Public-access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What an assessor scores, the objectives
SC.L2-3.13.5 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.publicly accessible system components are identified
- b.subnetworks for publicly accessible system components are physically or logically separated from internal networks
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For SC.L2-3.13.5, an assessor uses these:
Examine: System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; system developers; personnel with boundary protection responsibilities
Test: Mechanisms implementing boundary protection capability
What it means, in context
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place internal systems on the same network as the publicly accessible systems, and block access by default from DMZ networks to internal networks. One method of accomplishing this is to create a DMZ network, which enhances security by providing public access to a specific set of resources while preventing connections from those resources to the rest of the IT environment. Some OSAs achieve a similar result through the use of a cloud computing environment that is separated from the rest of the company's infrastructure.
Example
The head of recruiting at your company wants to launch a website to post job openings and allow the public to download an application form [a]. After some discussion, your team realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the server separately from the company's internal network and make sure the network on which it resides is isolated with the proper firewall rules [b].
Potential Assessment Considerations
- Are any system components reachable by the public (e.g., internet-facing web servers, VPN gateways, publicly accessible cloud services) [a]?
- Are publicly accessible system components on physically or logically separated subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such as DMZs) [b]?
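As an added illustration, not part of this page or the CMMC assessment guide, the following models the default-deny perimeter rule set described above and checks objective [b] over it: the public may reach the DMZ web server on 443, internal admins may reach the DMZ, and nothing originating in the DMZ may reach the internal network. The subnets, ports and rule order are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the page): the office LAN that
# holds CUI, and a DMZ subnet fronting the public job-posting web server.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")   # TEST-NET-1 standing in for the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# First-match rule set; anything not matched falls through to the default deny.
RULES = [
    Rule(ANY, DMZ, 443, "allow"),         # public -> DMZ web server only
    Rule(INTERNAL, DMZ, None, "allow"),   # internal admins may manage the DMZ
    Rule(DMZ, INTERNAL, None, "deny"),    # explicit, so it shows up in the evidence
]

def evaluate(rules, src, dst, dport):
    """Return the action for one connection attempt under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"   # default deny: no rule matched

def dmz_is_separated(rules, dmz=DMZ, internal=INTERNAL, ports=(22, 445, 3389, 443)):
    """Objective [b] check: no DMZ host may open a connection to any internal host
    on the probed ports. Probes the first and last usable address of each subnet."""
    probes = [(str(s), str(d), p)
              for s in (dmz[1], dmz[-2])
              for d in (internal[1], internal[-2])
              for p in ports]
    return all(evaluate(rules, s, d, p) == "deny" for s, d, p in probes)

# A misordered rule set: an allow from DMZ to internal placed ahead of the deny.
MISORDERED = [Rule(DMZ, INTERNAL, 445, "allow")] + RULES
```

Running `dmz_is_separated(RULES)` returns True, while `dmz_is_separated(MISORDERED)` returns False, which is the condition an assessor would flag when reading the firewall rules against the diagram.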
What passing evidence looks like
Public-facing systems separated from the CUI network: either the website hosted outside the network (at a hosting provider) or a DMZ, shown on the network diagram and in the firewall rules.
Common ways contractors fail SC.L2-3.13.5
- Five points, and usually already true for small shops: the website lives at a hosting provider, not on the office network. State that explicitly and name the hosting arrangement; that is the subnetwork separation.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove SC.L2-3.13.5, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
SC.L2-3.13.5 questions, answered
How many points is CMMC requirement SC.L2-3.13.5 worth?
SC.L2-3.13.5 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can SC.L2-3.13.5 be placed on a POA&M?
No. SC.L2-3.13.5 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does SC.L2-3.13.5 belong to?
SC.L2-3.13.5 is in the System & Communications Protection (SC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.13.5
- FAR Clause 52.204-21 b.1.xi