Demilitarized Zone (DMZ)

A DMZ (Demilitarized Zone) is a network segment that sits between your internal network and the internet, providing an additional layer of security for systems that need to be accessible from outside your organization. Web servers, email servers, and VPN gateways are typically placed in the DMZ, where they can serve external users without giving those users direct access to your internal network.

The DMZ is protected by firewalls on both sides — one facing the internet and one facing your internal network. If a system in the DMZ is compromised, the attacker still has to breach the inner firewall to reach your internal systems and data.
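As an added illustration (not part of the original page), the following Python model encodes the two-firewall layout described above as two small rule sets and checks which flows can cross them. Every address range, port and rule below is constructed for the example: a DMZ subnet on 203.0.113.0/24, an internal network on 10.0.0.0/8, a public web and mail service in the DMZ, and a single narrowly scoped database port that the web tier may reach on the inside. The useful point is the last check: a host in the DMZ that has been fully compromised can still only reach the one internal port the inner firewall explicitly allows.

```python
# Added example, not from the original page: a small model of the two-firewall
# DMZ design used to check which flows the outer and inner firewalls permit.
# All addresses, zones, ports and rules here are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address ranges for the three zones. "internet" is the catch-all.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # documentation range, stands in for the DMZ subnet
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # private internal network
}


def zone_of(ip: str) -> str:
    """Return the zone containing ip; anything not in a known range is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass
class Rule:
    src: str              # source zone name
    dst: str              # destination zone name
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny, as a firewall would do."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# Outer firewall (internet side): only the published DMZ services are reachable.
OUTER_RULES = [
    Rule("internet", "dmz", 443, "allow"),       # public web server
    Rule("internet", "dmz", 25, "allow"),        # inbound mail
    Rule("internet", "internal", None, "deny"),  # nothing from outside reaches the inside directly
]

# Inner firewall (internal side): internal hosts may manage the DMZ, but the DMZ
# may only reach one constructed internal service (web tier -> database port).
INNER_RULES = [
    Rule("internal", "dmz", None, "allow"),
    Rule("dmz", "internal", 1433, "allow"),
    Rule("dmz", "internal", None, "deny"),
]


def path_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """A flow must be allowed by every firewall that sits between its two zones."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d:
        return True  # no firewall sits between hosts in the same zone
    crossed = []
    if "internet" in (s, d):
        crossed.append(OUTER_RULES)   # outer firewall separates internet from everything else
    if "internal" in (s, d):
        crossed.append(INNER_RULES)   # inner firewall separates internal from everything else
    return all(evaluate(rules, src_ip, dst_ip, dport) == "allow" for rules in crossed)


def internal_ports_reachable_from_dmz(rules: List[Rule] = INNER_RULES) -> List[Optional[int]]:
    """Audit helper: list the internal ports a compromised DMZ host could still reach.
    A None entry means some rule allows dmz -> internal on any port, which is a finding."""
    return [r.dport for r in rules if r.src == "dmz" and r.dst == "internal" and r.action == "allow"]


if __name__ == "__main__":
    print("internet -> dmz web:", path_allowed("198.51.100.7", "203.0.113.10", 443))
    print("internet -> internal:", path_allowed("198.51.100.7", "10.1.2.3", 443))
    print("dmz -> internal ssh:", path_allowed("203.0.113.10", "10.1.2.3", 22))
    print("dmz -> internal db:", path_allowed("203.0.113.10", "10.1.2.3", 1433))
    print("internal ports exposed to dmz:", internal_ports_reachable_from_dmz())
```

The audit helper is the part worth keeping in practice: reviewing the inner firewall for any "dmz to internal, any port" allow rule is a quick way to confirm that the second firewall actually does the containment job the design promises.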

Why It Matters

Proper network segmentation, including DMZ architecture, is part of the system and communications protection requirements under CMMC. Keeping internet-facing services isolated from your CUI environment reduces the attack surface significantly.