The Question
"We have 12 legacy CNC machines. They run Windows XP embedded or proprietary controllers. They cannot run multi-factor authentication (MFA). Our prime assessor says we are failing IA.L2-3.5.3. Do we have to replace $4M of capital equipment to pass?"
The Discipline
No — not automatically. You do not replace $4M of capital equipment merely because a legacy controller cannot run MFA natively. IA.L2-3.5.3 is one of the limited CMMC Level 2 requirements where partial implementation can affect scoring: three points are subtracted if MFA is implemented only for remote and privileged users, and five points are subtracted if MFA is not implemented for any users. But scoring is not the main decision point. The main decision point is scope: whether the controller processes, stores, or transmits CUI; whether it provides security protection for CUI assets; whether it is a Contractor Risk Managed Asset; whether it qualifies as a Specialized Asset; or whether it is truly out of scope.
1. Scoping and Asset Categorization. Start with a documented CUI data-flow analysis from drawing receipt through programming, machine-code generation, controller transfer, production, inspection, and retention. The controller is Out of Scope only if it cannot process, store, or transmit CUI, does not provide security protection for CUI assets, and is physically or logically separated from CUI assets. If the controller has the capability to process, store, or transmit CUI but is not intended or permitted to do so, and policy, procedure, and technical controls prevent CUI from reaching it, treat it as a Contractor Risk Managed Asset and document the treatment in the asset inventory, SSP, and network diagram. If it can process, store, or transmit CUI but cannot be fully secured because it is operational technology or industrial equipment, evaluate whether it is a Specialized Asset. Prime or contracting-officer alignment may be prudent for contractual risk, but it does not substitute for a defensible CMMC scope.
2. Specialized Asset / Access Architecture. If the CNC controller must receive CUI and cannot support MFA natively, do not describe the controller as magically compliant. Treat it as a CUI Asset if it can be fully secured, or as a Specialized Asset if it is OT that can process, store, or transmit CUI but cannot be fully secured. Then build the access architecture around it: isolate the CNC network, prohibit direct internet and general-user workstation access, restrict transfers to authorized personnel, use a managed jump box or transfer station, enforce MFA at the jump box or access layer, log transfers, control removable media, and document the asset treatment in the SSP, asset inventory, and network diagram. The jump box or access-control layer may be assessed as a Security Protection Asset; the CNC itself should be documented and managed according to its CMMC asset category.
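As an added illustration of steps 1 and 2 (example code written for this page, not from any CMMC, NIST or DoD publication), the following Python encodes the asset-category tests stated above and the access-layer actions a controller without native MFA triggers. The field names, the constructed sample inventory, and the conservative fall-through that treats any capable asset whose CUI exposure is not prevented by controls as in scope are assumptions, not text from the rule.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    CUI_ASSET = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out of Scope"

@dataclass
class Asset:
    """One inventory entry, filled in from the CUI data-flow analysis (field names are assumed)."""
    name: str
    can_handle_cui: bool        # able to process, store or transmit CUI
    permitted_cui: bool         # intended and permitted to handle CUI per the data flow
    controls_prevent_cui: bool  # policy, procedure and technical controls keep CUI off it
    protects_cui_assets: bool   # provides security protection for CUI assets (jump box, firewall)
    separated: bool             # physically or logically separated from CUI assets
    is_ot: bool                 # operational technology / industrial equipment
    fully_securable: bool       # every applicable requirement can be implemented on the device
    native_mfa: bool            # the device itself can enforce MFA (IA.L2-3.5.3)

def categorize(a: Asset) -> tuple[Category, list[str]]:
    """Return the CMMC asset category and the treatment actions it triggers."""
    actions = ["record the category in the asset inventory, SSP and network diagram"]
    if a.protects_cui_assets:            # e.g. the managed jump box / transfer station
        return Category.SPA, actions
    # Out of Scope needs all three step-1 conditions; protection was excluded just above.
    if not a.can_handle_cui and a.separated:
        return Category.OUT_OF_SCOPE, actions
    if not a.permitted_cui and a.controls_prevent_cui:
        return Category.CRMA, actions
    # Assumption: everything else is treated as in scope for CUI (conservative fall-through).
    if not a.native_mfa:
        actions += ["isolate the network segment; no direct internet or general-workstation access",
                    "route access and transfers through a managed jump box that enforces MFA",
                    "log every transfer and control removable media"]
    if a.is_ot and not a.fully_securable:
        return Category.SPECIALIZED, actions
    return Category.CUI_ASSET, actions

# Constructed sample inventory (not real equipment data).
INVENTORY = [
    Asset("CNC-07 (Windows XP Embedded controller)", True, True, False, False, False, True, False, False),
    Asset("CNC jump box / transfer station", True, True, False, True, False, False, True, True),
    Asset("Stand-alone deburring controller", False, False, True, False, True, True, False, False),
    Asset("Shop-floor kiosk PC, CUI blocked by policy and DLP", True, False, True, False, False, False, True, False),
]

def scope_report() -> dict[str, Category]:
    """Map each inventory entry to the category the data-flow answers imply."""
    return {a.name: categorize(a)[0] for a in INVENTORY}
```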
3. POA&M. IA.L2-3.5.3 is not a viable CMMC Level 2 POA&M item. Under 32 CFR 170.21, Level 2 POA&M eligibility is limited to select requirements, and requirements with a point value greater than 1 generally cannot be included, except for the specific SC.L2-3.13.11 encryption case. IA.L2-3.5.3 is not eligible. For this issue, the shop must close through defensible scoping, Specialized Asset treatment, or implementation of MFA at the applicable access layer before assessment.
Do not replace the machines by default. Perform a CUI data-flow analysis, classify each controller under the CMMC asset categories, document the treatment in the SSP and asset inventory, isolate the controller where necessary, enforce MFA at the access layer that can support it, and treat IA.L2-3.5.3 as non-POA&M-able for CMMC Level 2 Conditional status.
- NIST SP 800-171 Rev. 2 · §3.5.3 Multi-factor Authentication
- NIST SP 800-171A · IA.L2-3.5.3 assessment objectives
- 32 CFR 170.19 · CMMC Level 2 scoping; CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets
- 32 CFR 170.21 · CMMC Level 2 POA&M eligibility and 180-day closeout requirements
- 32 CFR 170.24 · CMMC Level 2 scoring methodology; IA.L2-3.5.3 partial-implementation scoring
- CMMC Assessment Guide Level 2 · Assessment methods, evidence review, and Level 2 scoping references
- AS9100 Rev. D · Clauses 7.1.3 Infrastructure and 8.5.1 Production and Service Provision