Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SC.L1-B.1.XI – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Understanding the Requirement
This control requires that any systems you expose to the public internet (web servers, APIs, mail relays, VPN portals, etc.) be placed in subnetworks that are separated from your internal corporate network so an Internet-facing compromise cannot directly expose internal resources. These subnetworks are commonly called demilitarized zones (DMZs) and, per the control's objectives, you must identify publicly accessible components and ensure they are physically or logically separated from internal networks. This control is part of FAR 52.204-21 / CMMC 2.0 Level 1.
Technical Implementation
- Inventory and classify public-facing components. Create a short list of systems that must accept inbound connections from the internet (websites, API endpoints, file transfer services). Label each component with purpose, required ports/protocols, and whether it truly needs to be public.
- Design a DMZ with clear boundary controls. Use a dedicated physical interface or VLAN for the DMZ, and place a firewall (or cloud security group) between the DMZ and both the internet and your internal network. The DMZ should have strict ingress/egress rules: only allow the minimum required ports from the internet and only allow tightly scoped traffic to internal servers (for example, web server -> internal DB on port 3306 only).
- Harden and minimize attack surface in the DMZ. Run only necessary services on DMZ hosts, disable interactive logins where possible, enforce least-privilege service accounts, enable automatic patching, and use up-to-date TLS configurations. Remove development tools and unnecessary software from these hosts.
- Control administrative access and remote management. Prohibit direct management of DMZ hosts from the internet. Require administrators to use an internal management VLAN, VPN into the internal network, or a dedicated bastion host that itself is tightly controlled and monitored.
- Network address translation and forwarding rules. Use NAT or a reverse proxy to minimize direct addressing of DMZ hosts from the internet. Forward only required ports (e.g., 80/443 for a website) and avoid exposing management ports (SSH, RDP) to the public internet.
- Monitoring, logging, and regular testing. Forward DMZ logs to a central logging service or SIEM, set up basic IDS/IPS rules for DMZ traffic, and schedule regular vulnerability scans and penetration tests of public-facing systems. Keep evidence of scans and remediation actions for compliance purposes.
Example in a Small or Medium Business
A small marketing agency needs a public website and a customer portal. The IT lead sets up a DMZ by creating a separate VLAN on the existing firewall appliance and places the web server and portal server on that VLAN with private IP addresses. Internet traffic is routed to the DMZ through the firewall, which only allows TCP ports 80 and 443 from the internet and blocks access to all other ports. The portal server requires access to an internal database for customer records, so the firewall rules only permit traffic from the portal server IP to the database server on a single database port. Administrators manage DMZ hosts from the internal network via an authenticated VPN and a jump box; no direct SSH or RDP from the internet is allowed. The agency uses automated patching for DMZ hosts, central log collection to a server on the internal network, and weekly vulnerability scans. After implementation, they document the design and run a tabletop exercise to ensure the team understands incident containment steps if the public server is compromised.
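The implementation steps above and the agency scenario both come down to a small set of checkable rules on the boundary firewall: the internet reaches DMZ hosts only on the approved public ports, management ports are never exposed, and DMZ-to-internal traffic is pinned to specific host/port pairs. The following added example (not from this page or any vendor product) audits a simplified, vendor-neutral ruleset against exactly those objectives. The rule format, the zone addressing (10.10.0.0/24 for the DMZ, 10.20.0.0/16 for the internal LAN), and the two sample rulesets are all constructed for illustration.

```python
"""Audit a zone-based firewall ruleset against the DMZ objectives of
SC.L1-B.1.XI. Added example; the Rule model and addressing are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addressing for the scenario: a DMZ VLAN and an internal LAN.
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("10.10.0.0/24")
INTERNAL = ip_network("10.20.0.0/16")
MGMT_PORTS = {22, 3389}  # SSH and RDP must never be reachable from the internet


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR, single host address, or "any"
    dst: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def net(addr: str) -> IPv4Network:
    return INTERNET if addr == "any" else ip_network(addr, strict=False)


def zone_of(addr: str) -> str:
    n = net(addr)
    if n.subnet_of(DMZ):
        return "dmz"
    if n.subnet_of(INTERNAL):
        return "internal"
    return "internet"


def audit(rules: List[Rule], public_ports: Set[int],
          backend_flows: Set[Tuple[str, str, int]]) -> List[str]:
    """Return findings; an empty list means the ruleset passes every check.
    public_ports:  ports DMZ hosts legitimately accept from the internet.
    backend_flows: approved (dmz_host, internal_host, port) tuples."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append(f"unrestricted allow any -> any: {r}")
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if sz == "internet" and dz == "internal":
            findings.append(f"internet -> internal allowed: {r}")
        elif sz == "internet" and dz == "dmz":
            if r.port is None:
                findings.append(f"internet -> DMZ allows any port: {r}")
            elif r.port in MGMT_PORTS:
                findings.append(f"management port {r.port} exposed to internet: {r}")
            elif r.port not in public_ports:
                findings.append(f"unapproved public port {r.port}: {r}")
        elif sz == "dmz" and dz == "internal":
            # Backend access must be one host to one host on one port.
            s, d = net(r.src), net(r.dst)
            if s.prefixlen != 32 or d.prefixlen != 32 or r.port is None:
                findings.append(f"DMZ -> internal rule not host- and port-scoped: {r}")
            else:
                flow = (str(s.network_address), str(d.network_address), r.port)
                if flow not in backend_flows:
                    findings.append(f"DMZ -> internal flow not on approved list: {r}")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any"
            and last.dst == "any" and last.port is None):
        findings.append("ruleset does not end with an explicit deny-all")
    return findings


# Constructed inputs mirroring the agency scenario: web server 10.10.0.10,
# portal server 10.10.0.20, internal database 10.20.5.40 on port 3306.
PUBLIC_PORTS = {80, 443}
BACKEND_FLOWS = {("10.10.0.20", "10.20.5.40", 3306)}

WEAK = [
    Rule("any", "10.10.0.0/24", None, "allow"),          # whole DMZ open on all ports
    Rule("any", "10.10.0.10", 22, "allow"),              # SSH from the internet
    Rule("10.10.0.0/24", "10.20.0.0/16", None, "allow"),  # DMZ may reach the whole LAN
]

HARDENED = [
    Rule("any", "10.10.0.10", 80, "allow"),
    Rule("any", "10.10.0.10", 443, "allow"),
    Rule("any", "10.10.0.20", 443, "allow"),
    Rule("10.10.0.20", "10.20.5.40", 3306, "allow"),  # portal -> DB, single port
    Rule("10.20.1.0/24", "10.10.0.0/24", 22, "allow"),  # management VLAN -> DMZ only
    Rule("any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(rules, PUBLIC_PORTS, BACKEND_FLOWS) or 'no findings'}")
```

The weak ruleset produces four findings (any-port exposure, SSH from the internet, an unscoped DMZ-to-LAN rule, and no closing deny-all); the hardened one produces none. Management access from the internal VLAN into the DMZ is intentionally not flagged, since that is the administrative path the control expects.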
Summary
Separating public-facing components into a DMZ — whether implemented with physical interfaces, VLANs, or cloud network segments — reduces risk by preventing direct access to internal systems, limiting lateral movement, and containing compromise. By inventorying public services, applying least-privilege network rules, hardening and monitoring DMZ hosts, and restricting administrative paths, SMBs meet the control's intent with practical, low-cost measures that significantly improve security posture.