April 5, 2026

How to Architect Your CNC Environment for CMMC Compliance

Most shops try to make their CNC machines compliant. That's the wrong approach. Here's how to design your workflow so they don't need to be.

There is a moment in almost every CMMC gap assessment where the consultant and the shop owner stare at the same problem from opposite sides.

The consultant points at the CNC machines and says: these are in scope.

The shop owner looks at a row of Fanuc and Haas controllers — some running software older than the machinists operating them — and says: you want me to make those compliant?

That tension is where most shops get stuck. And it’s where the wrong decisions start.


The Instinct That Costs You

Once a shop realizes their CNC machines touch CUI, the reflex is to secure them directly. Lock down the controllers. Wrap firewalls around the floor network. Build compensating controls for machines that can’t run antivirus because they’re running Windows XP — or no Windows at all.

The intent is right. The approach is expensive, fragile, and in many cases impossible.

A Fanuc 0i from 2003 was not designed to enforce access control, generate audit logs, or encrypt anything. Neither was the Mazak sitting next to it. Asking a CNC controller to satisfy NIST 800-171 security requirements is like asking a forklift to pass a driver’s license exam. It does real work. It was never built for this test.

And yet — assessors are walking shop floors right now, looking at exactly these machines, asking exactly these questions.


What CMMC Actually Asks

Here’s where the framing matters.

CMMC Level 2 doesn’t require every device to be a hardened IT endpoint. It requires you to demonstrate control over Controlled Unclassified Information:

Where it exists. How it moves. Who can access it. And what evidence proves those controls are working.

The 110 controls in NIST 800-171 are about information — not about machines. The machines matter only because CUI passes through them. If you change how CUI reaches the machines, you change which questions the assessor asks and where they ask them.

That’s the architectural shift.


The Wrong Question and the Right One

Most shops ask: “How do we make the CNC controller compliant?”

The better question: “Why does the CNC controller need to handle CUI without any controls in front of it?”

In some shops, the workflow is still manual — USB drives, shared folders, emailed files. No authentication, no encryption, no log of who sent what or when it arrived.

But plenty of shops have moved past that. They’re running DNC software, and centralized distribution is a real improvement. The USB drive is gone. Programs move from a server to the machine over the network.

The problem is that most DNC systems were built for convenience, not compliance. They can tell you what was sent and where. Fewer can tie every transfer to an authenticated identity, encrypt the file in transit and at rest, verify integrity on delivery, and produce the evidence package an assessor needs — consistently, for every transfer, for the last 90 days.

Whether the path is a USB drive or a DNC server, the question is the same: is CUI reaching the machine through a controlled, auditable channel — or just a centralized one?

That’s what pulls the machines into the hardest part of the assessment. Not the machines themselves — the path CUI takes to get there and whether that path produces evidence of control.


The Concept: A Controlled Transfer Boundary

Instead of trying to bolt compliance onto each machine, you put a system between the CUI environment and the execution environment.

That system becomes responsible for authenticating who sends files, encrypting them in transit and at rest, controlling which machines each programmer can reach, logging every transfer with a timestamp and identity, and verifying that what arrived at the machine matches what was approved.

The machines on the other side of that boundary don’t do any of those things. They receive files through a controlled channel instead of an uncontrolled one. That’s the change.

When done correctly, this shifts the assessor’s attention from the individual machines to the boundary that controls CUI movement. The machines still appear in your System Security Plan — the CMMC scoping guide is clear that specialized assets like CNC controllers need to be documented and addressed. But the security story you tell the assessor changes from “we tried to lock down 15 legacy controllers” to “we built a controlled boundary that handles CUI protection before it reaches the floor.”

One of those stories is defensible. The other is a list of compensating controls you’ll be defending for years.
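To make the boundary concrete, here is an added example (not SMC's code, nor any vendor's) of the control logic such a system enforces: an authorization check of programmer against machine, a unique key minted per file, a keyed integrity tag verified on delivery, and an evidence log that can be queried for the last 90 days. Programmer names, machine names and the G-code are constructed placeholders; the example uses only the Python standard library and leaves the actual encryption of the payload to a real cipher library.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample policy: which programmer may reach which machine.
# Machine names are placeholders, not real assets.
ACCESS = {"alice": {"haas-vf2", "fanuc-0i-03"}, "bob": {"mazak-qt"}}


class TransferBoundary:
    """Sits between the CUI environment (CAM workstations) and the floor."""

    def __init__(self, clock=None):
        self.log = []  # evidence trail, one entry per event
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _record(self, user, machine, digest, outcome):
        self.log.append({"ts": self.clock(), "user": user,
                         "machine": machine, "digest": digest, "outcome": outcome})

    def approve(self, user, machine, program):
        """Authorize a transfer; mint a per-file key and a keyed integrity tag."""
        if machine not in ACCESS.get(user, set()):
            self._record(user, machine, None, "denied")
            raise PermissionError(f"{user} is not allowed to send to {machine}")
        file_key = secrets.token_bytes(32)  # unique key for this file only
        tag = hmac.new(file_key, program, hashlib.sha256).hexdigest()
        self._record(user, machine, tag, "approved")
        # In a real boundary the program would be encrypted here under file_key.
        return {"user": user, "machine": machine, "key": file_key,
                "program": program, "tag": tag}

    def deliver(self, package, received):
        """Machine-side check: does what arrived match what was approved?"""
        actual = hmac.new(package["key"], received, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(package["tag"], actual)
        self._record(package["user"], package["machine"], actual,
                     "delivered" if ok else "integrity_failure")
        return ok

    def evidence(self, days=90):
        """The assessor's evidence package: every event inside the window."""
        cutoff = self.clock() - timedelta(days=days)
        return [e for e in self.log if e["ts"] >= cutoff]
```

A denied request and a failed integrity check are logged just like a successful delivery, because the absence of an event is not evidence of control.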


What This Doesn’t Do

This is important, and it’s where a lot of vendors overclaim.

A controlled transfer boundary does not automatically move machines out of assessment scope. Scope is determined by whether CUI is stored, processed, or transmitted — and by how systems are connected. An assessor evaluates the full picture.

But it can simplify the environment significantly. It can reduce your reliance on compensating controls. And it supports a narrower, more defensible assessment boundary — which is what most consultants and C3PAOs want to see when they walk in.


Where the Secure Manufacturing Cell (SMC) Fits

This is exactly what SMC was built to do.

SMC replaces the uncontrolled transfer workflows — the USB drives, the shared folders, the emailed files — with an encrypted, authenticated, auditable pipeline from the programmer’s workstation to the machine spindle.

Every file is encrypted with its own unique key. Every transfer is tied to a specific person and a specific machine. Every delivery is logged with a timestamp, identity, and a cryptographic integrity check. The file is decrypted only in memory at the moment of transfer — it never sits on disk unencrypted. And after the job runs, it’s purged from the machine automatically.

The machines don’t change. The controllers don’t get modified. The operators don’t learn a new system — they tap a screen and run the job. What changes is the path CUI takes to get there, and the evidence trail that path produces.

That’s the architecture. Not louder security on the machines. Smarter control of the workflow.


The Bottom Line

You don’t make CNC machines compliant. You design your environment so they don’t need to be.

That’s the difference between trying to secure everything and controlling what actually matters — and it’s the difference between walking into an assessment with a defensible story and walking in with a stack of compensating controls and a prayer.


The architecture question is worth asking before the assessment does. See how CNC shops are reducing scope at /cnc-scope-reduction/.
