Put anything the public can reach — web servers, mail relays, guest Wi-Fi — on a separated subnetwork, not your internal network.
What it actually means
Publicly accessible components — a public web server, a guest network, a mail gateway — must sit in a separate subnetwork, a DMZ, that is physically or logically isolated from the internal network where CUI lives. If a public box gets compromised, the attacker lands in the DMZ, not next to your CUI.
Pass or fail — an assessor needs a "yes" to each
- Are publicly accessible systems on a separate subnetwork / VLAN, not on the internal CUI network?
- Is traffic between the DMZ and the internal network filtered and restricted?
What to have ready
- Network diagram showing the DMZ / segmentation
- Firewall or VLAN rules between the public segment and the internal network
Where teams trip up
- A public-facing server sitting on the same flat LAN as workstations and CUI
- Guest Wi-Fi bridged into the internal network
Also a Level 1 (FCI) requirement and a 5-point control. If you host nothing publicly accessible, document that — but guest Wi-Fi and any internet-reachable service still count.
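One way to turn the two pass/fail questions above into a repeatable check, as an added example that is not part of the original page: given a subnet map, a host inventory and the DMZ-to-internal firewall rules, it flags any public-facing host that is not in the DMZ and any DMZ-to-internal allow rule that is broader than one host and one port. The subnets, hosts and rules are constructed sample data and the addressing is hypothetical.

```python
"""Segmentation evidence check (added example; sample data is constructed)."""
from ipaddress import ip_address, ip_network

# Constructed subnet map (hypothetical addressing, documentation ranges).
SUBNETS = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal_cui": ip_network("10.10.0.0/16"),
    "guest_wifi": ip_network("198.51.100.0/24"),
}

# Constructed inventory: "public" marks a system reachable from the internet.
INVENTORY = [
    {"name": "www-1", "ip": "192.0.2.10", "public": True},
    {"name": "mail-gw", "ip": "10.10.5.20", "public": True},   # sits on the CUI LAN
    {"name": "fileshare-cui", "ip": "10.10.8.4", "public": False},
]

# Constructed DMZ -> internal rules: (src, dst, dst_port or "any", action).
DMZ_TO_INTERNAL_RULES = [
    ("192.0.2.0/24", "10.10.0.0/16", "any", "allow"),  # whole DMZ to whole CUI net
    ("192.0.2.10/32", "10.10.3.7/32", 5432, "allow"),  # web server to one DB host/port
]


def segment_of(ip):
    """Return the subnet name an address falls in, or None if unmapped."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def misplaced_public_hosts(inventory):
    """First question: public-facing systems that are not on the DMZ segment."""
    return [h["name"] for h in inventory
            if h["public"] and segment_of(h["ip"]) != "dmz"]


def overbroad_rules(rules):
    """Second question: DMZ -> internal allows that cover more than one
    destination host, or all ports, are not 'filtered and restricted'."""
    findings = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue
        if port == "any" or ip_network(dst).num_addresses > 1:
            findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    print("public hosts outside the DMZ:", misplaced_public_hosts(INVENTORY))
    print("over-broad DMZ->internal allows:", overbroad_rules(DMZ_TO_INTERNAL_RULES))
```

Feed it the real subnet map and a rule export and the two lists are the gaps an assessor would ask about; an empty list for both backs up a "yes" on each question.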