NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(29) Separate Subnets to Isolate Functions

Implement {{ insert: param, sc-07.29_odp.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, sc-07.29_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.

Practitioner Notes

Use separate subnets to isolate different system functions — a web tier, an application tier, a database tier, a management tier — so a compromise in one area does not spread to others.

Example 1: In your data center, create separate VLANs for each functional tier. Use ACLs on your core switch to control traffic between tiers. The web tier can only reach the application tier on specific ports, and the application tier can only reach the database tier on the database port.

Example 2: In AWS, deploy a three-tier architecture with public subnets for load balancers, private subnets for application servers, and isolated subnets for databases with no internet gateway. Use Security Groups to enforce least-privilege network access between tiers.
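As an added illustration of the tier policy described in these notes (not part of the NIST text or any vendor tooling), the following Python script audits a set of ACL or security-group style rules against a least-privilege tier policy; the tier subnets, ports and rule sets are constructed assumptions, and the "flat" rule set is shown beside the segmented one so the audit has something to flag.

```python
"""Audit tier-to-tier network rules against a least-privilege segmentation policy.

All subnets, ports and rules below are constructed for this example.
"""
import ipaddress

# Functional tiers and their subnets (constructed, mirroring Example 2 above).
TIERS = {
    "public": ipaddress.ip_network("10.0.0.0/24"),   # load balancers
    "app":    ipaddress.ip_network("10.0.1.0/24"),
    "db":     ipaddress.ip_network("10.0.2.0/24"),   # no route to the internet
    "mgmt":   ipaddress.ip_network("10.0.9.0/24"),
}

# Permitted flows: (source tier, destination tier) -> allowed destination ports.
POLICY = {
    ("internet", "public"): {443},
    ("public", "app"):      {8080},
    ("app", "db"):          {5432},
    ("mgmt", "public"):     {22},
    ("mgmt", "app"):        {22},
    ("mgmt", "db"):         {22},
}

def tier_of(cidr):
    """Map a source CIDR to the tier that fully contains it.

    A source broader than any single tier (0.0.0.0/0, or the whole VPC range)
    is not confined to a tier and is treated as "internet", i.e. untrusted.
    """
    net = ipaddress.ip_network(cidr)
    for name, subnet in TIERS.items():
        if net.subnet_of(subnet):
            return name
    return "internet"

def audit(rules):
    """rules: list of (source_cidr, destination_tier, port). Returns violations."""
    findings = []
    for src_cidr, dst, port in rules:
        src = tier_of(src_cidr)
        if port not in POLICY.get((src, dst), set()):
            findings.append(f"{src_cidr} ({src}) -> {dst}:{port} not permitted by policy")
    return findings

# A flat rule set that collapses the tiers (constructed), beside a segmented one.
FLAT_RULES = [
    ("0.0.0.0/0", "public", 443),
    ("10.0.0.0/16", "app", 8080),   # entire VPC may reach the application tier
    ("0.0.0.0/0", "db", 5432),      # database port exposed to the internet
]
SEGMENTED_RULES = [
    ("0.0.0.0/0", "public", 443),
    ("10.0.0.0/24", "app", 8080),   # only the public tier reaches app:8080
    ("10.0.1.0/24", "db", 5432),    # only the app tier reaches db:5432
    ("10.0.9.0/24", "db", 22),      # management tier reaches db over SSH
]
```

Running `audit(FLAT_RULES)` returns two findings (the VPC-wide app rule and the internet-exposed database port), while `audit(SEGMENTED_RULES)` returns an empty list.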