A C3PAO assessor walking into an OT environment is not looking for the same things they look for in an IT office. They know PLCs cannot run CrowdStrike. They know CNCs do not support MFA natively. What they are looking for is evidence that you understood the gap and closed it with documented compensating controls.
The Assessor Mindset in OT
C3PAO assessors operating in OT environments have adapted their approach. They do not narrowly focus on individual PLCs. They treat the larger system as the asset. A CNC mill with three PLCs and an HMI is one asset. A production line segment is one asset.
This means they are looking at: can you control access to this system? Can you log who accessed it? Can you show that unauthorized access is blocked?
They are not looking at: can this PLC do MFA on its own?
The Five Things Assessors Check
1. Asset Inventory
Do you know what is on your network? Assessors expect a current, accurate inventory of every OT asset in the CUI boundary. Not a spreadsheet from last year. A live inventory that reflects the current state of the network.
Passive asset discovery tools that build inventories without active scanning satisfy this requirement without risking operational disruption.
2. Enduring Exception Documentation
For each OT asset that cannot natively comply with a NIST 800-171 control, assessors look for:
- The specific control cited
- The technical reason the asset cannot comply
- The compensating control implemented
- Evidence that the compensating control works
The Enduring Exception guide covers the full documentation requirements.
3. Access Control Evidence
Assessors ask: who can reach this asset? How is access authorized? What happens when an unauthorized user tries to connect?
They want to see identity-based access control, not just network segmentation. A VLAN limits which network segment can reach the device. An identity-aware proxy limits which authenticated user, with which role, can access which specific asset. Assessors strongly prefer the latter.
4. Audit Trail
Every access event to a CUI-handling asset must be logged. Assessors will ask to see logs showing:
- User identity (not just IP address)
- Timestamp
- Source and destination
- Protocol and action
- Session duration
If the OT asset generates no logs (most do not), the compensating control must capture this at the network layer.
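The identity-aware access decision from section 3 and the audit record from section 4 are two sides of one control: the proxy in front of the asset decides per user and role, and writes the record the assessor will ask for. The following is an added illustration in Python, not Trout or Access Gate code; the asset inventory, roles, policy and sample requests are constructed for the example, and the field names are assumptions. It also shows the evidence-side check a practitioner wants: a function that flags records an assessor would reject, such as one that identifies the "user" only by IP address.

```python
"""Identity-aware access decision plus assessor-ready audit record for an OT asset.

Added example (not Trout / Access Gate code). Assets, roles, policy and sample
requests below are constructed; field names are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed inventory. The whole CNC cell (three PLC addresses) is one asset,
# which is how assessors treat it.
ASSETS = {
    "cnc-mill-1": {"addresses": {"10.20.1.10", "10.20.1.11", "10.20.1.12"}},
    "hmi-line-2": {"addresses": {"10.20.2.5"}},
}

# Constructed policy: role -> set of (asset, protocol, action) that role may perform.
# A VLAN would only say "segment X may reach 10.20.1.0/24"; this says who, to what, doing what.
POLICY = {
    "controls-engineer": {("cnc-mill-1", "modbus", "read"), ("cnc-mill-1", "modbus", "write")},
    "maintenance-contractor": {("hmi-line-2", "vnc", "view")},
}

# Fields an assessor expects in every access record (section 4 of the text).
REQUIRED_FIELDS = ("user", "timestamp", "source", "destination",
                   "protocol", "action", "duration_s", "decision")


def asset_for(address: str):
    """Map a destination address back to the inventory asset it belongs to."""
    for name, meta in ASSETS.items():
        if address in meta["addresses"]:
            return name
    return None


def evaluate(user, role, source, destination, protocol, action, started, ended):
    """Decide allow/deny by identity and role, and emit the audit record either way.

    Denied attempts are recorded too: denied-access records are part of the evidence.
    """
    asset = asset_for(destination)
    allowed = asset is not None and (asset, protocol, action) in POLICY.get(role, set())
    return {
        "user": user,                       # person identity, not an IP
        "role": role,
        "timestamp": started.isoformat(),
        "source": source,
        "destination": destination,
        "asset": asset,
        "protocol": protocol,
        "action": action,
        "duration_s": int((ended - started).total_seconds()),
        "decision": "allow" if allowed else "deny",
    }


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_gaps(record: dict) -> list:
    """Return the reasons an assessor would reject this record; empty list means it passes."""
    gaps = [f"missing {f}" for f in REQUIRED_FIELDS
            if f not in record or record[f] in (None, "")]
    user = record.get("user")
    if user and is_ip(user):
        gaps.append("user identity is an IP address, not a person")
    return gaps


def run_samples():
    """Two constructed requests: an engineer writing to the CNC cell, a contractor
    trying Modbus against the same cell (outside their role). Returns both records."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    engineer = evaluate("jdoe", "controls-engineer", "10.20.9.4", "10.20.1.11",
                        "modbus", "write", t0, t0 + timedelta(minutes=5))
    contractor = evaluate("asmith", "maintenance-contractor", "10.20.9.7", "10.20.1.10",
                          "modbus", "read", t0, t0 + timedelta(seconds=2))
    return engineer, contractor


if __name__ == "__main__":
    for rec in run_samples():
        print(rec["decision"].upper(), rec["user"], "->", rec["asset"],
              rec["protocol"], rec["action"], "gaps:", audit_gaps(rec))
```

The point of `audit_gaps` is that it runs over what the proxy actually wrote, not over the policy document: that is the difference between "documented in the SSP" and "evidence of enforcement", and it is cheap to run before the assessor asks.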
5. Evidence Retrieval
This is where assessments fail most often. The assessor asks for evidence. The organization scrambles to find it. If you cannot produce a policy configuration, a session log, or a segmentation baseline within minutes, the assessor marks the control as not met.
Evidence must be pre-organized, current, and retrievable on demand. Access Gate generates session logs, policy exports, and segmentation baselines that can be pulled during an assessment without preparation.
What Assessors Do Not Focus On
Government Furnished Equipment. If the DoD gave you the device, assessors do not assess it. Your Enduring Exceptions apply to your own specialized assets.
Perfect compliance on every device. Assessors understand OT limitations. They are looking for a documented, defensible approach. The Enduring Exception mechanism exists precisely for this.
Specific vendor choices. Assessors do not care whether you use Trout, Claroty, or homegrown scripts. They care about whether the control is implemented and evidenced.
The Gap Trout Closes
The most common assessment finding in OT environments is: "Controls are documented in the SSP but evidence of enforcement is missing." Access Gate closes this gap by generating the evidence automatically. Session logs, policy configurations, denied-access records, and segmentation baselines are produced continuously and available for assessor review.
The Shared Responsibility Matrix maps each of the 110 NIST 800-171 controls to who enforces it and what evidence is generated.
For more CMMC resources, case studies, and implementation guides, visit the CMMC Compliance for On-Premise hub.