary control devices (e.g., routers, gateways, firewalls) between the segments. The same separation can be built in a cloud environment, where the publicly accessible components are placed in their own network segment that is isolated from the rest of the cloud network.

A DMZ adds a layer of protection for your company’s LAN: an external host can reach only the DMZ services that the boundary device explicitly permits, and the DMZ hosts themselves are given only the narrow access to the internal network that they actually need. If a public-facing server is compromised, the attacker still has to cross a second boundary to reach internal systems.

Physical separation might involve separate network infrastructure: dedicated network equipment with its own LAN segments, a firewall between the internal network and the DMZ segment, and a firewall between the DMZ segment and the internet. Logical separation might use a VLAN for the DMZ, supporting a separate subnet with routing and access controls between subnets. A VLAN on its own is not separation; the requirement is met only when the device that routes between the VLANs enforces rules restricting which traffic may cross from the DMZ into the internal network.

Example
The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ to do this. You host the server separately from the company’s internal network, and make sure the network has the correct security firewall rules. Your company gets a lot of great candidates for the open jobs, and the company’s internal network is protected.

Get Audit Ready

How to pass? Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely.

How to fail? Modify your firewall so that it forwards traffic from the internet directly to one of your internal computers or devices. This is called “opening a port” (or port forwarding) and exposes that computer, and everything it can reach on the internal network, to internet attacks. Publicly accessible services belong in the DMZ behind their own firewall rules, never on the internal network.
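To make the three-zone separation described above and this pass/fail distinction concrete, here is an added example (not from the original article or from any CMMC/NIST publication) that models a boundary device’s zone policy in Python: a first-match rule evaluator plus an audit check that flags any rule letting internet traffic reach the internal network, or giving the DMZ unrestricted access inward. The address ranges, the recruiting-site rule set, the database port 5432 and the RDP port forward in the failing policy are all assumed for illustration.

```python
"""Zone-based model of a DMZ firewall policy with an SC.1.176 audit check.

Added example: zones, addresses and rules are constructed for illustration
and are not taken from the article or from any NIST/CMMC publication.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing: DMZ and internal networks use RFC 1918 space;
# any address outside them is treated as the internet.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name ('dmz', 'internal' or 'internet')."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"
    comment: str = ""


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation of a flow; anything unmatched is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[Tuple[int, str, Rule]]:
    """Flag rules that defeat the separation SC.1.176 asks for.

    Two patterns are reported: an allow from the internet into the internal
    zone (the 'opening a port' failure), and an allow from the DMZ into the
    internal zone on every port (a compromised public server would then
    have free run of the inside). Rules are checked as written, not by
    effective reachability, so a shadowed allow is still reported.
    """
    findings = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if rule.src_zone == "internet" and rule.dst_zone == "internal":
            findings.append((index, "internet traffic reaches the internal network", rule))
        elif rule.src_zone == "dmz" and rule.dst_zone == "internal" and rule.dst_port is None:
            findings.append((index, "DMZ has unrestricted access to the internal network", rule))
    return findings


# Compliant policy for the recruiting web server in the article's example.
# The database rule on 5432 is an assumed back-end dependency, included to
# show how narrow any DMZ-to-internal exception should be.
GOOD_POLICY = [
    Rule("internet", "dmz", 443, "allow", "public HTTPS to the recruiting web server"),
    Rule("internet", "dmz", 80, "allow", "HTTP, redirected to HTTPS by the server"),
    Rule("internet", "internal", None, "deny", "nothing from the internet reaches the inside"),
    Rule("dmz", "internal", 5432, "allow", "web tier to the job-postings database only (assumed)"),
    Rule("dmz", "internal", None, "deny", "a compromised DMZ host gets nothing else"),
    Rule("internal", "dmz", None, "allow", "administration and deployment from inside"),
    Rule("internal", "internet", None, "allow", "outbound access, normally through a proxy"),
]

# The 'how to fail' case: a port forward from the internet straight to an
# internal workstation, placed at the top where it takes precedence.
BAD_POLICY = [Rule("internet", "internal", 3389, "allow", "RDP port forward to a workstation")] + GOOD_POLICY


def main() -> None:
    flows = [
        ("203.0.113.7", "10.10.0.10", 443),   # public user to web server
        ("203.0.113.7", "10.20.1.5", 3389),   # attacker to internal workstation
        ("10.10.0.10", "10.20.1.5", 445),     # compromised web server to file share
        ("10.10.0.10", "10.20.5.20", 5432),   # web server to its database
    ]
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name)
        for src, dst, port in flows:
            print(f"  {src} -> {dst}:{port}: {evaluate(policy, src, dst, port)}")
        for index, reason, rule in audit(policy):
            print(f"  FINDING rule {index}: {reason} ({rule.comment})")


if __name__ == "__main__":
    main()
```

Running it shows the compliant policy passing the audit with the attacker’s RDP attempt denied, while the port-forwarded policy lets that same flow through and produces one finding at rule 0. The audit flags rules as written rather than effective reachability, so a shadowed allow is still reported; that is deliberate, since a latent rule becomes live the moment someone reorders the set.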


Reference
• FAR Clause 52.204-21 b.1.xi
• NIST SP 800-171 Rev 1 3.13.5
• CIS Controls v7.1 14.1
• NIST CSF v1.1 PR.AC-5
• NIST SP 800-53 Rev 4 SC-7
• UK NCSC Cyber Essentials
