NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.5 — Implement Subnetworks for Publicly Accessible System Components That Are Physically or Logically Separated from Internal Networks
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
If you have anything publicly accessible (a web server, a customer portal, an email gateway), it needs to live in a separate network segment (a DMZ) so that if it is compromised, the attacker cannot walk straight into your internal network where CUI lives.
Example 1: Configure a DMZ on your firewall with three zones: WAN (untrusted), DMZ (semi-trusted), and LAN (trusted). Place your public-facing web server in the DMZ. Create firewall rules that allow inbound HTTPS from WAN to DMZ, but block all direct traffic from DMZ to LAN. If the web server needs to query an internal database, allow only that specific port from the DMZ server's IP to the database server's IP.
Example 2: If you are using cloud services, leverage Azure Network Security Groups (NSGs) to isolate public-facing resources. Place your web app in a public subnet with an NSG that allows only port 443 inbound, and your backend services in a private subnet with an NSG that allows traffic only from the web app's subnet.
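The three-zone policy from Example 1, modelled as a first-match rule set with a default deny, is shown below as an added example (not from this page or any vendor's firewall). All addresses, the web server at 192.0.2.10, the database at 10.10.5.20 and the PostgreSQL port 5432 are constructed assumptions; the audit function flags any DMZ-to-LAN allow that is broader than one host, one host, one port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed zone addressing (assumption, not from the page).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
    "WAN": ANY,  # everything that is neither DMZ nor LAN
}

def zone_of(ip: str) -> str:
    """Longest-prefix match, so the /0 WAN catch-all never shadows DMZ or LAN."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, n in ZONES.items() if addr in n),
               key=lambda z: ZONES[z].prefixlen)

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "deny"
    src: IPNet = ANY            # narrow to a single host with a /32
    dst: IPNet = ANY
    port: Optional[int] = None  # None means any port

WEB = ipaddress.ip_network("192.0.2.10/32")  # public web server in the DMZ (constructed)
DB = ipaddress.ip_network("10.10.5.20/32")   # internal database in the LAN (constructed)

RULES = [
    Rule("WAN", "DMZ", "allow", dst=WEB, port=443),           # inbound HTTPS to the web server only
    Rule("DMZ", "LAN", "allow", src=WEB, dst=DB, port=5432),  # the one host-to-host DB exception
    Rule("DMZ", "LAN", "deny"),                               # nothing else crosses DMZ -> LAN
]

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (zone_of(src_ip), zone_of(dst_ip)):
            continue
        if s in r.src and d in r.dst and r.port in (None, port):
            return r.action
    return "deny"

def overly_broad_dmz_to_lan(rules) -> list:
    """Audit check: every DMZ -> LAN allow must name one source host, one destination host and one port."""
    return [r for r in rules
            if (r.src_zone, r.dst_zone, r.action) == ("DMZ", "LAN", "allow")
            and not (r.src.prefixlen == 32 and r.dst.prefixlen == 32 and r.port is not None)]
```

Running the audit against a proposed rule change before it is pushed to the firewall catches the common drift where the database exception is widened to a whole subnet or to any port.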