Meeting NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 control SC.L2-3.13.5 requires creating subnetworks and DMZs that logically or physically separate internet-facing services from internal systems handling Controlled Unclassified Information (CUI); this post gives practical, small-business-ready steps to design, implement, test, and document a compliant DMZ and segmented subnet architecture.
Design principles and compliance objectives
At a high level, SC.L2-3.13.5 seeks to reduce risk by isolating public-facing components (web servers, TLS termination, reverse proxies, vendor access points) from internal application and data stores. For this practice, your objectives are: define trust boundaries, implement least-privilege network flows across those boundaries, log and monitor traffic crossing them, and document the controls in your System Security Plan (SSP) with supporting evidence (firewall rule sets, diagrams, test reports). The architecture must be defensible to an assessor and practical for operations.
Common DMZ and segmentation patterns (with small-business examples)
Choose a pattern that fits your environment: (1) classic on-prem DMZ: external firewall -> DMZ VLAN -> internal firewall -> internal VLANs; (2) dual-firewall approach, where the external and internal firewalls come from different vendors for defense in depth; (3) cloud VPC pattern: public subnet (load balancer/ALB) -> private subnets (app servers, databases) with NAT gateways and security groups. Example: a small web development company can host the public marketing site in a DMZ (10.0.1.0/24) while keeping internal servers with CUI in 10.0.2.0/24 and management in 10.0.3.0/28; in AWS, use an ALB in the public subnet that forwards only to app servers in private subnets, with the DB reachable only from the app servers on port 5432.
Subnetting, firewall rules and concrete technical controls
Define CIDRs and routing intentionally, for example DMZ 10.0.1.0/24, internal apps 10.0.2.0/24, management/jump host 10.0.3.0/28. Implement a default-deny posture on both perimeter and internal firewalls. Example rule set (pseudo): permit TCP/443 from ANY to 10.0.1.10 (web proxy), stateful; permit TCP/8080 from 10.0.1.0/24 (DMZ) to 10.0.2.10 (app) only, so the proxy terminates TLS on 443 and forwards to the app on 8080; permit TCP/22 (SSH) to 10.0.3.10 (bastion) only from corporate VPN IP ranges, with MFA enforced for the users; deny all inbound to 10.0.2.0/24 from the Internet. Where DMZ hosts must initiate connections to internal services, route them through NAT or a reverse proxy rather than exposing internal addresses directly, and place a WAF in front of web-facing endpoints for application-layer protection.
Step-by-step implementation for a small business (actionable)
1) Inventory and classify: map which systems are internet-facing and which store or process CUI.
2) Select an architecture pattern and draw a network diagram showing firewalls, ACLs, VLANs, subnets, and control points, including IP ranges and zone names.
3) Implement segmentation: create VLANs/subnets, configure routing so DMZ -> internal traffic flows only over explicitly allowed rules, and use management VLANs for administrative access only.
4) Harden DMZ hosts: disable unnecessary services, apply host-based firewalls, enable TLS 1.2+ and HSTS, and place a WAF in front of public services.
5) Restrict administrative access to a bastion/jump host in a management subnet, require VPN + MFA, and log all admin sessions.
These actions produce the concrete evidence auditors will look for.
Additional technical considerations include using stateful firewalls for perimeter control and stateless ACLs for high-performance filtering where needed, enabling segmentation technologies such as VLAN tagging (802.1Q) and private VLANs for additional isolation, and considering microsegmentation (host-level rules via EDR or software-defined networking) for east-west traffic control. In the cloud, combine Security Groups and NACLs: Security Groups for instance-level stateful rules and NACLs as coarse-grained subnet protection.
Monitoring, testing, and evidence collection
Logging and monitoring are core to demonstrating compliance: collect firewall logs, WAF alerts, flow logs (VPC Flow Logs or NetFlow), and host logs in a SIEM or central log store with tamper-evident retention (retain per policy). Conduct segmentation verification: quarterly vulnerability scans, internal segmentation tests (attempt to pivot from the DMZ to internal systems), and annual penetration tests focused on lateral movement. The evidence package for assessors should include the network diagram, a firewall rule export with justifications, jump host access logs showing MFA, vulnerability scan and pentest reports, and documented change controls for rule additions and changes.
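As an added example (not from the original post), the following Python models the default-deny rule set from the firewall section as first-match rules and encodes the segmentation intent as test cases, so a rule change can be verified against that intent before it reaches production. The corporate VPN range 203.0.113.0/24 and the database host 10.0.2.20 are constructed values; the other addresses and ports are the ones used in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port
def matches(rule, proto, src_ip, dst_ip, dport):
    return (rule.proto in (proto, "any")
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, dport))

def evaluate(rules, proto, src_ip, dst_ip, dport):
    # First-match evaluation; anything no rule permits falls to the implicit default deny.
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"

# Rule set from the post. The VPN range and the DB host 10.0.2.20 are constructed values.
CORP_VPN = "203.0.113.0/24"
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),      # Internet -> web proxy
    Rule("permit", "tcp", "10.0.1.0/24", "10.0.2.10/32", 8080),   # DMZ -> app server
    Rule("permit", "tcp", CORP_VPN, "10.0.3.10/32", 22),          # VPN users -> bastion
    Rule("permit", "tcp", "10.0.2.10/32", "10.0.2.20/32", 5432),  # app -> DB only
    Rule("deny", "any", "0.0.0.0/0", "10.0.2.0/24", None),        # explicit deny documents intent
]
# Segmentation intent written as test cases: (proto, src, dst, dport, expected action).
CHECKS = [
    ("tcp", "198.51.100.7", "10.0.1.10", 443, "permit"),   # public web traffic reaches the proxy
    ("tcp", "198.51.100.7", "10.0.2.10", 8080, "deny"),    # Internet never reaches the app tier
    ("tcp", "10.0.1.10", "10.0.2.10", 8080, "permit"),     # proxy may forward to the app
    ("tcp", "10.0.1.10", "10.0.2.20", 5432, "deny"),       # DMZ must not reach the DB
    ("tcp", "10.0.1.10", "10.0.3.10", 22, "deny"),         # DMZ must not reach management
    ("tcp", "198.51.100.7", "10.0.3.10", 22, "deny"),      # non-VPN source blocked from bastion
    ("tcp", "203.0.113.5", "10.0.3.10", 22, "permit"),     # VPN user reaches the bastion
]
def verify(rules=RULES, checks=CHECKS):
    # Returns the checks whose outcome differs from intent; an empty list means the rule set passes.
    failures = []
    for proto, src, dst, dport, expected in checks:
        got = evaluate(rules, proto, src, dst, dport)
        if got != expected:
            failures.append((src, dst, dport, expected, got))
    return failures
```

Running verify() against a proposed rule set in change control turns "no untested rules to production" into a repeatable check, and the returned tuples name exactly which intended boundary a new rule would open.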
Failing to segment effectively increases the risk of lateral movement and CUI exposure: a compromised web server in a flat network can allow attackers to reach internal app servers and databases, leading to data exfiltration, contract loss, penalties, and reputational damage. For small businesses, a single successful breach against an internet-facing service can be catastrophic—segmentation reduces blast radius and increases detection opportunities.
Compliance tips and best practices
Keep these best practices in mind: enforce least privilege for network flows, review firewall rules monthly and rationalize them at least quarterly, automate detection with IDS/IPS tuned to reduce false positives, and embed segmentation verification in change control (no untested rules to production). Document everything in your SSP and track exceptions in a POA&M with risk acceptance and remediation timelines. For vendor remote access, use time-limited firewall rules and ephemeral credentials via a jump host, and log all RDP and SSH sessions to the SIEM.
In summary, meeting SC.L2-3.13.5 is an engineering and documentation exercise: design clear trust boundaries, implement least-privilege network rules, harden and monitor DMZ hosts, validate segmentation through testing, and produce a structured evidence package. For small businesses, start simple (separate public and private subnets, a bastion host, default-deny firewall rules, and centralized logging) and iterate toward finer-grained segmentation as your maturity grows—this approach balances security, cost, and compliance.