April 9, 2026

We Have DNC Software and VLANs. Why Isn't That Enough for CMMC?

DNC software and network segmentation are steps in the right direction. But they don't produce the evidence CMMC actually requires. Here's the gap — and why it matters at assessment time.

This is a question we get from shops that have already invested in infrastructure.

“We’re not running USB drives. We have DNC software managing program distribution. We have VLANs separating our CNC network from corporate IT. Why isn’t that enough?”

It’s a fair question. And the honest answer is: you’re further along than most — but probably not as close as you need to be at assessment time.

Here’s why.


What DNC Software Actually Does

DNC software has been around for decades. Most setups centralize program distribution from a server to the shop floor. Compared to USB sneakernet, that’s a meaningful improvement.

You’ve centralized distribution. You’ve removed the physical drive from the equation. You may have basic logging of what was sent and where.

That’s real progress.

But centralized distribution is not the same as controlled, auditable transfer — and CMMC assessments are evidence-driven.


What a CMMC Assessor Needs to See

When a C3PAO evaluates your CNC file-transfer workflow, they’re not asking whether you own software that moves programs.

They’re evaluating whether you can demonstrate control over CUI movement through evidence.

In practice, the evidence questions look like this:

  • Who initiated or approved the transfer — tied to an authenticated, attributable identity
  • What file was transferred — including which revision was intended
  • When it moved — with a clear timestamp
  • Where it went — which specific machine received it
  • Whether integrity was preserved — a verifiable way to show the delivered file matches the approved file

Now ask a practical question:

Can your current DNC setup produce a clean report for the last 90 days that answers all of those — without gaps?

Most DNC deployments can tell you what was sent and where. Fewer can reliably tie each transfer to an authenticated identity, prove the correct revision was used, and provide a verifiable integrity check — especially in real shops where exceptions happen.

That’s the gap.


What VLANs Actually Do

Network segmentation is the right instinct. Separating your CNC network from corporate IT reduces attack surface and limits lateral movement.

But a VLAN is a network architecture decision, not a compliance control by itself.

VLANs don’t produce transfer evidence. A packet crossing a VLAN boundary isn’t an auditable compliance event. It’s a network hop.

They don’t authenticate operators. The VLAN doesn’t know who requested a file or whether they were authorized.

They don’t verify integrity. Segmentation doesn’t tell you whether the G-code that crossed the boundary was the correct, unmodified revision.

VLANs are useful. They’re not sufficient by themselves.


The Question to Ask Your DNC Vendor

Before your assessment, try to pull this report from your DNC environment:

For every CNC program transfer in the last 90 days, show:

  • The requesting identity tied to each transfer (authenticated and attributable)
  • The program identifier and revision
  • The destination machine
  • The timestamp
  • A verifiable integrity indicator — a hash, a checksum, something that proves the delivered file matches the approved file

If you can produce that report cleanly — consistently — you may have more of what you need than you think.

If you can’t, that’s the evidence gap assessments tend to expose.
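One way to run that check against an exported transfer log, as an added example that is not part of the original post or any vendor's tooling. The CSV column names, the shared-account list, the approved-revision manifest and the sample rows are all constructed assumptions.

```python
import csv, hashlib, io
from datetime import datetime, timedelta, timezone

# Assumed export columns (hypothetical, not any DNC product's schema).
REQUIRED = ("timestamp", "user", "program", "revision", "machine", "sha256")
SHARED = {"operator", "admin", "shop", "dnc"}  # assumed generic logins, not attributable

def audit_transfers(log_csv, approved, now, window_days=90):
    """Return [(row, reason)]; approved maps (program, revision) -> released SHA-256."""
    cutoff, gaps = now - timedelta(days=window_days), []
    for n, raw in enumerate(csv.DictReader(io.StringIO(log_csv)), start=1):
        row = {f: (raw.get(f) or "").strip() for f in REQUIRED}
        missing = [f for f in REQUIRED if not row[f]]
        try:
            when = datetime.fromisoformat(row["timestamp"])
        except ValueError:
            when = None
        if when is not None and when.tzinfo is not None and when < cutoff:
            continue  # outside the reporting window
        if missing:
            gaps.append((n, "missing " + ",".join(missing)))
        elif when is None or when.tzinfo is None:
            gaps.append((n, "timestamp unparseable or lacks a UTC offset"))
        elif row["user"].lower() in SHARED:
            gaps.append((n, "shared account, not attributable"))
        elif (row["program"], row["revision"]) not in approved:
            gaps.append((n, "revision not on approved list"))
        elif row["sha256"].lower() != approved[(row["program"], row["revision"])]:
            gaps.append((n, "delivered hash differs from approved file"))
    return gaps

# Constructed sample data: two released programs and six logged transfers.
REL_A, REL_B = b"O1001\nG21 G90\nM30\n", b"O1002\nG21 G90\nM30\n"
H_A, H_B = hashlib.sha256(REL_A).hexdigest(), hashlib.sha256(REL_B).hexdigest()
APPROVED = {("BRKT-1001", "C"): H_A, ("HSG-1002", "A"): H_B}
ALTERED = hashlib.sha256(REL_A + b"(edited)\n").hexdigest()
NOW = datetime(2026, 4, 9, tzinfo=timezone.utc)
SAMPLE = "\n".join([
    "timestamp,user,program,revision,machine,sha256",
    f"2026-03-02T08:15:00+00:00,jdoe,BRKT-1001,C,HAAS-03,{H_A}",
    f"2026-03-05T14:02:00+00:00,operator,HSG-1002,A,MAZAK-01,{H_B}",
    f"2026-03-09T09:40:00+00:00,asmith,BRKT-1001,B,HAAS-03,{H_A}",
    f"2026-03-12T11:20:00+00:00,asmith,BRKT-1001,C,HAAS-03,{ALTERED}",
    "2026-03-20T07:55:00+00:00,,HSG-1002,A,MAZAK-01,",
    "2025-11-01T07:55:00+00:00,,HSG-1002,A,MAZAK-01,",  # older than 90 days
])

if __name__ == "__main__":
    print(*audit_transfers(SAMPLE, APPROVED, NOW), sep="\n")
```

An empty result over the full window is the clean report described above; every tuple returned is a transfer an assessor could question.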


Where the Secure Manufacturing Cell (SMC) Fits

SMC replaces the transfer workflow your DNC handles today — and adds the evidence layer it was never built to produce.

It encrypts every file with a unique key, authenticates every transfer to a specific person and machine, verifies file integrity before delivery, and logs the complete evidence chain automatically. Your CNC machines never need direct exposure to the IT network.

Your VLANs stay in the picture. They become part of a defensible architecture instead of the only control you can point to. But the transfer workflow — the part the assessor is actually going to scrutinize — that’s what SMC takes over.

The result is a workflow that produces the record an assessor needs without adding steps for your operators.


The Honest Assessment

DNC software and VLANs are exactly the kind of investments that move a shop toward stronger security. You’re not starting from zero.

But CMMC is evidence-driven.

The question isn’t whether your infrastructure is “good.” It’s whether your workflow produces the record an assessor needs to verify control over CUI movement.

If it does — you’re in good shape.

If it doesn’t — that’s a solvable problem.


The architecture question is worth asking before the assessment does. See how CNC shops are reducing scope at /cnc-scope-reduction/.
