Your Fanuc 0i-MF doesn’t have antivirus. Your Haas NGC can’t run endpoint detection. Your Mazak Smooth controller hasn’t had a software update since 2019 — and that’s by design.
These machines were built to cut metal, not to satisfy NIST 800-171. But if they touch Controlled Unclassified Information — and if you’re transferring G-code files to them, they do — then CMMC 2.0 says they’re in scope.
What “In Scope” Actually Means
Every system that processes, stores, or transmits CUI must meet 110 security controls under NIST 800-171. That includes:
- Access control — who can log in, what they can see
- Audit logging — a record of every action on that system
- Configuration management — proving the system is hardened and patched
- Identification and authentication — unique user accounts, multi-factor auth
Your CNC controller can’t do any of this. Most run proprietary embedded operating systems with no concept of user accounts, no log files, and no ability to install security software.
The Compliance Trap
Here’s where shops get stuck. Their IT consultant says: “Every system that touches CUI needs to meet these controls.” The shop owner looks at 30 machines on the floor and does the math. That’s 30 systems that need individual compliance — and none of them can do it.
The consulting quote comes back at six figures. The timeline is measured in months. And the proposed solution usually involves firewalls around machines that communicate over RS-232 serial cables.
What the DoD Actually Expects
The good news: the DoD didn’t write these requirements expecting a Fanuc controller to run antivirus. NIST 800-171 allows for scope reduction — moving systems out of the assessment boundary by placing them behind a compliant technical boundary.
If you can prove that CUI is protected before it reaches the machine and after it leaves, and that the path between is controlled, logged, and encrypted — the machine itself doesn’t need to meet all 110 controls.
That’s exactly what SMC does. It creates a controlled boundary between your IT network and your CNC controllers. The focus of assessment shifts toward the boundary controlling how CUI reaches the machines — not the machines themselves.
The Bottom Line
Your CNC controller can’t pass a CMMC audit. It was never supposed to. The question is whether you’re going to spend six figures trying to make it comply, or whether you’re going to put the right boundary in place and support a more defensible assessment.
The architecture question is worth asking before the assessor asks it. See how CNC shops are reducing scope at /cnc-scope-reduction/.