Here’s a conversation that comes up in almost every demo.
We’re walking through how SMC works — encrypted transfer, authenticated delivery, automatic audit trail — and the shop owner nods along until they look at the floor and say:
“That sounds great. But I’ve got a 1998 Fanuc in the corner running RS-232. A 2009 Mazak with a proprietary control. A couple of 2017 Okumas. And a Haas that showed up last year. Are you telling me this works on all of them?”
Yes. Every one of them.
The Problem Nobody Else Solves
Most cybersecurity tools are built for IT environments. Modern operating systems. Network-connected endpoints. Standard protocols.
Your shop floor is not that.
CNC controllers are purpose-built machines refined over decades for one job: precision manufacturing. They run proprietary operating systems. Many communicate over serial connections that predate the internet. Some have never been — and should never be — directly connected to a corporate network.
When compliance solutions built for IT get applied to shop floors, the result is usually one of three things: replacing controllers that are still making good parts, forcing legacy machines onto networks they were never designed for, or writing compensating controls that acknowledge the gap without closing it.
If you’re running DNC software, you may have centralized distribution — but centralized is not the same as encrypted, authenticated, and auditable. The transfer path still lacks the evidence chain CMMC requires.
SMC was designed from the beginning to work with the machines that are actually on defense shop floors — not the ones a compliance consultant assumes you have.
How SMC Talks to Your Machines
Every CNC controller communicates through a protocol — determined by the manufacturer and the era the machine was built. SMC speaks five protocols natively: RS-232 serial for legacy machines with no network interface, Fanuc FOCAS for modern Fanuc Ethernet controllers, FTP for Mazak, Siemens, Heidenhain, Hurco, Brother, and Mitsubishi, SMB network shares for Haas NGC, and an encrypted delivery method purpose-built for Okuma’s OSP controllers.
That covers 11 controller families across roughly 90% of the installed CNC base in North America.
The specific protocol matters to the machine. It does not matter to the compliance outcome.
The Same Evidence Chain Across Every Machine
Here’s what doesn’t change regardless of which protocol your machine uses:
Every transfer is encrypted with its own unique key. Every transfer is authenticated to a specific person and a specific machine. Every transfer is logged with a timestamp, identity, and integrity verification. Whether the file traveled over RS-232 serial to a 1998 Fanuc or Ethernet to a machine delivered last month, the audit record looks the same to an assessor.
CMMC doesn’t care how old your machine is. It cares whether you can demonstrate control over how CUI reaches it.
With SMC, the answer is consistent across the entire floor. The protocol varies by controller family. The evidence chain does not. That consistency is what makes a CNC environment defensible at assessment time.
No Modifications Required
SMC does not require changes to your existing controllers.
No firmware updates. No hardware changes. No production downtime for installation. SMC sits upstream of your machines and communicates using the protocols your controllers already speak. The machines don’t change. The compliance posture does.
The Bottom Line
Walk your floor. Count the controller families. Count the decades. A 1998 Fanuc on serial. A 2009 Mazak on FTP. A 2017 Okuma with its own encrypted protocol. A 2025 Haas on a network share.
That’s not a compatibility problem. That’s a normal shop floor.
SMC was built for exactly that floor — not a theoretical one where every machine runs the same controller and speaks the same language. The compliance outcome is the same across every machine, every protocol, every generation.
The architecture question is worth asking before the assessment does. See how CNC shops are reducing scope at /cnc-scope-reduction/.