Level 5 CMMC - CMMC Practices

SC.1.176  

Reference: CMMC 1.02

Family: SC

Level Introduced: 1

Practice:
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

CMMC Clarification:
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place the internal systems on the same network as the publicly accessible systems.

A network or part of a network that is separated (sometimes physically) from an internal network is called a demilitarized zone (DMZ). A DMZ is a host or part of a network put in a “neutral zone” between an organization’s internal network (the protected side) and a larger network, like the internet. To separate a subnetwork physically, your company may put in boundary control devices (i.e., routers, gateways, firewalls). This can also be done on a cloud network that can be separated from the rest of the network.

A DMZ can add an extra layer of security to your company’s LAN, because an external network node can reach only what is permitted to be accessed in the DMZ.

Physical separation might involve a separate network infrastructure: dedicated network equipment with separate LAN segments, a firewall between the internal network and the DMZ segment, and a firewall between the DMZ segment and the internet. A logical separation might involve VLAN separation for the DMZ, supporting a separate subnet with routing and access controls between subnets.

Example
The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ to do this. You host the server separately from the company’s internal network, and make sure the network has the correct security firewall rules. Your company gets a lot of great candidates for the open jobs, and the company’s internal network is protected.
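
The recruiting-website scenario above can be modelled as a small zone-based policy: the public web server sits in a DMZ subnet, the internet may reach it only on the published ports, the DMZ may not initiate connections into the internal network, and only a designated administration host may manage the server from inside. The following Python is an added example, not part of the CMMC or NIST text; the addressing plan (10.10.0.0/16 internal, 192.0.2.0/24 as the DMZ stand-in, the web server and management host addresses), the interface names and the rule set are constructed assumptions. It also encodes the anti-spoofing point from the SP 800-53 supplemental guidance below (external traffic claiming an internal address is dropped) and includes an audit function that checks a set of observed flows for accepted paths across the boundaries this practice is meant to close.

```python
"""Zone-based model of a DMZ firewall policy (constructed example).

Zones are derived from destination/source subnet membership. The rule order
mirrors the design in the practice text: internet -> DMZ (published service
only), never internet -> internal, never DMZ -> internal, internal -> DMZ only
for administration, DMZ egress restricted to HTTPS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the page).
INTERNAL_NET = ip_network("10.10.0.0/16")
DMZ_NET = ip_network("192.0.2.0/24")      # RFC 5737 range standing in for the DMZ subnet
WEB_SERVER = ip_address("192.0.2.10")     # public job-postings server in the DMZ
MGMT_HOST = ip_address("10.10.5.20")      # the one internal host allowed to administer it

FORBIDDEN_PATHS = {("internet", "internal"), ("dmz", "internal")}


@dataclass(frozen=True)
class Flow:
    ingress: str        # firewall interface the packet arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to its zone by subnet membership."""
    a = ip_address(addr)
    if a in INTERNAL_NET:
        return "internal"
    if a in DMZ_NET:
        return "dmz"
    return "internet"


# Which source zone is legitimate on each ingress interface (anti-spoofing).
EXPECTED_SRC_ZONE = {"ext": "internet", "dmz": "dmz", "int": "internal"}


def decide(flow: Flow) -> str:
    """Return an 'accept:<rule>' or 'drop:<reason>' verdict for one new connection."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)

    # Anti-spoofing: the source zone must match the interface the packet came in on.
    if EXPECTED_SRC_ZONE.get(flow.ingress) != src_zone:
        return "drop:spoofed-source"

    if src_zone == "internet" and dst_zone == "dmz":
        # Only the published web service is reachable from outside.
        if dst == WEB_SERVER and flow.proto == "tcp" and flow.dport in (80, 443):
            return "accept:public-web"
        return "drop:dmz-unpublished"

    if src_zone == "internet" and dst_zone == "internal":
        return "drop:internet-to-internal"       # never directly reachable

    if src_zone == "dmz" and dst_zone == "internal":
        return "drop:dmz-to-internal"            # a compromised DMZ host gets no foothold inward

    if src_zone == "internal" and dst_zone == "dmz":
        if src == MGMT_HOST and dst == WEB_SERVER and flow.proto == "tcp" and flow.dport == 22:
            return "accept:admin-ssh"
        return "drop:internal-to-dmz"

    if src_zone == "dmz" and dst_zone == "internet":
        if flow.proto == "tcp" and flow.dport == 443:
            return "accept:dmz-egress-https"     # e.g. package updates
        return "drop:dmz-egress"

    if src_zone == "internal" and dst_zone == "internet":
        return "accept:internal-egress"          # egress filtering is outside this practice

    return "drop:default"


def forbidden_paths_accepted(flows):
    """Audit: return flows the policy accepts across a boundary the practice requires closed."""
    return [f for f in flows
            if decide(f).startswith("accept:")
            and (zone_of(f.src), zone_of(f.dst)) in FORBIDDEN_PATHS]


# Constructed sample flows, as a firewall log might show them.
SAMPLE_FLOWS = [
    Flow("ext", "198.51.100.7", "192.0.2.10", 443),    # public visitor fetching the site
    Flow("ext", "198.51.100.7", "192.0.2.10", 22),     # outside SSH attempt at the DMZ host
    Flow("ext", "198.51.100.7", "10.10.5.20", 445),    # outside host aiming at internal SMB
    Flow("ext", "10.10.5.20", "192.0.2.10", 22),       # internal address arriving on the external side
    Flow("dmz", "192.0.2.10", "10.10.5.20", 3389),     # DMZ host trying to reach inward
    Flow("int", "10.10.5.20", "192.0.2.10", 22),       # admin host managing the web server
    Flow("int", "10.10.7.3", "192.0.2.10", 22),        # other internal host, not permitted
    Flow("dmz", "192.0.2.10", "198.51.100.7", 443),    # web server fetching updates
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.ingress:>3} {f.src:>15} -> {f.dst:>15}:{f.dport:<5} {decide(f)}")
    print("forbidden paths accepted:", forbidden_paths_accepted(SAMPLE_FLOWS))
```

The audit function is the useful part for an assessor: run it over exported connection logs or over the allow rules of the real firewall and anything it returns is a direct gap against this practice.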

3.13.5

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Discussion:
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.

[SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.

Source: NIST Special Publication 800-171 Rev. 2

SC-7

BOUNDARY PROTECTION

Description:
The information system:
    a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
    b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
    c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Supplemental Guidance:
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02