This post explains how to implement subnetworks (public DMZs and private subnets) for publicly accessible components to meet the intent of FAR 52.204-21 and CMMC 2.0 Level 1 control SC.L1-B.1.XI, with actionable steps, small-business examples, technical specifics, and evidence you can present during an audit.
Implementation overview and compliance mapping
The Compliance Framework requirement expects organizations to separate publicly reachable systems (web servers, application gateways, APIs) from internal systems that store or process sensitive government data. Practically this means deploying a defined public subnetwork (sometimes called a DMZ) with explicit inbound/outbound rules and tight routing so that publicly accessible hosts do not have direct access to internal subnets that contain controlled unclassified information (CUI) or sensitive internal services. For audit purposes map this activity to SC.L1-B.1.XI and to the FAR clause by documenting architecture diagrams, rulesets, and test results that demonstrate the separation.
Practical implementation steps (high level)
Start by scoping: identify all publicly accessible components, the protocols/ports they require, and any backend dependencies. Design a CIDR plan for your network: for example, in a small AWS deployment you might use 10.0.0.0/16 for the VPC, with 10.0.1.0/24 for public subnets (ALB/NAT/edge servers), 10.0.2.0/24 for application/private servers, and 10.0.3.0/24 for management/bastion hosts. Ensure public subnets are associated with the Internet Gateway and private subnets route outbound via a NAT gateway (if needed) so internal hosts never have a public IP. Document the design and the rationale as compliance evidence.
Technical configuration details and examples
Configure security controls at multiple layers: perimeter firewall or cloud security groups/NSGs, subnet route tables, host-based firewalls, and application-level restrictions. Example AWS pattern: allow inbound 80/443 to the ALB security group from 0.0.0.0/0; allow ALB to forward to application servers by referencing the ALB SG in the application server SG (no 0.0.0.0/0). Route tables: public subnet → IGW; private subnet → NAT gateway. Example CIDR rules: public subnet 10.0.1.0/24 (IGW), private subnet 10.0.2.0/24 (NAT). On-prem VLAN example: VLAN 10 = Public DMZ (edge), VLAN 20 = Internal; ACLs on the firewall allow only required ports from VLAN 10 to VLAN 20 and only to specific backend service IPs/ports.
Here are a couple of concrete rule examples you can adapt: Security group rule for ALB: Allow TCP 443 from 0.0.0.0/0 to SG-ALB. Application server SG: Allow TCP 443 from SG-ALB only. NSG example (Azure): Inbound rule priority 100: Allow TCP 443 from Internet to subnet 10.1.0.0/24 (application gateway subnet); Inbound rule priority 200: Deny all from Internet to 10.1.1.0/24 (internal app subnet). Host-based firewall (small Linux server) example: use UFW or iptables to only allow SSH from the management IP: e.g., iptables -A INPUT -p tcp --dport 22 -s
Monitoring, testing, and evidence collection
Turn on flow and audit logging to prove segmentation is working: VPC Flow Logs (AWS), Azure NSG flow logs, firewall logs, and host logs should be captured and retained per your policy. Perform internal network scans and periodic penetration tests that validate there is no direct path from the public subnet to sensitive internal subnets except via documented, controlled services. Capture: network diagrams with IP ranges, security group/ACL screenshots, route table configs, NAT/IGW attachments, flow logs showing traffic patterns, and test reports. For the Compliance Framework, package these artifacts in a control folder and reference them in your System Security Plan or equivalent documentation.
Small-business scenarios: if you run a customer-facing web app on a single cloud account, create one VPC with separate public and private subnets as outlined and put databases in the private subnet with no public IP. If you host on-premises and use a co-located web server, place the web server in a DMZ VLAN and proxy traffic to backend services across a firewall with strict ACLs; use a bastion host for administrative access. For low-budget options, managed services (like AWS Elastic Load Balancer + private RDS) simplify separation because managed services can sit in private subnets while the ALB handles public traffic.
Risks of not implementing segmentation include increased attack surface, lateral movement by attackers from a compromised public host to internal systems, exposure of CUI or contractor-sensitive data (leading to contract penalties under FAR), and failed audits. Operational impacts include harder incident containment, longer recovery times, and potential breach notification obligations. From a compliance perspective, lack of evidence of segmentation or failing segmentation tests are common findings that can delay contract awards or trigger remediation mandates.
In summary, implement a clear public/private subnet architecture, enforce least privilege via security groups/ACLs and routing, enable logging and periodic testing, and keep an auditable trail of design decisions and test results to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 SC.L1-B.1.XI. For small businesses the key is to keep the design simple, document everything, and use cloud-managed primitives (VPCs, ALBs, NSGs) or a small, auditable on-prem firewall configuration to demonstrate compliance without unnecessary complexity.
