FedRAMP: New cloud-friendly network guidance, Subnets white paper rescinded (github.com/fedramp)
3 points by wlonkly 37 days ago | 1 comment


The long-standing requirement that you must use subnetting to isolate public from internal, and operational from management, workloads has been a thorn in the side of cloud-based FedRAMP-authorized companies for ages, and now they're finally updating it as part of the "FedRAMP 20x" program aimed at reducing red tape.

From the linked doc:

Current FedRAMP Guidance:

SC-7 (b) Additional FedRAMP Requirements and Guidance: SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (fedramp.gov/assets/resources/documents/FedRAMP_subnets_whitepaper.pdf) for additional information.

Updated FedRAMP Guidance:

SC-7 (b) Additional FedRAMP Requirements and Guidance: SC-7 (b) may be met by using any technical capability that ensures logical separation between publicly accessible components and internal networks by preventing traversal without inspection and authorization; traffic may not flow unrestricted from publicly accessible components to internal networks.



