The Technical Wall
A five-axis Matsuura MAM72-35V or a Fanuc Robodrill represents a capital investment that may exceed $500,000 per unit. These machines produce flight-critical components with tolerances measured in ten-thousandths of an inch. They are extraordinary pieces of engineering. They are also, from a cybersecurity standpoint, black boxes.
Most legacy CNC controllers run proprietary real-time operating systems that do not support user authentication, role-based access, audit logging, encrypted storage, or any of the technical controls that NIST SP 800-171 expects from information systems. A Fanuc 31i controller has no concept of a "user account." There is no password prompt. There is no access control list. The controller boots, loads its parameters, and waits for instructions.
The problem arises because these controllers process CUI. The G-code and M-code programs that drive a five-axis mill to cut a titanium bracket for a fighter jet nacelle are themselves CUI. They encode geometry, toolpath strategies, feed rates, and surface finish parameters that, taken together, reveal the design intent and manufacturing methodology for controlled defense articles. When that program is loaded into a controller's memory and executed, CUI is present on a device that cannot protect it through any conventional IT security mechanism.
G-code derived from Department of Defense specifications, technical data packages, or engineering drawings is Controlled Unclassified Information. The NARA CUI Registry lists Controlled Technical Information as a CUI category under the Defense index. Under 32 CFR Part 2002, derivative materials inherit the CUI designation of their source. The moment a CAM programmer translates a controlled drawing into a toolpath, that program inherits the CUI marking of its source material.
This is where many shop owners hit what practitioners call the "technical wall." They look at requirements like IA.L2-3.5.3 (Multi-Factor Authentication) and conclude, correctly, that their CNC equipment cannot implement MFA. They then incorrectly assume one of two things: either that they need to replace the equipment, or that they can mark the requirement as "not applicable." Neither conclusion is right. A C3PAO assessment team will expect the contractor to demonstrate how CUI is protected on every asset that processes, stores, or transmits it. "The machine cannot do it" is not a finding of nonapplicability. It is the beginning of a conversation about compensating controls.
The Specialized Asset Classification
The CMMC Assessment Guide defines a Specialized Asset as a device or system that processes, stores, or transmits CUI but is unable to be fully secured due to its operational purpose, technical limitations, or both. CNC controllers, programmable logic controllers, coordinate measuring machines with embedded processors, and similar shop floor equipment almost always fall into this category.
The critical distinction is that Specialized Assets are not exempt from the assessment. They are in scope. But the CMMC framework acknowledges that these assets will be evaluated differently. Instead of asking whether the controller itself implements MFA or encrypts data at rest, the assessor will ask what compensating controls the organization has implemented around the asset to protect the CUI it handles.
The Three-Pillar Architecture
The Secure Area strategy is built on a principle that classified environments have applied for decades: when the asset cannot protect the data, the environment must. CMMC requires a structured, documented, and verifiable implementation of that principle at the CUI level.
Physical Protection: The Sentry Protocol and Badge System
Physical protection is the foundation. If you cannot control who enters the space where CUI is present, no amount of technical or procedural controls will compensate. Every Secure Area must have defined and controlled entry points with electronic access control that logs every entry and exit with a timestamp and individual identifier.
Loading dock doors present a unique challenge. They must be opened for material receipt, shipment, and equipment moves. The solution is the Sentry Protocol: whenever a loading dock or bay door is open, a trained CUI-aware employee must be physically stationed at that door, maintaining a log that records the time opened, the reason, every person who enters or exits, and the time closed and secured.
In a busy shop environment, the ability to immediately identify who belongs in the Secure Area requires a visual system. A color-coded badge protocol provides this at a glance:
| Badge | Category | Access Rules |
|---|---|---|
| Green | CUI Handler | Full unescorted access. Trained and authorized to handle CUI materials, G-code, drawings, and traveler sheets. |
| Yellow | Non-CUI Staff | Access permitted only when accompanied by a Green badge holder. May not view, handle, or access CUI materials. |
| Red | Escorted Visitor | Must be escorted at all times by a Green badge holder. Visit logged with arrival/departure times and purpose. |
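The badge rules above can be checked mechanically against the badge-reader export the access control system already produces. The following is an added example, not code from the white paper: it assumes a constructed export with one entry event per line (`timestamp,badge_id,color,door`) and treats a Yellow or Red entry as escorted only when a Green badge entered the same door within a short window.

```python
"""Escort-rule check over badge-reader entry events (added example)."""
from datetime import datetime, timedelta

# Assumption: how close (in seconds) a Green entry must be to count as the escort.
ESCORT_WINDOW_S = 30

# Constructed sample export; not real data.
SAMPLE_LOG = """\
2024-03-04T06:58:02,G-1042,Green,DOOR-A
2024-03-04T06:58:09,Y-2201,Yellow,DOOR-A
2024-03-04T07:15:40,R-9001,Red,DOOR-A
2024-03-04T07:16:25,G-1042,Green,DOOR-A
2024-03-04T09:02:11,Y-2207,Yellow,DOCK-1
2024-03-04T09:02:12,G-1088,Green,DOOR-A
"""


def parse_events(text):
    """Return entry events as (datetime, badge_id, color, door), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, color, door = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, color, door))
    return sorted(events)


def escort_violations(events, window_s=ESCORT_WINDOW_S):
    """Yellow/Red entries with no Green entry at the same door within the window.

    The window is applied on both sides, since the escort may badge in
    just before or just after the person being escorted.
    """
    window = timedelta(seconds=window_s)
    greens = [(t, d) for t, _, c, d in events if c == "Green"]
    violations = []
    for t, badge, color, door in events:
        if color not in ("Yellow", "Red"):
            continue
        escorted = any(d == door and abs(t - gt) <= window for gt, d in greens)
        if not escorted:
            violations.append((badge, door, t.isoformat()))
    return violations


if __name__ == "__main__":
    for v in escort_violations(parse_events(SAMPLE_LOG)):
        print("unescorted entry:", v)
```

Run against the real export, the output is the exception list a reviewer walks through each shift; an empty list is the evidence an assessor wants to see alongside the log itself.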
Media Protection: The Iron Vault Approach
G-code is the lifeblood of a CNC operation, and in a defense manufacturing context, it is CUI. The most practical and defensible approach to G-code transit in shops without a fully segmented CUI network is the use of FIPS 140-2 (or 140-3) validated, hardware-encrypted USB drives with onboard PIN pads. The PIN entry satisfies authentication requirements, the FIPS-validated encryption satisfies protection requirements for portable media, and the crypto-erase capability satisfies sanitization requirements. The hardware-based encryption works regardless of whether the host device has any security capabilities of its own.
Every CUI-containing G-code program moves from the CAM station to the shop floor on an approved drive. No exceptions. No personal thumb drives. No emailed files on unencrypted media. Every approved drive must be individually serialized, assigned to a responsible individual, and tracked through a Media Accountability Log that records checkout, return, content, and periodic inventory reconciliation. A single unencrypted USB drive containing CUI program files, lost or unaccounted for, constitutes a potential data spillage event.
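The Media Accountability Log only earns its keep if someone reconciles it. The following is an added example, not code from the white paper: it assumes a constructed inventory of serialized drives and a log with lines `timestamp,action,serial,person,content`, and reports the conditions that should trigger the spillage inquiry described above (a drive outstanding too long, a serial that is not on the inventory, a return with no matching checkout, a second checkout of a drive never returned).

```python
"""Media Accountability Log reconciliation (added example)."""
from datetime import datetime, timedelta

MAX_CHECKOUT_HOURS = 12  # assumption: one shift plus margin

# Constructed serialized-drive inventory and log; not real data.
INVENTORY = {"IV-0001", "IV-0002", "IV-0003"}

LOG = """\
2024-03-04T06:30:00,checkout,IV-0001,J.Doe,bracket-7744 op10
2024-03-04T07:00:00,checkout,IV-0002,A.Lee,nacelle-rib op20
2024-03-04T10:45:00,return,IV-0001,J.Doe,
2024-03-04T11:00:00,return,IV-0003,M.Kim,
2024-03-04T12:00:00,checkout,IV-0009,M.Kim,fixture-plate op30
"""


def reconcile(log_text, inventory, now_iso, max_hours=MAX_CHECKOUT_HOURS):
    """Return findings as (kind, serial, detail) in the order they are detected."""
    now = datetime.fromisoformat(now_iso)
    outstanding = {}  # serial -> (checkout time, person, content)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, serial, person, content = line.split(",", 4)
        t = datetime.fromisoformat(ts)
        if serial not in inventory:
            findings.append(("unknown_serial", serial, ts))
        if action == "checkout":
            if serial in outstanding:
                findings.append(("double_checkout", serial, ts))
            outstanding[serial] = (t, person, content)
        elif action == "return":
            if outstanding.pop(serial, None) is None:
                findings.append(("return_without_checkout", serial, ts))
    # Anything still out past the limit is unaccounted for until located.
    for serial, (t, person, _content) in outstanding.items():
        if now - t > timedelta(hours=max_hours):
            findings.append(("overdue", serial, person))
    return findings


if __name__ == "__main__":
    for f in reconcile(LOG, INVENTORY, "2024-03-04T20:00:00"):
        print(f)
```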
24/7 Operations: Securing the Unattended Shop Floor
Aerospace machine shops do not operate on standard hours. Multi-pallet horizontal machining centers are designed for extended unattended operation, and lights-out capability is a significant competitive advantage. During unattended operations, video surveillance assumes the monitoring role that trained personnel provide during attended hours.
Camera placement requires deliberate planning. Cameras must monitor all access points to the Secure Area: exterior doors, loading docks, and internal doorways. Equally important is where cameras must not be aimed. Camera angles must avoid capturing CUI: no views of CNC controller screens displaying G-code parameters, work surfaces with traveler sheets or drawings, or CAM workstation monitors. If surveillance footage captures CUI, the camera system itself becomes a CUI asset, the recording storage becomes a CUI asset, and anyone with access to the footage requires CUI handling authorization. That is a self-inflicted scoping expansion that serves no one.
The Human Sensor
In environments where technology cannot provide automated detection and response, trained human beings become the primary security sensor. Machinists, setup technicians, programmers, and quality inspectors are present on the shop floor every working hour. They know who belongs and who does not. They understand the workflow and can detect anomalies that no camera or access log would flag: a visitor lingering near a CAM workstation, an unfamiliar face in the tool crib, a USB drive sitting on a machine that is not currently running a job.
Personal mobile devices with cameras present a direct threat to CUI in a manufacturing environment. A smartphone photograph of a traveler sheet, an engineering drawing, or a controller screen displaying program parameters constitutes unauthorized reproduction of CUI. Prohibiting personal devices with cameras from the Secure Area entirely, with storage lockers at entry points, is the most enforceable approach. Relying on a policy that says "do not photograph CUI" without removing the capability to do so is a control that depends entirely on voluntary compliance. In a security architecture, hope is not a control.
Control Mapping
| Control | Secure Area Component | Implementation |
|---|---|---|
| PE.L2-3.10.1 | Sentry Protocol, Access Control | Controlled entry points with badge readers; trained sentry at open dock doors with timestamped logs. |
| PE.L2-3.10.2 | Video Surveillance | Cameras on access points during unattended hours, angled to avoid CUI capture. Footage retained per policy. |
| PE.L2-3.10.3 | Escort Procedures | Red badge visitors escorted by Green badge holders at all times. Visits logged. |
| PE.L2-3.10.5 | Device Restriction | Personal devices with cameras prohibited in Secure Area. Storage lockers at entry points. |
| MP.L2-3.8.1 | Iron Vault USB Drives | FIPS-validated hardware-encrypted drives for all G-code transit. No unauthorized media. |
| MP.L2-3.8.5 | Media Accountability Log | Serialized drives tracked with checkout/return, content descriptions, and periodic reconciliation. |
| MP.L2-3.8.9 | Sanitization Protocol | Crypto-erase for reuse; physical destruction for decommission. All events documented. |
| IA.L2-3.5.3 | Compensating Controls | Hardware PIN on USB drives; badge access at zone entry; sentry verification. Documented as compensating for MFA on Specialized Assets. |
| AT.L2-3.2.1 / 3.2.2 | CUI Awareness Training | Role-based training for all CUI Handlers. Annual refresher and onboarding integration. |
Compliance Without Capital Destruction
The CMMC compliance challenge for aerospace machine shops is real, but it is not unsolvable. When you look at a Fanuc controller and see a computer that cannot be secured, you see an impasse. When you look at that same controller as a Specialized Asset inside a Secure Area, you see a problem with a proven, documentable, and assessable solution. The Secure Area strategy does not require replacing capital equipment. It requires disciplined physical controls, rigorous media management, and a workforce that understands its role in protecting the information that keeps contracts active.
Legacy CNC equipment built the business. A Secure Area architecture protects that business without dismantling the production capability that earned it.
Download the Full White Paper
Includes the complete three-pillar architecture, detailed badge protocol specifications, Iron Vault implementation guide, 24/7 surveillance strategy, camera placement guidance, and full control mapping table.
The CMMC Decision, Second Edition
Chapter 6 ("Blind Spots") addresses the physical security risks that live outside IT, from cleaning crews and third-party access to the operational vulnerabilities that derail otherwise well-prepared organizations. Chapter 3 covers physical security as a hidden compliance cost category.