The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 · Network Architecture · Last reviewed

CMMC Network Segmentation: Requirements, Architecture, and Assessment Evidence

Independent Research · By The Defense Compliance Report Editorial Team · Last reviewed · Regulatory sources verified · Methodology · Editorial Standards

CMMC network segmentation is a way to isolate the systems that handle Controlled Unclassified Information (CUI) from the rest of your network, so the boundary a Level 2 assessment measures is smaller. It is not a named CMMC requirement. It’s an architecture and scoping method you use to satisfy boundary, CUI-flow, and public-system controls — and to reduce how many of your assets an assessor has to evaluate.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice — confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

You opened your network diagram, saw one flat network with your CUI file server sitting next to the front-desk PC and the shop-floor machines, and asked the only question that matters for your budget: does my whole company have to meet CMMC, or just part of it?

Segmentation is how you make the answer “just part of it.” Done right, it can shrink the assessment from your entire company down to a defined enclave, which is where compliance cost actually lives. But here’s the part most vendors won’t say out loud: it does notwall everything else off automatically, and a badly built boundary can cost you money and still collapse under the assessment. Both of those caveats are the whole reason this page exists — so let’s get them right.

We read the primary sources so you can act on them: 32 CFR Part 170 (the CMMC Program Rule), NIST SP 800-171 Revision 2 (the 110 Level 2 security requirements), the Department of Defense’s CMMC Level 2 Scoping Guide and Assessment Guide, the DoD’s official CMMC Program FAQ, the Cyber AB’s CMMC Assessment Process, and DFARS clauses 252.204-7012, -7019, -7020, -7021, and -7025. Where a claim comes from a rule, we cite the rule. Where it’s our editorial judgment, we say so.

Does network segmentation fit your situation? The 60-second read

Network segmentation is the right primary strategy when your CUI footprint is genuinely narrow and separable, and the wrong one when most of your company already touches CUI. The table below is the fast decision. Everything after it is the proof, the architecture options, and the evidence an assessor will actually test.

QuestionBottom line
Is “network segmentation” a named CMMC control?No.It’s a method used to satisfy several boundary, flow, and public-system requirements — and to keep your assessment scope small.
Can I use logical separation, or do I need physically separate networks?Logical separation is allowed. Physical separation (an air gap) is one option, not a universal requirement (CMMC Level 2 Scoping Guide).
Is a VLAN enough?A VLAN can be part of the answer — but the label alone proves nothing. The configuration has to actually stop unauthorized transfer, and you have to be able to test it.
Does segmentation shrink the CUI boundary to only the CUI enclave?Not by itself.Security Protection Assets, some Contractor Risk Managed Assets, Specialized Assets, and certain external services can stay in scope even when they sit outside the CUI VLAN (32 CFR § 170.19).
Does segmentation reduce the 110 Level 2 requirements?No. It reduces how many assets are assessed and how each category is treated. Your CUI Assets are still measured against all 110.
What actually proves the boundary?A consistent asset inventory, network diagram, System Security Plan (SSP), approved-flow rules, firewall/ACL configs, logs, and reproducible allowed-vs-blocked tests.
When is segmentation the wrong call?When CUI is everywhere, shared services make the boundary artificial, or staff would constantly work around it. A broader Level 2 environment can be simpler and more defensible.

Not ready to design architecture yet? Start with the CMMC Level 2 readiness checklist to see where your gaps are, then come back to the boundary decision.

Where CMMC stands right now: The 48 CFR acquisition rule took effect November 10, 2025, starting a four-phase rollout defined in 32 CFR § 170.3(e). Phase 1 runs November 10, 2025 through November 9, 2026 and centers on Level 1 and Level 2 self-assessments, though the DoD may require a C3PAO assessment for specific contracts. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification starts appearing as a condition of award for applicable new contracts (though a certification condition may be deferred to an option period). CMMC Level 2 is assessed against NIST SP 800-171 Revision 2— not Revision 3 (CMMC Program FAQ).

Why that last date matters: the fixed deadline is Phase 2 on November 10, 2026, and your network architecture is the first thing that determines how much lead time you need. For a CUI environment, readiness is rarely a matter of weeks. If a Phase 2 contract will require a certified Level 2 environment, the architecture decision on this page is not a “someday” decision.

The right CMMC provider isn’t the same for every contractor.

The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause — flagged in the solicitation — sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

Find My CMMC Path →Do not submit CUI, drawings, or sensitive contract details.

What does CMMC network segmentation actually require?

CMMC Level 2 contains no requirement titled “network segmentation.” Segmentation is the architecture method you use to satisfy requirements about controlling communications at boundaries, controlling CUI flow, isolating publicly accessible systems, and denying traffic by default — and to justify that certain assets sit outside your assessment scope. Physical or logical separation becomes specifically material the moment you claim an asset is Out-of-Scope (32 CFR § 170.19).

That distinction sounds academic. It isn’t. It’s the difference between buying a firewall and thinking you’re done, versus building a boundary you can prove.

Segmentation is a method — not a product, and not a certification

No firewall, VLAN, microsegmentation platform, secure cloud, or “CMMC-ready” enclave gives you CMMC certification. Your organization earns a CMMC status by meeting and demonstrating the applicable requirements across your assessment scope. A product can help you get there. It cannot get there for you, and any vendor implying otherwise is selling past the truth.

CMMC Level 2 incorporates all 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 families(which the CMMC model calls domains). Segmentation doesn’t shrink that list. And not every in-scope asset is measured the same way: CUI Assets are assessed against all 110 requirements; Security Protection Assets are assessed only against the requirements relevant to the security capabilities they provide; and Contractor Risk Managed Assets and Specialized Assets receive the distinct treatment specified in 32 CFR § 170.19. What segmentation changes is which of your assets land in which category — and how many end up fully in scope.

Scoping questions and security questions are two different things

Contractors blur these constantly, and assessors don’t. Keep them separate and the whole process gets clearer.

The scoping questionThe security question
Which assets are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope?Do the controls you implemented actually work?
Can you justify the boundary you drew?Are approved flows enforced and unapproved flows blocked?
Do your inventory, SSP, and network diagram describe the same environment?Do configs, logs, interviews, and tests back up the documentation?

Segmentation lives on the left. It answers “what’s in scope.” But every scoping decision you make creates a security-and-evidence obligation on the right — and that’s where boundaries fall apart under assessment.

The one hard truth about segmentation

Here’s the admission most CMMC marketing skips: a badly built boundary is worse than no boundary at all. If you stand up a “CUI VLAN” with no enforced policy between it and the corporate LAN, or you label systems “out of scope” while they still have a live path to CUI, you’ve spent money on separation andyou’ve set yourself up for pain. A defect doesn’t necessarily fail your whole certification — but the affected assessment objectives can be found NOT MET, and a claimed Out-of-Scope treatment can simply be rejected, which expands your scope right back out during the assessment (32 CFR §§ 170.17, 170.19).

Now the hopeful part, because this is very learnable: the requirements are knowable, the architectures are a short list, and the evidence an assessor examines is predictable. Get the architecture right up front and segmentation becomes one of the biggest levers you have for cutting CMMC cost and risk. The rest of this page is the map.

Map your boundary before you buy tools. Answer a few non-sensitive questions about where CUI enters, which services are shared, and how traffic is controlled, and get pointed to the provider category that fits the problem.

Use Find My CMMC Path →Do not submit CUI, drawings, system diagrams, or sensitive contract details.

Which NIST SP 800-171 Rev. 2 controls push you toward segmentation?

Segmentation isn’t required by name, but a cluster of NIST SP 800-171 Rev. 2 requirements makes it the practical way to comply when you choose a segmented architecture: boundary protection at external and key internal boundaries (3.13.1), a separated subnetwork for public-facing systems (3.13.5), deny-by-default traffic (3.13.6), separation of user and management functions (3.13.3), and control of CUI flow (3.1.3). Remote-access and transmission requirements pull in the same direction. In CMMC these carry a domain-and-level label — for example, SC.L2-3.13.1 means System and Communications Protection, Level 2, NIST requirement 3.13.1.

This is the part of the internet you’d otherwise assemble from a dozen browser tabs. We built it into one table. Below, each requirement is paired with the job it does in a segmented environment, where you actually enforce it, the evidence that proves it, a test you can run yourself, and the “false proof” trap that fails contractors who thought they were fine.

The CMMC Network Segmentation Control → Evidence Matrix

Principal, non-exhaustive mapping — the requirements most directly connected to segmentation, not the full 110. The exact assessment objectives remain those in NIST SP 800-171A (June 2018) and the current DoD CMMC Level 2 Assessment Guide. The “Official requirement” column is our plain-language summary, not verbatim regulatory text. The “Role,” “Where you enforce it,” “DCR challenge test,” and “False-proof trap” columns are The Defense Compliance Report’s editorial synthesis — a verification exercise, not a prescribed C3PAO script and not a certification guarantee.

Role key — Core: directly enforces the CUI boundary or an approved flow. Supporting: protects a path or function that could defeat the boundary. Conditional: matters when that architecture or access method is present.

Authority / requirementOfficial requirement (plain-language summary)RoleWhere you enforce itEvidence a C3PAO can examineDCR challenge testThe “false proof” trap
32 CFR § 170.19Defines the CMMC Assessment Scope and how each asset category is treatedScope gateThe CUI boundary and every asset/service relationshipAsset inventory, SSP, network diagram, category rationale, Customer Responsibility MatrixPick a sample asset and CUI path; explain why it’s a CUI Asset, SPA, CRMA, Specialized, or Out-of-ScopeTreating the world as just “inside” and “outside”
AC.L2-3.1.3Control the flow of CUI in accordance with approved authorizationsCoreFirewall, ACL, proxy, secure transfer pointCUI-flow map; source-destination-protocol-port authorization matrix; rules; approvals; logsConfirm one approved flow works and one unapproved flow is blocked“The CUI VLAN exists” while broad routing between zones remains open
AC.L2-3.1.12Monitor and control remote-access sessionsConditionalVPN, ZTNA gateway, VDI gateway, jump hostRemote-access policy, MFA config, session settings, connection logsAttempt access with an unauthorized account/device/location; verify denialAssuming “we have a VPN” proves remote access is controlled
AC.L2-3.1.14Route remote access via managed access-control pointsConditionalManaged VPN / remote-access gatewayDiagram, client routes, gateway config, approved access pointsTry an alternate route that bypasses the managed gatewayAn unmanaged side connection reaches the CUI environment
AC.L2-3.1.20Verify and control/limit connections to and use of external systemsSupporting / conditionalEgress gateway, proxy, firewall, secure exchange serviceExternal-connection inventory, business approvals, destination/protocol rules, logsAttempt an unapproved external destination or protocol; verify enforcementUnrestricted outbound traffic because only inbound exposure was considered
AC.L2-3.1.22Control CUI posted or processed on publicly accessible systemsConditionalPublic/DMZ tier, web publishing workflow, review processPublic-system inventory, content-review process, configVerify no CUI is reachable on a public-facing systemAssuming public web assets can’t touch CUI without checking
SC.L2-3.13.1Monitor, control, and protect communications at external and key internal boundariesCorePerimeter and internal firewalls, gateways, IDS/IPSBoundary diagram, config, rule set, monitoring records, review evidenceSend approved and prohibited traffic across a defined boundary; verify control and visibilityA clean-looking diagram with no matching enforcement or monitoring
SC.L2-3.13.2Apply security-engineering principles and secure architectureSupportingArchitecture and change-design processDesign rationale, trust-zone model, architecture review, change recordTrace a real CUI workflow and compare it against the documented designBuying a product without documenting why the design protects the workflow
SC.L2-3.13.3Separate user functionality from system-management functionalitySupportingManagement network/interface, jump host, privileged-access workstation, PAMAdmin-path diagram, role rules, config, privileged logsVerify ordinary users can’t access system-management functions; verify management-network separation where usedSeparate admin accounts, but an open network path from ordinary endpoints
SC.L2-3.13.5Place publicly accessible components on subnetworks physically or logically separated from internal networksConditionalDMZ, public subnet, reverse-proxy tierPublic-component inventory, DMZ diagram, inbound/east-west rules, logsVerify a public component can’t initiate an unauthorized path inwardTreating 3.13.5 as the rule for all internal CUI segmentation (it’s about public systems)
SC.L2-3.13.6Deny network traffic by default; permit by exceptionCoreThe system boundary and identified points within the system, via managed interfacesDefault-deny config, explicit allow rules with rationale/owner/review date, logsSend unmatched traffic and verify it’s denied; test each required exception worksBroad any-any rules or an implicit-allow posture
SC.L2-3.13.7Prevent split tunneling during remote accessConditionalVPN client and gatewayClient route config, remote-access policy, gateway controls, logsDuring a remote session, attempt the competing external path the control blocksTunneling the CUI route while leaving an uncontrolled second connection open
SC.L2-3.13.8Use cryptographic mechanisms — or alternative physical safeguards — to prevent unauthorized disclosure of CUI in transitSupportingTLS, IPsec, VPN, secure transfer mechanismCrypto config, protocol/certificate inventory, FIPS evidence where requiredConfirm CUI isn’t observable in plaintext on the tested pathTreating encryption as separation rather than transit protection
SC.L2-3.13.11Employ FIPS-validated cryptography when used to protect CUI confidentialitySupportingCrypto modules across in-scope systemsFIPS validation certificates, crypto configurationConfirm the modules protecting CUI are FIPS-validatedAssuming “it’s encrypted” satisfies the requirement without FIPS validation

The official language and the examine-interview-test method come from the CMMC rule, the NIST publication, and the DoD Level 2 Assessment Guide. The connective tissue — roles, enforcement examples, challenge tests, and the false-proof column — is ours, built to turn a list of controls into an architecture you can build and defend.

Why Revision 2 — and why it matters here

Design to the wrong standard and you’ll implement controls that aren’t the ones being assessed. The DoD’s CMMC Program FAQ states plainly that CMMC assessments are conducted against NIST SP 800-171 Revision 2, and that while a company may choose to implement Revision 3, it must still account for the current CMMC Revision 2 baseline until the rule changes through the formal process. Any competitor page telling you Level 2 maps to “800-171 r3” is describing a future that isn’t the assessment reality today.

Is a VLAN enough for CMMC network segmentation?

A VLAN can be a legitimate part of logical separation — but the VLAN label or subnet assignment is not the proof. The question an assessor asks is whether your configuration actually prevents unauthorized transfer, permits only approved flows, produces usable evidence, and survives testing. And one thing is settled: encryption alone does not create the boundary (CMMC Program FAQ).

This is one of the most common points of confusion we see in defense-contractor forums — “Can we use VLANs, or do the networks have to be physically separate?” So let’s answer it precisely.

Logical separation vs. physical separation

The DoD’s Scoping Guide defines both, and the CMMC Program FAQ names the mechanisms that count. Physical separation means no connection at all — wired or wireless. Logical separation means data transfer between physically connected assets is prevented by non-physical means such as firewalls, routers, VPNs, or VLANs. Note that VLANs are explicitly on that list. The catch is the word prevented.

MethodWhat it meansPotential CMMC useMain limitation
Physical separation (air gap)No wired or wireless connection between environmentsNarrow environments needing complete disconnectionExpensive; doesn’t remove the controls that still apply inside the separated environment
VLAN only (Layer 2)Logical separation at the switch levelOne component of a boundaryInter-VLAN routing or trunk misconfig can defeat it entirely
VLAN + restrictive ACLsLogical separation with explicit traffic rulesPotentially defensible when documented, monitored, testedStateless or over-permissive rules leave hidden paths
VLAN + stateful internal firewallSegmentation with inspected, logged, default-deny enforcementStronger evidence for controlled flowsRule sprawl and undocumented exceptions undermine it
MicrosegmentationWorkload-, host-, or identity-level enforcementUseful in complex or cloud environmentsProduct complexity and policy drift; not a named CMMC requirement
Physical air gap for CUIComplete disconnection of the CUI environmentSpecialized casesFile-transfer, update, and maintenance workarounds create new uncontrolled paths

Four VLAN scenarios, four verdicts

Encryption protects data in transit. It does not draw the boundary.

Two rules from the DoD’s own CMMC Program FAQ get confused constantly. Hold them together:

  1. Encryption alone does not create logical separation. In the FAQ’s words, logical separation is achieved by non-physical means such as firewalls, routers, VPNs, and VLANs; properly implemented encryption provides confidentiality but does not, by itself, prevent data transfer or enforce a network boundary. If you’re running TLS or IPsec across a flat network and calling those segments “separate,” an assessor won’t agree.
  2. Once an enclave is otherwise logically separated, encrypted CUI in transit doesn’t automatically drag the transit network into scope. The FAQ confirms that if your enclave is properly separated and CUI is encrypted before it leaves, the enterprise networking components carrying that encrypted traffic don’t have to be pulled into your assessment scope.

Both conditions have to be visible together. Encryption (or, less commonly, an alternative physical safeguard permitted under SC.L2-3.13.8) protects CUI in transit. That is not the same as drawing the boundary.

How does network segmentation change CMMC scope — and what stays in scope?

Segmentation reduces the number of assets assessed and changes how each category is treated — but it does not reduce the 110 Level 2 requirements, and it does not make everything outside your CUI VLAN automatically out of scope. The CMMC Level 2 Scoping Guide sorts every asset into five categories, and shared services like identity, logging, and backup often stay in scope even when they don’t hold CUI (32 CFR § 170.19).

The five Level 2 asset categories, translated for the network

The full classification logic lives on our CMMC scoping guide. Here’s what a network architect specifically needs to know about how each category interacts with the boundary you’re building. These distinctions come directly from 32 CFR § 170.19 and the DoD Level 2 Scoping Guide.

CategoryRelationship to segmentationWhat this page needs you to understand
CUI AssetProcesses, stores, or transmits CUIFully inside the CUI workflow; assessed against all 110 Level 2 requirements. Segmentation reduces how many systems land here.
Security Protection Asset (SPA)Provides security functions to the scope (firewall, SIEM, identity provider, MFA, MSSP)Assessed against the requirements relevant to the capability it provides. Can remain in scope even when it sits outside the CUI VLAN. Your segmentation devices themselves are usually SPAs.
Contractor Risk Managed Asset (CRMA)Can, but is not intended to, handle CUIDoes not have to be separated from CUI Assets. Managed under your risk-based security policies, procedures, and practices. If evidence shows it actually processes, stores, or transmits CUI, it no longer fits the CRMA definition.
Specialized AssetCan handle CUI but is hard to secure conventionally (OT, IoT, GFE, CNC, test equipment)Documented in the asset inventory, SSP, and network diagram and managed under your risk-based policies. At Level 2, the assessor reviews the SSP and does not assess the Specialized Asset against the other CMMC requirements.
Out-of-Scope AssetNo CUI, no protection role, physically or logically separatedThis is the goal of segmentation. It’s also the strongest claim an assessor probes — separation has to be technically enforced, not declared.

Shared services that don’t hold CUI but still land in scope

A service or asset is in scope when it processes, stores, or transmits CUI or Security Protection Data, or provides a security function or capability to the assessment scope (32 CFR § 170.19). That rule catches most of the services that contractors assume they’ve segmented away.

Shared serviceLikely categoryThe deciding factor
Identity provider / SSOSPA (or CUI Asset if it stores CUI)Whether it stores CUI; the security function it provides
MFA serviceSPAThe capability it provides to the scope
EDR / antivirus managementSPAWhether it holds Security Protection Data
SIEM / log storageSPAWhat logs/config it holds
Backup platformCUI Asset if backups contain CUIWhether backups include CUI
DNS / DHCPSPA or CRMA by roleIts actual role relative to CUI systems
Privileged admin / jump hostSPAThe admin path and what it can reach
Print server / printersCUI Asset if CUI is printedWhether CUI is printed or spooled
Hypervisor / management planeSPA (guests may be CUI Assets)What it hosts and administers
MSP / MSSP tooling (External Service Provider)ESP, assessed within your scopeWhether it handles CUI or Security Protection Data, and which controls it's responsible for

On that last row, be precise: an MSP or MSSP is an in-scope External Service Provider (ESP) when its services process, store, or transmit CUI or Security Protection Data. The DoD’s CMMC Program FAQ and § 170.19 are explicit that a provider handling neither CUI nor SPD does not meet CMMC’s ESP definition. An MSP is not automatically a Cloud Service Provider, and an ESP is not necessarily required to hold its own CMMC status — its responsibilities are documented in a Customer Responsibility Matrix (CRM) and assessed as part of your scope.

When a remote laptop can stay out of scope

There is a legitimate path to keep endpoints out of scope, and it’s narrow. Per the Scoping Guide and the current CMMC Program FAQ, an endpoint that accesses CUI through a Virtual Desktop Infrastructure (VDI) may remain out of scope only when the server-side configuration prevents all processing, storage, or transmission of CUI beyond keyboard, video, and mouse; copy/paste, file transfer, drive mapping, local printing, saving, and screenshots are blocked; CUI stays entirely within the session; multifactor authentication to the VDI server is separate from the unmanaged client; only authorized users can connect; access is restricted to allowable locations; and the configuration is verified. If the endpoint can process, store, transmit, print, save, or capture CUI, it becomes a CUI Asset.

Which CMMC segmentation architecture fits your environment?

CMMC doesn’t prescribe one network topology. The right pattern depends on where CUI enters, is processed, stored, transmitted, and printed — and a whole-enterprise design can be simpler than a narrow enclave when CUI and shared services are everywhere. The DoD Level 2 Assessment Guide recognizes that an assessment can cover an enterprise network or one or more enclaves, depending on the scope you define.

This table is The Defense Compliance Report’s original multi-source synthesis, compared against the DoD’s logical-separation conditions and operational evidence requirements.

ArchitectureBest fitScope effectCan support logical separation?Controls most implicatedPrimary cost / operating-burden driversCommon failure modeLikely provider category
Flat network (no segmentation)Almost no one who handles CUIEvery connected system becomes a candidate for the boundaryNo separation to rely onNothing to build upfront; burden lands on assessment scope and evidenceThe population under § 170.19 balloonsReadiness partner to re-architect first
On-prem segmented CUI zoneLocal engineering, file servers, controlled office CUINarrows CUI to selected systemsPotentially — only if rules prevent unauthorized transfer and it’s documented and tested3.13.1, 3.13.6, 3.13.3, 3.1.3Firewall/hardware, configuration, rule administration, evidence upkeepShared AD/backup/logging/printers quietly stay in scopeRPO + CMMC-focused MSP/MSSP or network integrator
Cloud / VDI enclaveRemote users, document-centric CUICan shrink endpoint scope under strict VDI rulesPotentially — with proper logical separation and VDI conditions metIdentity + SC family + inherited controlsCloud subscription, migration, CRM management, endpoint lockdownAssuming the cloud “does compliance”; endpoints still in scope unless KVM-only VDIEnclave provider + readiness support
Hybrid (on-prem + cloud)CAD locally, collaboration in the cloud, remote usersEffective but adds boundary legsPotentially — each connection must be separated and documentedOn-prem boundary controls, cloud controls, identity, remote access, encrypted transitDuplicate tooling, two control sets, responsibility allocation, evidence across both“Two compliant halves” that ignore the link, identity, and transfer path between themRPO + MSP/MSSP with hybrid experience
OT / manufacturing segmentationCNC, CMM, PLC, test equipment, engineering transferCan contain office scope while retaining Specialized AssetsPotentially for the boundary; Specialized Assets handled separately3.13.1 + Specialized Asset treatmentIndustrial firewall, transfer station, OT constraints, legacy devicesLegacy protocols, removable media, vendor access, shared engineering PCsRPO + implementer with OT/manufacturing experience
Whole-enterprise Level 2Most staff and systems legitimately touch CUILittle boundary reduction, but fewer artificial exceptionsEnterprise-wide controlsThe relevant requirements applied broadlyBroad implementation footprint; more systems to secure and staffTrying to bolt on an enclave that doesn’t reflect realityReadiness/implementation program, not an enclave seller

On-prem enclave.The cleanest version is a dedicated CUI segment behind a stateful firewall running default-deny, with a separate management path so admins don’t reach the environment from ordinary desktops (SC.L2-3.13.3). If you have public-facing components — a VPN gateway or web portal — those go on a separated subnetwork such as a DMZ (SC.L2-3.13.5). The failure mode usually isn’t the firewall — it’s the shared backup, logging, and identity services that follow CUI home.

Cloud / VDI enclave.Moving CUI into a purpose-built government cloud can materially reduce your on-prem scope when the endpoint and shared-service conditions are met. But “we bought a GCC High or GovCloud tenant” is not a compliance strategy. When an external Cloud Service Provider stores, processes, or transmits covered defense information in performance of a contract containing DFARS 252.204-7012, the contractor must require and ensure FedRAMP Moderate-equivalent protections and the clause’s associated incident-reporting, preservation, and forensic-support obligations. CMMC and DFARS do not mandate Microsoft 365 GCC High or AWS GovCloud by brand — suitability depends on the data, the service, the contract clauses, authorization or equivalency evidence, your configuration, and the division of responsibility.

Hybrid. Two separately compliant environments do not automatically make one defensible environment. The connection between them, the split of responsibilities, the shared identity, the logs, and the data-transfer process all have to be in scope and documented.

OT and manufacturing.This is one of the more complex real-world cases: CNC machines and test equipment that receive engineering data but can’t run modern security tooling. One common pattern is a controlled transfer station and an industrial firewall segmenting the shop floor, with the machines documented as Specialized Assets. Availability and safety constraints are real here — don’t let a compliance design take a production line down.

Whole-enterprise.If your CUI is genuinely pervasive, an enclave can be a brittle fiction with dozens of exceptions to defend. Sometimes the honest answer is to bring the enterprise up to Level 2. We’d rather tell you that than sell you a boundary you’ll fight your assessor over.

Different problems need different providers.A scoping question, a firewall build, a managed cloud enclave, an evidence workflow, and a formal certification assessment are five different engagements — and blurring them is how contractors overpay. See how the categories compare on our CMMC scoping guide.

How do you build CMMC network segmentation, step by step?

Build from the CUI flow outward — not from a firewall inward. Confirm your contractual level and assessment type, map how CUI moves, classify your assets, define trust zones, authorize only the flows you need, test what’s allowed andwhat’s blocked, and make your inventory, diagram, SSP, configs, and logs all describe the same environment.

Steps 4–11 are The Defense Compliance Report’s implementation framework, derived from the cited requirements. They are not a prescribed DoD topology or a mandatory sequence — the DoD Assessment Guide’s examples are illustrative and don’t carry the force of law.

  1. Confirm the required level and assessment type. Your solicitation tells you. DFARS 252.204-7025is the solicitation provision where the contracting officer states the required level — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and DFARS 252.204-7021is the contract clause that carries the continuing obligation and flow-down. A checklist can’t tell you your level; the solicitation and contract do. Record the solicitation, the level, the assessment type, and which systems will perform the work.
  2. Map every CUI touchpoint.Where does CUI enter (email, DoD portals, secure file transfer, supplier uploads)? Where is it processed, stored, transmitted, printed, backed up, and destroyed? Include removable media and shop-floor transfers. This data-flow map is the backbone of your SSP and your diagram — and it’s what surfaces the systems you forgot.
  3. Classify assets before you finalize the boundary. Use the five-category model above. Get this wrong and every downstream decision inherits the error. (Full logic on our scoping guide.)
  4. Define trust zones and enforcement points. Typical zones: internet, DMZ/public, corporate, guest, CUI user, CUI server, management, security tooling, remote access, OT, printers, backup, external provider. Every boundary between zones needs a named enforcement point.
  5. Build the approved-flow matrix.For each permitted flow, document source, destination, direction, protocol, port, business purpose, the CUI relationship, the control it supports, the owner, the approval, and the log source. If a flow isn’t on the matrix, it shouldn’t be allowed.
  6. Implement deny-by-default, permit-by-exception.The DoD Level 2 Assessment Guide’s illustrative example for SC.L2-3.13.6 describes a firewall between the CUI environment and other networks, deny-all rules, only the required outbound traffic permitted, testing of required services, a comment or rationale on every rule, and regular rule review. Use that as a DoD illustrative example of how one organization couldsatisfy the requirement — not as a prescribed architecture or a port list to copy.
  7. Separate public, admin, and remote-access paths. Place publicly accessible components on a physically or logically separated subnetwork; a DMZ is one common implementation (SC.L2-3.13.5). Separate user functionality from system-management functionality; a jump host or privileged-access workstation is one possible implementation (SC.L2-3.13.3). Route remote access through managed access points (AC.L2-3.1.14), and disable split tunneling (SC.L2-3.13.7).
  8. Instrument the boundary.Define log sources and destinations, the events you capture, who reviews them, alert conditions, retention, and time synchronization. A boundary with no visibility is a boundary you can’t prove.
  9. Run positive and negative tests.This is the step people skip in an informal plan, and it’s the one that turns a diagram into evidence. Prove an approved application flow succeeds. Then prove the unapproved cases fail: unapproved source, unapproved destination, unapproved port, a general workstation reaching a management interface, a public server initiating an inbound connection, a remote bypass path, a split-tunnel attempt, and a VDI attempting to copy or print. Verify that prohibited paths fail and that expected monitoring or logging operates where logging is part of your boundary-protection and evidence design. A boundary you’ve tested both ways is a boundary you can defend.
  10. Reconcile every artifact. Line up the asset inventory, network diagram, CUI-flow diagram, SSP, firewall config, remote-access config, ESP/CSP Customer Responsibility Matrix, logs, test results, policies, and change tickets. When these disagree, the discrepancy can trigger scope questions, a permitted CRMA limited check, rejection of an Out-of-Scope treatment, or a NOT MET finding against an affected objective.
  11. Assign change ownership.Name the rule owner, the technical owner, the information owner, the approving official, and the evidence owner, and set a review cadence and an emergency-change process. Segmentation is not a project you finish. It’s a state you maintain.

The Firewall Rule Authorization and Segmentation Test Worksheet

This is The Defense Compliance Report’s source-derived boundary-evidence template — built from the artifacts assessors consistently ask to see. It is not a CAP-prescribed form or a certification guarantee; the exact evidence an assessment team selects depends on the objectives, your implementation, and their sampling. Use one row per flow, and capture these fields:

Source trust zone · Destination trust zone · Source asset category · Destination asset category · Direction · Protocol and port · Business purpose · Authorized CUI flow (yes/no) · Related CMMC requirement · Firewall/ACL rule ID · Rule owner · Approving person · Approval date · Review date · Expiration date · Logging source · Positive test result · Negative test result · Change-ticket reference · Last verified date.

Fill it in as you work through Steps 5, 6, and 9 and you’ll have assembled most of your boundary evidence as a byproduct. An editable copy of this worksheet is forthcoming on our templates page.

What should a CMMC network diagram show?

A CMMC network diagram should make your assessment boundary and enforcement points understandable: the defined boundary, in-scope asset categories, external and key internal connections, CUI flows, security services, remote and cloud paths, and the enforcement points that make claimed separation real. The rule requires the applicable in-scope asset categories to be documented in the network diagram, but it does not mandate one icon per endpoint (32 CFR § 170.19).

We recommend three coordinated layers, because trying to show everything on one page produces a diagram nobody can follow — including an assessor:

You can group identical assets — same baseline, same role, same zone, same policy treatment — as long as the individual detail lives in your asset inventory. Watch for the anti-patterns that draw assessor scrutiny: one box labeled “CUI enclave” with no internal detail, a missing cloud or remote path, missing shared identity and logging, no arrow direction, no enforcement point, a diagram that disagrees with the firewall config, or “out of scope” assets drawn with unrestricted connections.

What drives the cost of CMMC network segmentation?

There’s no single price, and anyone quoting one without seeing your environment is guessing. Segmentation cost is driven by the shape of your CUI problem, not a fixed line item — which is exactly why architecture decisions made early have such an outsized effect on the total.

The honest cost drivers: the number of distinct CUI workflows, your current security maturity, how many shared services touch CUI, the number of enforcement points you need, your endpoint model (managed devices vs. locked-down VDI), whether you’re migrating to a cloud enclave, OT and Specialized Asset constraints, the size of your evidence gap, staffing, and the cost of operatingthe boundary over time — rule review, testing, and documentation don’t stop after go-live. For a broader picture of what a Level 2 program costs end to end, see our CMMC Level 2 cost guide. The single biggest cost lever most contractors control is the one on this page: a smaller, well-drawn boundary means fewer systems to license, harden, monitor, and prove.

What evidence will a C3PAO examine and test?

Before a Level 2 certification assessment reaches its evidence-gathering phase, the C3PAO validates your assessment scope and confirms enough evidence will be available; scope disagreements are resolved first. During the assessment, assessors examine documents and configurations, interview the people responsible, and test boundary mechanisms — so a diagram with no reproducible technical evidence behind it is weak. This reflects the Cyber AB CMMC Assessment Process (CAP v2.0).

DCR-recommended evidence package, not a mandatory CAP artifact list — the assessment team selects the evidence and samples sufficient to evaluate the applicable objectives.

Evidence itemWhat it should establishLikely assessment methodPotential concern
Scope narrativeWhy the boundary is drawn where it isExamine / interviewGeneric text unrelated to your actual data flow
Asset inventoryEvery asset, owner, category, location, roleExamine / sampleSystems on the network that aren't in the inventory
Network diagramBoundaries, zones, connections, security servicesExamine / interviewMissing shared services or external paths
CUI-flow mapHow CUI legitimately movesExamine / interview / testCUI reaching undocumented systems
Flow authorization matrixBusiness justification for allowed trafficExamine / testRules with no owner or purpose
Firewall / ACL exportThe actual enforcementExamine / testRules broader than documented; undocumented exceptions
Rule-review recordOngoing governanceExamine / interviewStale rules, no reviewer
Boundary logsVisibility and enforcementExamine / testLogs inaccessible where logging is part of the design
Positive test recordsRequired business functions workExamine / testControls break the workflow
Negative test recordsUnauthorized paths failExamine / testProhibited paths succeed
Remote-access configManaged access, MFA, routing, monitoringExamine / testA bypass or split-tunnel path exists
VDI configNo local CUI processing/storage/transmissionExamine / testClipboard, download, print, or screenshot enabled
ESP / CSP Customer Responsibility MatrixWho's responsible for which controlExamine / interviewControls unassigned or assumed
Change recordsArchitecture and evidence are currentExamine / interviewDiagram or SSP predates a major change

The three methods, in plain terms: examine your documents, configs, and logs; interview your network admins, security staff, system owners, users, and any ESP personnel; and testthe technical mechanisms at the boundary using both permitted and prohibited traffic. And a safety note the CAP is firm about: don’t share CUI electronically during virtual evidence collection unless both sides are using conforming Level 2 environments.

Readiness help and formal assessment must stay separate — and there’s a hard rule here

This is the single most important trust-and-money rule on the page, and it’s more than a “grade your own homework” cliché. Under 32 CFR § 170.8(b)(17)(ii)(G), CMMC Ecosystem members are prohibited from participating in the Level 2 certification assessment process for an assessment in which they served as a consultant to prepare that organization for any CMMC assessment within the prior three years. The Cyber AB’s Code of Professional Conduct (v2.0) confirms this prohibition applies to the C3PAO as an organization and to every member of its assessment team, and it covers any preparatory or advisory work for any type of CMMC assessment.

Separately, the CAP bars a C3PAO, its assessment team, and affiliated personnel from providing remedial or implementation advice after an adverse readiness determination and then resuming that same suspended assessment. A C3PAO also cannot guarantee your outcome, and the assessment team cannot speculate about the likelihood of success during readiness determination. If a conflict can’t be sufficiently mitigated, the C3PAO must not proceed.

The practical takeaway: this is not a lifetime ban, but it is broader than “don’t fix problems mid-assessment.” Keep your readiness/implementation engagement and your certification assessment appropriately separated, and confirm conflict status in writing before you sign anything.

If that evidence table exposed gaps — missing configs, no negative tests, unclear ownership — your next engagement is readiness and implementation, not a certification assessment. Keep those roles distinct and you’ll avoid paying a C3PAO to discover problems a readiness partner should have fixed first.

Request scoped readiness options →

When is network segmentation the wrong answer?

Segmentation is the wrong primary strategy when most of your enterprise legitimately handles CUI, when shared services make the proposed boundary artificial, or when staff would have to bypass the boundary to do normal work. In those cases a broader Level 2 environment can be simpler to operate and defend — whether it’s cheaper depends on your actual scope, current maturity, shared services, and workflow.

Here’s the boundary-fit judgment we’d apply, criterion by criterion — no score, no threshold, just the factors that actually move the decision:

Choose a segmented enclave when CUI has a genuinely narrow workflow, a limited group needs access, entry and exit points can be controlled, and you can actually operate the boundary day to day. Choose strict VDIonly when the workflow tolerates blocking local copy, download, printing, transfer, and screenshots — it may be unworkable for CAD or shop-floor drawing work. And use physical isolation only when the operational case justifies the patching, transfer, and maintenance overhead it creates.

The honest summary: segmentation carries its own configuration, documentation, testing, and exception-management burden. That burden is worth it when your CUI workflow is genuinely narrower than your enterprise. When it isn’t, a smaller boundary is just a bigger argument with your assessor.

Who should design, implement, operate, and assess a segmented environment?

Scoping advice, implementation, managed operations, GRC software, and formal assessment are five different services. An RPO or qualified readiness resource helps resolve scope; an MSP/MSSP or enclave implementer builds and runs the controls; a GRC platform supports the evidence workflow; and an authorized C3PAO conducts the certification assessment. The Cyber AB’s impartiality and conflict-of-interest rules apply across those relationships.

What you needProvider categoryTrigger for this categoryWhat it should doWhat it does not establish
Determine likely scope and readiness pathRPO / RP or qualified readiness consultantScope is unresolvedMap CUI, classify assets, identify gaps, build the planDoes not issue a Level 2 certificate
Build and operate network controlsCMMC-focused MSP, MSSP, or network integratorThe boundary must be built and runConfigure boundaries, identity, endpoints, logging, remote access, testingDoes not determine contractual applicability
Manage the evidence and compliance workflowGRC platform (with CMMC templates)SSP, evidence, and change management need structureTrack controls, host evidence, manage POA&Ms, support the SSPDoes not assess or certify
Conduct the formal Level 2 certification assessmentAuthorized C3PAOA C3PAO assessment is required or you want the certificateExamine, interview, and test against the 110 requirements and assessment objectivesDoes not guarantee the outcome or serve as a readiness consultant within the prior three years
Interpret disputed contract languageQualified federal-contracts attorneyThe contract language is in disputeProvide legal interpretationDoes not design or operate your environment

A note on verification: when a firm’s C3PAO or RPO/RP designation is material to your decision, confirm its current status in the Cyber AB Marketplace — and confirm it again on the day you engage, because status changes. MSPs, MSSPs, enclave providers, and GRC vendors are not automatically required to hold a Cyber AB designation; verify only the designation that’s material to the service you’re buying, and don’t read Marketplace presence as a Cyber AB endorsement.

The CMMC Path Frameworkmaps a contractor’s required CMMC level, FCI or CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category it needs. It routes to a category, not a named provider, and it is not a score, ranking, certification prediction, or compliance advice.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Get matched to the role you need — not the first company that sells “CMMC.” Tell us your required level, your current CUI boundary, your architecture, and your contract timeline, and we’ll point you to the source-checked provider category that fits your next unresolved step.

Get matched with CMMC provider categories →Do not submit CUI, drawings, export-controlled content, system diagrams, vulnerabilities, or sensitive contract details.

How do you keep the segmentation boundary valid after implementation?

A boundary stays defensible only while you evaluate and document changes to assets, CUI flows, rules, cloud services, remote access, and shared security tooling. The DoD’s CMMC Program FAQ directs contractors to assess the security and scope impact of relevant changes, update the SSP and supporting artifacts, and determine whether a significant change affects continuing CMMC status — with the affirming official involved.

Change-trigger ledger — DCR synthesis of the FAQ’s change-management guidance into the specific events that should force a boundary review.

Change eventScope question it createsArtifacts to updateTests to rerunAffirming Official review indicated?
New applicationDoes it touch CUI or a security function?Inventory, SSP, flow map, rule matrixApproved + blocked flow testsIf it changes CUI handling or scope
New cloud serviceIs it an ESP/CSP handling CUI or SPD?Inventory, CRM, diagramExternal-connection + transit testsIf it changes scope
New printerWill it process or store CUI?Inventory, SSPPrint-path testIf CUI is printed
Identity migrationDoes the new IdP change the security boundary?SSP, diagram, CRMAccess-control + remote-access testsLikely
New remote-access methodDoes it create a new boundary path?Remote-access config, diagramBypass + split-tunnel testsIf it changes scope
Firewall replacementDo the rules and logging still enforce the boundary?Rule matrix, config, logsFull positive/negative suiteIf enforcement changes
New facilityDoes CUI reach a new location?Inventory, SSP, diagramBoundary + physical testsLikely
AcquisitionDoes it merge networks or add CUI?Inventory, SSP, diagram, CRMFull re-scope + testsYes
Supplier exchangeNew CUI in/out path?Flow map, rule matrixTransfer-path testIf it changes flows
Backup changeWill backups hold CUI?Inventory, SSPRestore + access testIf CUI is stored
SIEM/EDR changeDoes it change a security capability in scope?SSP, CRM, configLogging/enforcement testIf SPA role changes
OT additionNew Specialized Asset or CUI path on the floor?Inventory, SSP, diagramTransfer-station + segmentation testIf it changes scope

And don’t forget the status side. Level 2 operates on a three-year assessment cycle. When Final status follows a Conditional status, the three-year period runs from the Conditional CMMC Status Date. A Conditional Level 2 (C3PAO) status expires if the permitted Plan of Action and Milestones (POA&M) isn’t successfully closed within 180 days, and an affirming official must affirm continuing compliance at the time of assessment and annually thereafter— a lapse in that affirmation causes the status to lapse (32 CFR § 170.17). A boundary that drifts out of sync with your documentation puts every one of those on shaky ground.

Is my SPRS score the same as CMMC Level 2 status?

No. DFARS 252.204-7019 and -7020 concern the NIST SP 800-171 DoD Assessment score you post in the Supplier Performance Risk System (SPRS). DFARS 252.204-7025 and -7021 concern your current CMMC status, annual affirmation, and the CMMC unique identifier in SPRS. A score of 110 under the DoD Assessment Methodology is notitself a Level 2 CMMC status or a C3PAO certificate. Contractors who assume “we’re already at 110 in SPRS, so we’re Level 2 ready” are conflating two different regimes — worth untangling before a solicitation forces the issue.

What we actually verified

We think a page that tells you what a C3PAO will test should hold itself to the same standard. Here’s our work.

Verified , against the version of each source then current:

  • 32 CFR Part 170— §§ 170.3(e) (phases), 170.8(b)(17) (conflict-of-interest and the three-year consultant prohibition), 170.14(c) (Level 2 and Level 3 requirement sets), 170.17 (Level 2 assessment, POA&M closeout, affirmation), 170.19 (scope and asset categories), and 170.24 (scoring), via eCFR.
  • NIST SP 800-171 Revision 2 (February 2020, with updates through January 2021) control text for AC 3.1.3, 3.1.12, 3.1.14, 3.1.20, 3.1.22 and SC 3.13.1, 3.13.2, 3.13.3, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.13.11; and NIST SP 800-171A (June 2018) for the examine-interview-test method.
  • The DoD CMMC Program FAQ— that encryption alone does not create logical separation, that a properly separated enclave doesn’t extend scope to enterprise networking carrying encrypted CUI, the MSP/MSSP-as-ESP treatment, the VDI endpoint conditions, and that CMMC Level 2 is assessed against NIST SP 800-171 Revision 2.
  • The CMMC Level 2 Scoping Guide and Level 2 Assessment Guide for the five asset categories, the physical-vs-logical separation definitions, and the illustrative boundary example.
  • The Cyber AB CMMC Assessment Process (CAP v2.0) and Code of Professional Conduct (v2.0)for impartiality, the suspended-assessment rule, and the three-year prohibition’s scope.
  • DFARS 252.204-7012 (covered defense information and FedRAMP), -7019 / -7020 (SPRS assessment score), -7021 (contract clause), and -7025 (solicitation provision), via Acquisition.gov / eCFR.
  • NIST SP 800-172 (February 2021) as the current CMMC-incorporated Level 3 source, and that NIST issued SP 800-172 Revision 3 on May 13, 2026 (which does not become the CMMC baseline without rulemaking).

What’s official vs. editorial synthesis: The asset-category rules, control language, assessment methods, phase dates, status durations, and clause requirements are official. The role labels, the architecture comparison, the challenge tests, the evidence packages, the provider-category routing, the boundary-fit criteria, the change-trigger ledger, and the worksheet are The Defense Compliance Report’s editorial synthesis, built from those verified facts.

What we deliberately left out:universal cost figures and one-size-fits-all timelines, named-provider rankings, “most common finding” claims, certification predictions, and any suggestion that a product or topology guarantees compliance. We didn’t have defensible primary-source data for those, so we didn’t publish them.

This page was written by The Defense Compliance Report Editorial Team. It has not been formally reviewed by a named CMMC advisor. See our editorial standards, methodology, and corrections policy.

CMMC network segmentation FAQ

Each answer is based on the governing authority named with it.

Is network segmentation required for CMMC Level 2?
There is no requirement titled “network segmentation.” It’s a method that may be necessary to satisfy boundary and CUI-flow requirements (such as SC.L2-3.13.1 and AC.L2-3.1.3) and to support an Out-of-Scope Asset claim (32 CFR § 170.19). On a flat network, every connected system becomes a candidate for the boundary.
Is a VLAN enough for CMMC?
A VLAN can be one mechanism within a logical-separation design, but the label alone is not evidence. The configured controls have to actually prevent unauthorized transfer, and you should be able to prove it with rules, logs, and testing (CMMC Program FAQ).
Does CMMC require physically separate networks?
Not universally. The DoD recognizes both physical and logical separation. An air gap is one valid option, not a blanket requirement (CMMC Level 2 Scoping Guide).
Does a firewall automatically put my corporate systems out of scope?
No. Asset category, actual CUI handling, security function, connectivity, and the full architecture determine scope — a firewall is one enforcement point, not an automatic exclusion (32 CFR § 170.19).
Can encryption keep my enterprise switches and routers out of scope?
Potentially, but only when the enclave is otherwise logically separated and the enterprise components merely carry properly encrypted CUI in transit. Per the DoD CMMC Program FAQ, encryption alone does not create the boundary.
Does segmentation reduce the 110 Level 2 requirements?
No. It reduces how many assets are assessed and how each category is treated. CUI Assets are still measured against all 110 NIST SP 800-171 Revision 2 requirements (32 CFR § 170.14).
Are identity, SIEM, EDR, DNS, backups, and admin systems in scope?
They have to be evaluated. A service or asset is in scope when it processes, stores, or transmits CUI or Security Protection Data, or provides a security function or capability to the assessment scope — so many of them are Security Protection Assets even when they don’t store CUI (32 CFR § 170.19).
Can a remote laptop stay out of scope with VDI?
Potentially, under strict conditions in § 170.19 and the CMMC Program FAQ: keyboard/video/mouse only, with local copy, transfer, drive mapping, print, save, and screenshots blocked, CUI kept entirely in the session, separate MFA to the VDI server, access limited to authorized users and allowable locations, and the configuration verified. Any local CUI processing turns the endpoint into a CUI Asset.
Does my MSP or MSSP have to be CMMC certified?
Not necessarily. An MSP or MSSP is an in-scope External Service Provider when its services process, store, or transmit CUI or Security Protection Data; a provider that handles neither is not a CMMC ESP. An ESP isn’t automatically required to hold its own CMMC status, and its responsibilities are captured in a Customer Responsibility Matrix (CMMC Program FAQ; 32 CFR § 170.19).
Does every endpoint need its own icon on the network diagram?
The rule requires the applicable in-scope asset categories to be documented, but it doesn’t prescribe a one-icon-per-device format (32 CFR § 170.19). We recommend grouping equivalent assets visually while keeping individual detail in the asset inventory.
Is a DMZ required?
SC.L2-3.13.5 requires publicly accessible components to sit on a physically or logically separated subnetwork. A DMZ is the common implementation, but the requirement is the separation outcome — not a specific appliance (NIST SP 800-171 Rev. 2).
Does CMMC require GCC High or AWS GovCloud?
No brand is named as a universal requirement. When an external Cloud Service Provider stores, processes, or transmits covered defense information under DFARS 252.204-7012, the contractor must require and ensure FedRAMP Moderate-equivalent protections and the clause’s other obligations. Whether a specific government cloud is appropriate depends on your data, the service, the contract clauses, authorization or equivalency evidence, and your configuration (DFARS 252.204-7012).
Does the same scope model apply at Level 3?
No. Level 3 scoping differs — including different treatment of assets considered Contractor Risk Managed at Level 2 — and CMMC Level 3 currently adds 24 enhanced requirements DoD selected from the February 2021 version of NIST SP 800-172 on top of the Level 2 baseline (32 CFR § 170.14(c)(4)). NIST released SP 800-172 Revision 3 in May 2026, but Revision 3 does not become the CMMC-controlling Level 3 baseline unless DoD amends the program rule. This page is Level 2-focused.
When should I contact a C3PAO?
After your scope, SSP, evidence, technical implementation, and test results are mature enough for pre-assessment validation. A C3PAO can’t promise the outcome and must follow the Cyber AB’s impartiality and conflict rules — including the three-year prohibition on assessing an organization it previously helped prepare (32 CFR § 170.8; CAP v2.0). For a comparison of self-assessment vs. C3PAO assessment, see our self-assessment vs. C3PAO guide.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Provider matching may generate qualified-introduction, sponsorship, or referral compensation when disclosed. Compensation does not control our regulatory analysis or provider-category routing. Do not submit CUI, drawings, export-controlled content, vulnerabilities, system diagrams, or sensitive contract details.

This article is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization, or with a qualified federal-contracts attorney when contract interpretation is required. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance and is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Primary sources cited on this page (verified ):

  • 32 CFR Part 170 (CMMC Program Rule), §§ 170.3(e), 170.8(b)(17), 170.14(c), 170.17, 170.19, 170.24 — ecfr.gov
  • NIST SP 800-171 Revision 2 (Feb 2020, updated Jan 2021) and NIST SP 800-171A (Jun 2018) — csrc.nist.gov
  • NIST SP 800-172 (Feb 2021; superseded by Rev. 3 on May 13, 2026) — csrc.nist.gov
  • DoD CMMC Level 2 Scoping Guide and CMMC Level 2 Assessment Guide — dodcio.defense.gov
  • DoD CMMC Program Frequently Asked Questions — dodcio.defense.gov
  • Cyber AB CMMC Assessment Process (CAP) v2.0 and Code of Professional Conduct v2.0 — cyberab.org
  • DFARS 252.204-7012, -7019, -7020, -7021, -7025 — acquisition.gov / ecfr.gov