NIST SP 800-171

Control 3.13.5

Implement Subnetworks for Publicly Accessible Components


Official Requirement

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

What This Means in Plain English

Web servers, email gateways, and other systems accessible from the internet must be in a DMZ -- a separate network segment that prevents direct access to your internal network if the public-facing system is compromised.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • DMZ architecture isolating all public-facing services from the internal network
  • FortiGate firewall rules enforcing strict traffic controls between DMZ, internal, and external zones
  • Reverse proxy configurations preventing direct access to internal application servers
  • Separate VLAN for publicly accessible components with restricted internal connectivity
  • ComplianceArmor network documentation showing DMZ boundaries and allowed traffic flows

Assessment Guidance

Assessors will verify DMZ implementation, test that compromised DMZ hosts cannot directly access internal networks, review firewall rules between zones, and confirm that all public-facing services are in the DMZ.

Common Implementation Gaps

  • No DMZ -- public-facing servers on the internal network
  • DMZ with overly permissive rules allowing internal network access
  • Web servers directly connected to internal databases
  • Public-facing services not inventoried
  • DMZ firewall rules not reviewed regularly
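The implementation bullets above describe three zones (external, DMZ, internal) with firewall rules between them, and the gap list names the rule patterns an assessor looks for. The following script is an added example, not Petronella's ComplianceArmor tooling or FortiGate code: it audits a small zone-based policy model for the gaps listed above. Zone names, subnets, hosts, policies, the set of "database" ports and the 90-day review interval are all constructed assumptions for the illustration.

```python
"""Audit a zone-based firewall policy model for the DMZ gaps named on this page.
Added example (not Petronella's or Fortinet's code); every value below is constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumption: one subnet per zone; 192.0.2.0/24 is a documentation range.
ZONES = {
    "internal": ip_network("10.10.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
}
DB_PORTS = {1433, 3306, 5432}   # assumption: ports treated as "internal database"
REVIEW_INTERVAL_DAYS = 90       # assumption: required rule-review cadence


@dataclass
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    ports: set          # set of ints, or {"any"}
    action: str         # "accept" or "deny"
    last_reviewed: date


@dataclass
class Host:
    name: str
    ip: str
    public_facing: bool


def zone_of(ip: str):
    """Return the zone whose subnet contains ip, or None if unplaced."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def audit(policies, hosts, today):
    """Return a list of findings, one string per gap detected."""
    findings = []
    # Gap: public-facing server not placed in the DMZ.
    for h in hosts:
        if h.public_facing and zone_of(h.ip) != "dmz":
            findings.append(
                f"{h.name} ({h.ip}) is public-facing but sits in {zone_of(h.ip)}")
    for p in policies:
        # Gap: rule not reviewed within the interval (applies to every rule).
        if (today - p.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(
                f"policy {p.id}: last reviewed {p.last_reviewed}, "
                f"older than {REVIEW_INTERVAL_DAYS} days")
        if p.action != "accept" or (p.src_zone, p.dst_zone) != ("dmz", "internal"):
            continue
        # Gap: DMZ -> internal rule with any-source, any-destination or any-service.
        if p.src == "any" or p.dst == "any" or "any" in p.ports:
            findings.append(
                f"policy {p.id}: DMZ->internal allows any ({p.src}->{p.dst} {p.ports})")
        # Gap: DMZ host allowed straight to an internal database port.
        elif p.ports & DB_PORTS:
            findings.append(
                f"policy {p.id}: DMZ host reaches internal DB port(s) "
                f"{sorted(p.ports & DB_PORTS)}")
    return findings


def run_sample():
    """Constructed rule set and inventory exercising each gap once or twice."""
    today = date(2024, 6, 1)
    policies = [
        Policy(1, "external", "dmz", "any", "192.0.2.10/32", {443}, "accept", date(2024, 5, 1)),
        Policy(2, "dmz", "internal", "any", "any", {"any"}, "accept", date(2024, 5, 1)),
        Policy(3, "dmz", "internal", "192.0.2.10/32", "10.10.5.20/32", {5432}, "accept", date(2023, 1, 15)),
        Policy(4, "dmz", "internal", "any", "any", {"any"}, "deny", date(2024, 5, 1)),
    ]
    hosts = [
        Host("www1", "192.0.2.10", True),
        Host("legacy-portal", "10.10.8.5", True),
        Host("fileserver", "10.10.3.4", False),
    ]
    return audit(policies, hosts, today)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Policy 2 is the "overly permissive rules" gap, policy 3 the "web server directly connected to internal database" gap plus a stale review, and the legacy-portal host the "public-facing server on the internal network" gap; policy 4 is a deny rule and is only checked for review age. A real audit would load the policy table exported from the firewall rather than a hand-built list.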

Cross-Framework Mapping

Framework        Mapped Controls
NIST SP 800-53   SC-7
PCI DSS          Req 1.3 - Restrict inbound and outbound traffic

Need Help Implementing 3.13.5?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
