This post gives actionable, small-business-friendly guidance for architecting a secure DMZ and network segmentation that meet NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control SC.L2-3.13.5, covering objectives, concrete implementation steps, sample configurations, testing, and the risks of inadequate segmentation.
Understanding SC.L2-3.13.5 and the Key Objectives
SC.L2-3.13.5 requires boundary protections including the use of DMZs and network segmentation to separate Controlled Unclassified Information (CUI) and sensitive systems from less-trusted networks (including the Internet and general corporate networks). Key objectives are to limit attack surface, prevent lateral movement, control and log access between segments, and ensure that only explicitly authorized services and ports are reachable across boundaries.
Design Principles for a Secure DMZ and Segmentation
Start with data classification: identify where CUI resides (servers, databases, SaaS) and map the flows (who and what needs to talk to CUI). Apply the principle of least privilege to network flows: permit only specific source/destination/protocol/port combinations. Use layered defenses: a perimeter firewall and DMZ for internet-facing services, internal segmentation gateways between employee and CUI zones, host-based controls on endpoints, and monitoring at each boundary. Architect for fail-safe defaults: deny by default and open explicitly.
DMZ Specifics and Where to Place Services
Place internet-exposed services (web servers, mail gateways, VPN concentrators) in a DMZ or a cloud public subnet, but never co-locate CUI stores (databases, file shares) in that same zone. For example, a small business might run a public web application in a cloud public subnet behind a WAF and ALB, the application servers in a private app subnet, and the database in a private DB subnet with no internet route. Ensure the DMZ allows only the inbound ports that are necessary (e.g., 80/443 to the web tier) and that management access to DMZ hosts is only via a hardened jump host or session manager with MFA and logging.
Practical Implementation Steps (Compliance Framework-specific)
1) Inventory and classify: document which systems process or store CUI and include this in the System Security Plan (SSP).
2) Choose an architecture pattern: on premises, use VLANs, an edge firewall and an internal next-generation firewall (NGFW) for segmentation; in the cloud, use a VPC/VNet with public and private subnets, security groups, NACLs and Transit Gateway/VPC peering.
3) Implement a DMZ: in the cloud, create a public subnet for the load balancer/WAF and private subnets for the app and DB tiers.
4) Apply access control lists: firewall rules should be explicit (e.g., app subnet -> DB subnet TCP/1433 only from the app server IPs); use stateful inspection and limit egress where possible.
Small-business example: AWS pattern
Example architecture: 10.0.0.0/16 VPC. Public subnet 10.0.1.0/24 (ALB + WAF), App subnet 10.0.2.0/24 (EC2 or ECS), DB subnet 10.0.3.0/24 (RDS with no public IP). Security Group rules: ALB SG allow inbound 0.0.0.0/0 TCP 80/443; ALB -> App SG allow TCP 443 from ALB SG; App SG -> DB SG allow TCP 5432 from App SG only. Use SSM Session Manager for admin instead of exposing SSH; enable VPC Flow Logs + CloudTrail and forward to centralized logging (CloudWatch/ELK/Splunk) for retention per your policy.
Firewall rules, admin access, and host controls
Concrete rules: limit inbound traffic to the DMZ by permitting only 80/443 to web hosts and denying all other inbound traffic. Limit management access: allow SSH/RDP only from a management subnet or via a bastion/jump host with MFA; prefer agentless session managers (SSM Session Manager) or jump hosts that require MFA and are logged. Implement host-level controls (Windows Firewall, iptables) so segmentation still holds if a network device fails or is misconfigured. Consider microsegmentation (e.g., VMware NSX, Illumio) if you need east-west control within the data center or cloud environment.
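The following is an added example, not code from the original post or from AWS: a small offline checker that takes a declared set of security group rules modelled on the AWS pattern above (ALB -> App -> DB) and flags rules that break the least-privilege policy described in the implementation steps and firewall guidance. The rule list, the 10.0.250.0/24 management subnet and the two deliberately wrong rules are constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed model of the post's AWS pattern (ALB -> App -> DB inside 10.0.0.0/16).
# Each rule: (security group it applies to, protocol, port, source), where source
# is a CIDR or the name of another security group. The last two rules are
# deliberate violations added so the checker has something to catch.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
MGMT_SUBNET = ipaddress.ip_network("10.0.250.0/24")  # assumed management subnet
RULES = [
    ("alb-sg", "tcp", 80,   "0.0.0.0/0"),
    ("alb-sg", "tcp", 443,  "0.0.0.0/0"),
    ("app-sg", "tcp", 443,  "alb-sg"),
    ("db-sg",  "tcp", 5432, "app-sg"),
    ("db-sg",  "tcp", 5432, "10.0.1.0/24"),  # violation: DMZ subnet reaches the DB
    ("app-sg", "tcp", 22,   "0.0.0.0/0"),    # violation: SSH exposed to the internet
]

# Policy distilled from the post: only the ALB faces the internet, and only on
# 80/443; the DB accepts connections from the app tier only; SSH/RDP come only
# from the management subnet (day-to-day admin goes through Session Manager).
INTERNET_OK = {("alb-sg", 80), ("alb-sg", 443)}
DB_SOURCES = {"app-sg"}
MGMT_PORTS = {22, 3389}

def as_network(source):
    """Return an ip_network for a CIDR source, or None if it names a security group."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None

def check_rules(rules):
    """Return a list of policy violations; an empty list means the rules comply."""
    findings = []
    for sg, proto, port, src in rules:
        net = as_network(src)
        if net is not None:
            if port in MGMT_PORTS and not net.subnet_of(MGMT_SUBNET):
                findings.append(f"{sg}: management port {port} allowed from {src}")
            elif not net.subnet_of(VPC_CIDR) and (sg, port) not in INTERNET_OK:
                findings.append(f"{sg}: {proto}/{port} exposed outside the VPC ({src})")
        if sg == "db-sg" and src not in DB_SOURCES:
            findings.append(f"db-sg: {proto}/{port} reachable from {src}, not the app tier")
    return findings

if __name__ == "__main__":
    for finding in check_rules(RULES):
        print("VIOLATION:", finding)
```

Feeding this the real rule set exported from your account (or the rules declared in your Terraform/CloudFormation) turns the written policy into a check you can run on every change, which is the kind of evidence an assessor asks for.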
Monitoring, Validation, and Testing
Logging and continuous monitoring are required to show that the segmentation is effective: collect firewall logs, VPC Flow Logs and host IDS/agent telemetry, and centralize them in a SIEM with retention consistent with your compliance obligations. Conduct segmentation validation: run internal vulnerability scans and lateral movement tests (e.g., BloodHound for AD, custom internal pivot tests), and perform periodic penetration tests that include attempts to reach CUI from the DMZ and employee networks. Document test results and remediation steps in your SSP and POA&M.
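As an added example (not from the original post), here is detection logic that runs over VPC Flow Log records from the example VPC and reports accepted flows that cross a zone boundary the design does not permit, such as a DMZ host talking to the DB subnet or the DB tier reaching the internet. The zone map and allowed crossings follow the post's architecture; the log lines are constructed sample data in the default version 2 flow log format.

```python
import ipaddress

# Zones of the post's example VPC: DMZ (public), app and DB subnets; anything
# else is treated as external (internet).
ZONES = {"dmz": ipaddress.ip_network("10.0.1.0/24"),
         "app": ipaddress.ip_network("10.0.2.0/24"),
         "db":  ipaddress.ip_network("10.0.3.0/24")}
# Boundary crossings the design permits: (source zone, destination zone, port).
ALLOWED = {("external", "dmz", 80), ("external", "dmz", 443),
           ("dmz", "app", 443), ("app", "db", 5432)}
SERVICE_PORTS = {80, 443, 5432}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def parse_flow(line):
    """Parse a default-format (version 2) VPC Flow Log record."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
            "action": f[12]}

def violations(lines):
    """Return ACCEPTed flows that cross a zone boundary the design does not allow."""
    found = []
    for line in lines:
        r = parse_flow(line)
        if r["action"] != "ACCEPT":
            continue  # a REJECT means the boundary control did its job
        src, dst, port = r["src"], r["dst"], r["dport"]
        # Flow logs see both directions; treat a record whose source port is a
        # service port as the reply half so the client is always the source.
        if r["sport"] in SERVICE_PORTS and port not in SERVICE_PORTS:
            src, dst, port = dst, src, r["sport"]
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and (sz, dz, port) not in ALLOWED:
            found.append(f"{sz}->{dz} {src}->{dst} tcp/{port}")
    return found

# Constructed sample records (version account eni src dst sport dport proto pkts bytes start end action status).
SAMPLE_LOG = """\
2 123456789012 eni-0a1 203.0.113.9 10.0.1.10 51000 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a2 10.0.1.10 10.0.2.20 51001 443 6 10 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a3 10.0.2.20 10.0.3.30 49152 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a3 10.0.3.30 10.0.2.20 5432 49152 6 18 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a4 10.0.1.10 10.0.3.30 51002 5432 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a4 10.0.3.30 198.51.100.7 49200 443 6 300 900000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a4 10.0.1.11 10.0.3.30 51003 5432 6 1 60 1700000000 1700000060 REJECT OK
""".splitlines()
```

Running `violations(SAMPLE_LOG)` reports the DMZ-to-DB flow and the DB-to-internet flow while ignoring the REJECTed attempt and the legitimate reply traffic; the same logic expressed as a SIEM rule gives you ongoing evidence that the segmentation holds.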
Risks of Not Implementing Proper Segmentation and Compliance Tips
Without segmentation and a properly configured DMZ you expose CUI to lateral movement, credential theft and exfiltration; attackers who compromise a public web server can pivot to internal databases if networks are flat. Non-compliance risks include contract loss, penalties, and damaged reputation. Tips: use templates/scaffolding (CloudFormation/ARM/Terraform) to codify secure network baselines, enforce change control for firewall rules, and build checklists for new services so they're placed in the correct zone before going live.
Summary: To meet SC.L2-3.13.5 you must identify CUI flows, design a DMZ that isolates internet-facing services, enforce least-privilege network rules, protect management paths with MFA and jump hosts, implement host controls and monitoring, and validate segmentation through testing, all documented in your SSP and evidence artifacts. For small businesses, leverage managed firewall services or cloud provider primitives (ALB/WAF, security groups, VPC Flow Logs) to implement a robust, auditable segmentation architecture without prohibitive cost.