Practice 11 of 15 · FAR 52.204-21(b)(1)(xi) · SC (System & Communications Protection)

SC.L1-b.1.xi

Separate publicly accessible systems

Anything publicly accessible — your company website, a public quote portal, a public file-sharing site — must live on a subnetwork separate from the internal network where FCI lives. In practice for small shops: your website is hosted by a SaaS provider (which is already separate), and you don't run public services on the office LAN.

Official text

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

FAR 52.204-21(b)(1)(xi), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • Website hosted by a third-party provider (Vercel, Netlify, Squarespace, WordPress.com) instead of a server in the office.
  • If you do host on-prem: a DMZ or dedicated VLAN for public-facing systems, separate from the LAN.
  • Guest Wi-Fi on its own subnet / VLAN.
  • Public-facing portals (e.g. a customer quote form) running in a separate cloud environment from the FCI tenant.
  • Configuration screenshot showing the public subnet cannot reach the internal subnet.

Common ways small shops fail this

  • Running the company website off a server in the office, on the same network as the FCI file server.
  • Guest Wi-Fi bridged into the main LAN.
  • A public file-share box (FTP, NAS) sitting on the office LAN.
  • A self-hosted CRM / quoting tool exposed to the internet from the office.
  • IoT devices (cameras, smart TVs) on the same VLAN as work computers.

How to fix it in a weekend

  1. Move the company website to a SaaS host (you almost certainly already have this). Confirm nothing is hosted in the office.
  2. Put Guest Wi-Fi on its own VLAN that cannot reach the company LAN.
  3. If you run any public service from the office, move it to the cloud or stand up a dedicated VLAN.
  4. Move IoT / cameras / smart TVs onto Guest Wi-Fi.
  5. Add the separation to your one-page network diagram.
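The "before" and "after" of the five steps above, and the "public subnet cannot reach the internal subnet" evidence item, can be checked mechanically. The script below is an added example, not part of the Custodia guide: it takes a device inventory (which VLAN each box sits on and whether it is an FCI host, a public-facing service, a guest client or an IoT device) plus the router's inter-VLAN allow/deny list, and reports two kinds of finding: an untrusted device placed on the same VLAN as an FCI host (the "flat LAN" failures listed earlier), and an untrusted device that the policy still lets reach an FCI host across VLANs. The addressing plan, device names and rules are constructed for the example; first-match evaluation with a configurable default is assumed, which is how most small-office routers and firewalls behave.

```python
"""Check that publicly accessible / untrusted systems are separated from the
network where FCI lives, the way SC.L1-b.1.xi expects.

Added example, not part of the original guide. The device inventory, VLAN
addressing and firewall rules below are constructed to mirror the failure
patterns and fix steps in the guide; replace them with your own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed addressing plan (assumption): one subnet per VLAN.
VLANS = {
    "LAN":   ip_network("10.0.10.0/24"),  # FCI file server and workstations
    "DMZ":   ip_network("10.0.20.0/24"),  # anything public-facing still hosted on-prem
    "GUEST": ip_network("10.0.30.0/24"),  # guest Wi-Fi, cameras, smart TVs
}
ANY = ip_network("0.0.0.0/0")
UNTRUSTED_ROLES = {"public", "guest", "iot"}   # may never share a VLAN with FCI

@dataclass(frozen=True)
class Device:
    name: str
    vlan: str      # key of VLANS, or "SAAS" for a hosted provider
    ip: str
    role: str      # "fci", "workstation", "public", "guest", "iot"

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str    # "allow" or "deny"

def decide(rules, default, src_ip, dst_ip):
    """First-match ACL evaluation, as most routers/firewalls do it."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default

def audit(devices, rules, default):
    """Return findings; an empty list means the separation holds on paper."""
    findings = []
    fci = [d for d in devices if d.role == "fci"]
    for d in devices:
        if d.role not in UNTRUSTED_ROLES or d.vlan == "SAAS":
            continue   # SaaS-hosted site is already off the office network
        for f in fci:
            if f.vlan == d.vlan:
                # (a) placement: untrusted device on the same VLAN as an FCI host
                findings.append(f"{d.role} '{d.name}' shares VLAN {d.vlan} with FCI host '{f.name}'")
            elif decide(rules, default, d.ip, f.ip) == "allow":
                # (b) policy: separate VLAN, but the firewall still lets it through
                findings.append(f"{d.role} '{d.name}' ({d.ip}) can reach FCI host '{f.name}' ({f.ip})")
    return findings

# "Before": everything on one flat LAN, guest SSID bridged in, router allows all.
BEFORE = [
    Device("fileserver",  "LAN", "10.0.10.5",  "fci"),
    Device("www",         "LAN", "10.0.10.20", "public"),   # company site hosted in the office
    Device("guest-phone", "LAN", "10.0.10.77", "guest"),
    Device("lobby-cam",   "LAN", "10.0.10.90", "iot"),
]
FLAT_RULES = ([], "allow")

# "After" (fix steps 1-4): website moved to SaaS, one on-prem portal in a DMZ,
# guests and IoT on GUEST, default-deny policy with explicit exceptions.
AFTER = [
    Device("fileserver",   "LAN",   "10.0.10.5",  "fci"),
    Device("www",          "SAAS",  "",           "public"),
    Device("quote-portal", "DMZ",   "10.0.20.10", "public"),
    Device("guest-phone",  "GUEST", "10.0.30.77", "guest"),
    Device("lobby-cam",    "GUEST", "10.0.30.90", "iot"),
]
SEGMENTED_RULES = ([
    Rule(VLANS["DMZ"],   VLANS["LAN"], "deny"),
    Rule(VLANS["GUEST"], VLANS["LAN"], "deny"),
    Rule(VLANS["LAN"],   VLANS["DMZ"], "allow"),   # admins manage the portal
    Rule(VLANS["DMZ"],   ANY,          "allow"),   # portal out to the internet
    Rule(VLANS["GUEST"], ANY,          "allow"),   # guests out to the internet
], "deny")

# Same rules with the two "out to the internet" allows placed first: a common
# mistake that silently re-opens DMZ/GUEST -> LAN because ANY also covers the LAN.
MISORDERED_RULES = (SEGMENTED_RULES[0][3:] + SEGMENTED_RULES[0][:3], "deny")

if __name__ == "__main__":
    for label, devs, (rules, default) in [("before", BEFORE, FLAT_RULES),
                                          ("after", AFTER, SEGMENTED_RULES),
                                          ("misordered", AFTER, MISORDERED_RULES)]:
        found = audit(devs, rules, default)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for line in found:
            print("   -", line)
```

The check is on the policy as written, not on live traffic: it does not model stateful return traffic or per-port exceptions, and a router with a bug or a misconfigured trunk port can still bridge VLANs that look separate on paper. Pair it with a live test (from a guest or DMZ host, try to reach the FCI file server's address and confirm it fails) and keep both the rule listing and that test result as the configuration evidence an assessor asks for. The misordered case is worth keeping in your own checks: rule order is the most common way a default-deny policy quietly stops being one.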

FAQ

What if I don't run any publicly accessible systems at all?

Then this practice is trivially MET. Note in your boundary document that no publicly accessible systems live on the company network (the website is SaaS-hosted, no public services run from the office) and you're done.

Related references

Doing all 15 yourself? Use the checklist.

Custodia's free CMMC Level 1 checklist walks the same 15 requirements with a self-assessment workflow, generates your SSP and affirmation memo, and posts your SPRS score for you.

Open the checklist →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)