CMMC Practice SC.4.228
Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
Bold Coast Security Guidance
This is listed as a maturity level four practice, but should be considered in all organizations. You should work with your network team to separate management access to network devices first. This may be achieved by IP restrictions on the devices themselves and cause the least impact to other services. Next the organization should consider placing critical infrastructure servers, such as domain controllers, in separate physical or logical network segments. You can apply access control lists to these segments to limit how users interact with those servers to the authentication requirements and prevent remote access except to approved administrators or administrative servers. Finally, review servers and storage locations which contain CUI and consider placing them in restricted physical or logical networks, and access control lists can be used to restrict network and user access. Create a policy for network segmentation of the identified resources, and note the technology used to create the segments in your plan. To test the effectiveness of your segments, be sure to conduct internal penetration tests against these isolated networks.
Organizations apply systems security engineering concepts and principles to identify the high value critical network infrastructure components in their network . High value critical systems are those that if compromised could lead to unauthorized access, use, modification or destruction of large amounts of CUI. Examples include boundary protection systems (e.g., routers, firewalls, intrusion protection and detection systems), critical infrastructure servers (e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration applications) Securing administration, the ability to alter the configuration of these components, includes delineating physical and logical security boundaries between the data and management interfaces such as through the use of an Out-of-Band network.
NIST Special Publication 800-160 provides guidance on systems security engineering.