NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(22) Separate Subnets for Connecting to Different Security Domains

Implement separate network addresses to connect to systems in different security domains.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels.

Practitioner Notes

When connecting to different security domains (classified vs. unclassified, production vs. development), each domain gets its own separate subnet with controlled interconnections.

Example 1: If your organization processes both CUI and public data, place CUI systems on a dedicated subnet with stricter firewall rules, stronger encryption requirements, and separate logging. Public-facing systems sit on a completely different subnet with their own security controls.

Example 2: For development and production environments, use separate VLANs with no direct routing between them. Developers cannot access production databases from their development subnet. Code moves between environments only through an approved CI/CD pipeline.
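The two examples above come down to one auditable property: every security domain has its own subnet, and the only "allow" paths between domains are the explicitly approved interconnections (such as the CI/CD runner). The following Python script is an added example, not part of the NIST control text or any product; it models the four domains from the examples with constructed, hypothetical private address ranges, declares the approved dev-to-prod interconnection, and audits a constructed firewall rule set for (a) overlapping domain subnets and (b) allow rules that cross domains outside the approved list. The rule format, addresses and the `Rule` type are assumptions for illustration.

```python
"""Audit a simple firewall rule list against SC-7(22) subnet separation.

Constructed example: domains, addresses and rules are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    """Small helper so rule tables and tests read cleanly."""
    return ipaddress.ip_network(cidr)


# One dedicated subnet per security domain (constructed sample addresses).
DOMAINS: Dict[str, Net] = {
    "cui": net("10.10.0.0/24"),     # systems handling CUI
    "public": net("10.20.0.0/24"),  # public-facing systems
    "dev": net("10.30.0.0/24"),     # development VLAN
    "prod": net("10.40.0.0/24"),    # production VLAN
}

# Approved cross-domain interconnections: (src domain, dst domain) -> hosts
# permitted to originate the traffic. Here only a hypothetical CI/CD runner
# in dev may reach prod; everything else between domains is a finding.
APPROVED: Dict[Tuple[str, str], Set[Net]] = {
    ("dev", "prod"): {net("10.30.0.5/32")},
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: Net
    dst: Net
    port: Optional[int] = None


def domain_of(n: Net, domains: Dict[str, Net] = DOMAINS) -> Optional[str]:
    """Name of the security domain whose subnet fully contains n, else None."""
    for name, subnet in domains.items():
        if n.subnet_of(subnet):
            return name
    return None


def check_subnets_disjoint(domains: Dict[str, Net]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose subnets overlap (should be empty)."""
    names = sorted(domains)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if domains[a].overlaps(domains[b]):
                overlaps.append((a, b))
    return overlaps


def audit_rules(rules: List[Rule],
                domains: Dict[str, Net] = DOMAINS,
                approved: Dict[Tuple[str, str], Set[Net]] = APPROVED) -> List[str]:
    """Flag allow rules that cross domains outside the approved interconnections.

    Deny rules never create a path, so they are skipped. An allow rule whose
    source or destination is not inside any domain (e.g. 0.0.0.0/0) is flagged,
    because a wildcard spans every domain at once.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = domain_of(r.src, domains), domain_of(r.dst, domains)
        if s is None or d is None:
            findings.append(f"{r}: source or destination is not confined to one security domain")
            continue
        if s == d:
            continue  # intra-domain traffic is governed by that domain's own controls
        hosts = approved.get((s, d), set())
        if any(r.src.subnet_of(h) for h in hosts):
            continue  # matches an approved interconnection
        findings.append(f"{r}: allows {s} -> {d} traffic outside an approved interconnection")
    return findings


# Constructed rule set mirroring the two practitioner examples.
SAMPLE_RULES: List[Rule] = [
    Rule("allow", net("10.10.0.0/24"), net("10.10.0.0/24"), 443),   # CUI internal: fine
    Rule("allow", net("10.30.0.5/32"), net("10.40.0.0/24"), 22),    # CI/CD runner -> prod: approved
    Rule("allow", net("10.30.0.0/24"), net("10.40.0.0/24"), 5432),  # dev -> prod DB: finding
    Rule("allow", net("10.20.0.0/24"), net("10.10.0.0/24"), 443),   # public -> CUI: finding
    Rule("allow", net("0.0.0.0/0"), net("10.40.0.0/24"), 80),       # wildcard source: finding
    Rule("deny", net("0.0.0.0/0"), net("0.0.0.0/0")),               # default deny
]

if __name__ == "__main__":
    for a, b in check_subnets_disjoint(DOMAINS):
        print(f"OVERLAP: {a} and {b} share address space")
    for f in audit_rules(SAMPLE_RULES):
        print("FINDING:", f)
```

Run against a real export, the same two checks give a defender a quick confirmation that the "no direct routing between environments" promise in Example 2 is actually what the rule base enforces, and that the only dev-to-prod path is the pipeline host; any extra allow line between domains surfaces as a finding rather than being discovered during an incident.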