SC.L1-3.13.5/b.1.xi Public-Access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Source: FAR Clause 52.204-21 b.1.xi, NIST SP 800-171 Rev 2 3.13.5
Discussion: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
Assessment Objectives:
Determine if:
- [a] publicly accessible system components are identified; and
- [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].
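An added example, not part of the CMMC text: a constructed Python check over a simplified firewall rule set that exercises objective [a] (which components public sources can reach) and objective [b] (whether public and DMZ traffic is kept out of the internal network by the boundary device the Discussion describes). The zone names, the Rule schema, the allowlist and the sample rules are assumptions for illustration, not any product's format.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map: RFC 1918 space is internal, a documentation prefix is the DMZ.
ZONES = {"internal": [ip_network("10.0.0.0/8")], "dmz": [ip_network("192.0.2.0/24")]}

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dst_port: int | None  # None means every port
    action: str           # "allow" or "deny"

def zone_of(cidr: str) -> str:
    """Classify a CIDR as internal, dmz or public; "any" spans all zones."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr)
    for name, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return name
    return "public"

def public_components(rules: list[Rule]) -> set[tuple[str, int | None]]:
    """Objective [a]: every (destination, port) an allow rule exposes to public sources."""
    return {(r.dst, r.dst_port) for r in rules
            if r.action == "allow" and zone_of(r.src) in ("public", "any") and r.dst != "any"}

def find_violations(rules: list[Rule], dmz_to_internal_ok: set[int]) -> list[Rule]:
    """Objective [b]: allow rules letting public or DMZ sources into internal (dst "any" counts)."""
    bad = []
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) not in ("internal", "any"):
            continue
        src = zone_of(r.src)
        if src in ("public", "any"):
            bad.append(r)  # no boundary control between the internet and internal hosts
        elif src == "dmz" and (r.dst_port is None or r.dst_port not in dmz_to_internal_ok):
            bad.append(r)  # DMZ host reaches the internal network beyond the allowlisted ports
    return bad

# Constructed sample policy: a DMZ web server, its database hook, and two mistakes.
SAMPLE_RULES = [
    Rule("any", "192.0.2.10/32", 443, "allow"),            # internet -> DMZ web: expected
    Rule("192.0.2.10/32", "10.0.5.20/32", 5432, "allow"),  # DMZ web -> internal DB: allowlisted
    Rule("192.0.2.0/24", "10.0.0.0/8", None, "allow"),     # DMZ -> all internal: violation
    Rule("any", "10.0.1.1/32", 22, "allow"),               # internet -> internal SSH: violation
    Rule("any", "any", None, "deny"),                      # default deny
]
```

Running `find_violations(SAMPLE_RULES, {5432})` flags the two rules that breach the separation, while `public_components(SAMPLE_RULES)` lists what an assessor would expect to see documented as publicly accessible.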
SPRS Score: 5
POA&M Allowed: No