Microsegmentation and subnetworks are essential controls for isolating public-facing assets from internal systems so that Federal Contract Information (FCI) and other sensitive resources are not exposed — implementing these controls in line with FAR 52.204-21 and CMMC 2.0 Level 1 (SC.L1-B.1.XI) reduces attack surface, limits lateral movement, and provides auditable evidence of basic safeguarding.
What the requirement means for small businesses
FAR 52.204-21 requires basic safeguarding of covered contractor information, and CMMC 2.0 Level 1 expects demonstrable, low-complexity security practices to protect FCI. Practically, SC.L1-B.1.XI is about putting public assets (websites, API endpoints, mail gateways) in clearly separated network segments and enforcing strict, documented access controls so only necessary traffic reaches those assets and management access is tightly restricted and logged.
High-level implementation approach
Start by creating a DMZ or public subnet for any asset that must be reachable from the internet, and separate private subnets for application servers, databases, and administrative systems. Use one or more of the following enforcement layers: perimeter firewall with explicit allow lists, cloud security groups and network ACLs, host-based firewalls (UFW, Windows Firewall, iptables), and microsegmentation tooling (for containerized or east-west traffic control) — the goal is defense in depth and auditable rules mapping to allowed business flows.
Step-by-step technical implementation (practical)
1) Inventory and classify FCI and systems that process or have access to it. 2) Design network zones: Public (internet-facing), Application (private), Data (isolated DB), Management (admin-only access over a bastion). 3) For cloud deployments: implement a VPC (or equivalent) with public and private subnets, use a NAT Gateway for outbound-only private-subnet internet access, and create security groups that allow only required ports. Example AWS security-group rule for web servers: allow TCP 80/443 from 0.0.0.0/0 to the load balancer only; allow port 22/3389 to a bastion host from the admin office IP range only.
Concrete commands and host rules you can deploy today
For small on-prem or VM deployments, start with host-level rules — examples: UFW to allow only HTTP/HTTPS and SSH from admins:
sudo ufw default deny incoming
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow from 203.0.113.45 to any port 22 proto tcp # admin IP
sudo ufw enable
For AWS quick segmentation with the CLI (example):
aws ec2 create-security-group --group-name public-web-sg --description "Public web servers"
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 443 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 203.0.113.45/32
Microsegmentation choices for small businesses
Full-featured microsegmentation platforms (Illumio, VMware NSX) are effective but costly. For small businesses, combine network segmentation with host-based controls and container network policies: use security groups + NACLs in cloud environments, UFW/iptables or Windows Firewall on hosts, and Calico or Cilium for Kubernetes workloads. If you run containers, enforce network policies that permit only service-to-service ports (for example: web -> app on 8080, app -> db on 5432) and deny all else by default.
Monitoring, documentation, and audit evidence
To satisfy FAR and CMMC auditors, collect and maintain: network diagrams showing subnets and flows, firewall/security group rule dumps (timestamped), change control records for rule updates, logs showing blocked/allowed traffic where available, and evidence of restricted admin access (bastion host logs, MFA logs). Implement continuous monitoring with simple tools: cloud provider flow logs (VPC Flow Logs), SSH bastion logging, and a small SIEM or log collector (Wazuh, Splunk Light) to retain and query events for audits.
Risks of not implementing segmentation
Without proper microsegmentation and clean subnet boundaries, a compromise of a public asset can permit lateral movement to internal servers containing FCI or developer workstations. The result can be exfiltration of FCI, contract noncompliance, financial penalties, lost future contracting opportunities, and reputational damage. From a technical perspective, unsegmented networks make incident containment slow and increase remediation costs.
Compliance tips and best practices
Keep it simple and documented: adopt least privilege for network flows, restrict management plane access to known IPs and MFA-enforced accounts, use a bastion/jump host for admin access, enable automatic patching or a fast patch rollback plan, and implement periodic rule reviews (quarterly). Use infrastructure as code (Terraform, CloudFormation) so rules are versioned and auditable. For evidence collection, produce a one-page control mapping that ties your network design and artifacts to FAR 52.204-21 and SC.L1-B.1.XI controls.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 SC.L1-B.1.XI for public assets is achievable for small businesses through pragmatic subnet segmentation, strict security-group/firewall rules, host-based microsegmentation where needed, and clear documentation and logging — these steps minimize exposure, support auditability, and materially reduce the risk of FCI compromise.
