VLANs separate broadcast domains. They do not verify identity, log sessions, encrypt traffic, or enforce least privilege. CMMC Level 2 requires all of these. If your shop floor compliance strategy is "we put the CNC machines on their own VLAN," you have a gap.
Our CMMC compliance solution for legacy OT covers what VLANs cannot.
What CMMC Level 2 Actually Requires on the Shop Floor
CMMC Level 2 maps to NIST 800-171, which includes 110 controls across 14 families. On a manufacturing floor with PLCs, CNCs, HMIs, and SCADA systems, the controls that matter most are:
- Access Control (AC): Every connection to a CUI-handling asset must be authorized per user, per role, per session. A VLAN does not know who is connecting.
- Audit and Accountability (AU): Every access event must be logged with user identity, timestamp, source, and destination. A VLAN generates no logs.
- Identification and Authentication (IA): Multi-factor authentication before accessing CUI systems. PLCs have no MFA capability. VLANs have no authentication layer.
- System and Communications Protection (SC): Encryption of CUI in transit. Industrial protocols transmit in plaintext. VLANs do not encrypt.
The Regulation Is Vague. Assessors Are Not.
The CMMC regulation uses language like "unable to be fully secured" and "managed using the contractor's risk-based security policies." This is deliberately broad. But assessors have a clear framework for what they accept.
An assessor who sees NIST controls enforced at the point of access has a strong basis for accepting that asset as managed under risk-based security. If you can show that every connection to a CNC mill passes through an identity-verified, MFA-enforced, session-logged proxy, you have a defensible position.
If you can only show that the CNC is on a separate VLAN, the assessor will ask: who accessed it? When? What did they do? You will not have answers.
PLCs Are Components, Not Standalone Assets
A point that often gets missed: assessors treat the larger system as the asset, not the individual PLC. A CNC mill is one asset. A production line segment is one asset. The PLC inside it is a component.
This matters because it reduces the number of assets you need to document Enduring Exceptions for. But it also means the controls apply at the system level. The question is not "can this PLC do MFA?" The question is "can you control, log, and encrypt access to this production system?"
What Assessors Actually Look For
Based on how C3PAOs operate in OT environments:
1. Documentation over perfection. Assessors do not expect a PLC to run an endpoint agent. They expect you to document why it cannot and what you did instead. The Enduring Exception exists for this purpose.
2. Controls at the point of access. If you enforce identity-based access control, session logging, and encryption at a proxy layer in front of the OT asset, most assessors will accept that as satisfying the control intent.
3. Evidence on demand. Policy configurations, session logs, segmentation baselines. Not a narrative in the SSP. Actual technical artifacts.
4. GFE is out of scope. Assessors do not assess Government Furnished Equipment. If the government gave you the PLC, it is their problem. Your Enduring Exceptions apply to your own specialized assets.
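As an added illustration of "evidence on demand" (not part of the original article or any vendor's product), the check below reads proxy session records and flags every event that fails the control fields the article names: identity, timestamp, source and destination (AU), MFA (IA), encryption in transit (SC), and role-based authorization against a segmentation baseline (AC). The log format, field names, asset names and baseline are all constructed for this example.

```python
import json
from collections import defaultdict

# Constructed segmentation baseline (hypothetical assets and roles).
BASELINE = {
    "cnc-mill-07": {"cui": True, "allowed_roles": {"machinist", "maintenance"}},
    "hmi-line-2":  {"cui": True, "allowed_roles": {"operator", "maintenance"}},
}

# Fields an access event must carry to count as AU/IA/SC/AC evidence.
REQUIRED = ("user", "timestamp", "src", "dst", "role", "mfa", "encrypted")

# Constructed proxy session log (JSON lines), not real data.
SAMPLE_LOG = """\
{"user":"jdoe","role":"machinist","timestamp":"2024-03-01T08:02:11Z","src":"10.20.1.15","dst":"cnc-mill-07","mfa":true,"encrypted":true}
{"user":"asmith","role":"operator","timestamp":"2024-03-01T08:05:40Z","src":"10.20.1.22","dst":"cnc-mill-07","mfa":true,"encrypted":true}
{"user":"vendor1","role":"maintenance","timestamp":"2024-03-01T09:12:03Z","src":"10.20.9.4","dst":"hmi-line-2","mfa":false,"encrypted":true}
{"timestamp":"2024-03-01T09:30:00Z","src":"10.20.1.30","dst":"hmi-line-2"}
"""

def audit_sessions(log_text, baseline=BASELINE):
    """Return {asset: [finding, ...]} for events that fail a named control."""
    findings = defaultdict(list)
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = json.loads(line)
        dst = rec.get("dst", "<unknown>")
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            # AU: an event without identity, source and destination is not evidence.
            findings[dst].append(f"line {n}: missing fields {missing}")
            continue
        asset = baseline.get(dst)
        if asset is None or not asset["cui"]:
            continue  # not a CUI-handling asset in the baseline
        if not rec["mfa"]:
            findings[dst].append(f"line {n}: {rec['user']} without MFA (IA)")
        if not rec["encrypted"]:
            findings[dst].append(f"line {n}: {rec['user']} plaintext session (SC)")
        if rec["role"] not in asset["allowed_roles"]:
            findings[dst].append(f"line {n}: role {rec['role']} not authorized (AC)")
    return dict(findings)

if __name__ == "__main__":
    for asset, issues in audit_sessions(SAMPLE_LOG).items():
        print(asset, *issues, sep="\n  ")
```

An empty result for an asset is the artifact an assessor can check; a non-empty one is a gap the SSP narrative alone cannot explain away.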
Why VLANs Fail the Test
VLANs provide Layer 2 segmentation. They are useful for reducing broadcast domains and limiting lateral movement at the network level, and they are a real improvement over the alternative — see our deep-dive on flat network vs segmented network for the foundational architecture trade-offs. But for CMMC, VLANs alone do not address:
| CMMC Requirement | VLAN | Overlay + Proxy |
|---|---|---|
| Identity verification | No | Yes |
| Session logging | No | Yes |
| MFA enforcement | No | Yes |
| Encryption in transit | No | Yes |
| Deny-by-default | Partial | Yes |
| Least privilege per user | No | Yes |
An overlay network with proxy enforcement (like Access Gate) sits on top of your existing VLANs and adds what they were never designed to provide. Your VLANs stay in place. The overlay adds identity, logging, and encryption.
The Practical Path
- Keep your VLANs. They are still useful for basic traffic separation.
- Add an overlay with proxy enforcement for CUI-handling assets.
- Document each OT asset that invokes the Enduring Exception.
- Generate evidence: session logs, policy configs, segmentation baselines.
- Have your Affirming Official review the evidence, not just the SSP.
The Shared Responsibility Matrix shows exactly which of the 110 controls are enforced at the network layer and which remain customer-owned.
For more CMMC resources, case studies, and implementation guides, visit the CMMC Compliance for On-Premise hub.