The CMMC Enduring Exception does not exempt you from compliance. It requires you to document why a specific asset cannot meet a specific control, implement a compensating control that provides equivalent protection, and produce evidence that the compensating control works. An Affirming Official must sign off. If you get this wrong, you face False Claims Act liability.
For the compensating-control architecture itself, see our CMMC compliance for defense manufacturers overview.
What the Enduring Exception Covers
The Enduring Exception applies to assets that cannot natively comply with NIST 800-171 controls due to technical limitations. PLCs, CNCs, HMIs, and legacy OT equipment are the most common examples. These devices lack identity stacks, cannot generate audit logs, do not support MFA, and transmit over plaintext industrial protocols.
The exception does not apply to assets you simply have not gotten around to securing. It applies to assets that structurally cannot comply.
The Five Documentation Requirements
For each asset invoking the Enduring Exception, your SSP must include:
1. Asset identification. Name the specific device, its function, its network location, and the protocol it uses. A C3PAO assessor will want to see this device on your asset inventory.
2. The specific control requirement. Cite the exact NIST 800-171 control (e.g., IA 3.5.3 for MFA, AU 3.3.1 for audit logging). Do not say "various controls." Name each one.
3. Why the asset cannot comply. Document the technical limitation. A PLC has no identity stack. A CNC transmits over Modbus with no TLS support. The firmware cannot be updated. Be specific.
4. The compensating control. Describe exactly how you achieve equivalent protection. If the device cannot enforce MFA, document that a proxy gateway enforces MFA for human sessions — and a degraded but auditable credential (mutual TLS certificate or scoped service-account credential) for any machine-to-machine sessions — before either reaches the device. If the device generates no logs, document that network-layer session logging captures user or service identity, timestamp, protocol, and payload for every connection.
5. Evidence that the compensating control works. This is where most organizations fail. A narrative is not evidence. You need the gateway policy configuration, session logs showing that enforcement actually happened (identity, MFA or certificate result, timestamp, protocol), the segmentation baseline that defines which sources may reach the asset, and denied-access records proving that deny-by-default fired against something. Your C3PAO will ask for these on demand, so they should be producible from the live system, not reconstructed for the assessment.
The Affirming Official Requirement
An Affirming Official must review the compensating control evidence and sign off. This is not a rubber stamp on the SSP narrative. The Affirming Official is attesting that the compensating controls are technically implemented and verifiable.
The False Claims Act Hook
When you submit your CMMC score to SPRS, you are making a representation to the federal government. If your Enduring Exception documentation is incomplete, if your compensating controls are planned but not implemented, or if your evidence does not match your claims, you are exposed to False Claims Act liability. This is not theoretical. The DoD has stated it will use FCA enforcement for CMMC misrepresentation.
The Five Controls That Matter Most for OT
Most OT Enduring Exceptions center on five NIST 800-171 controls:
- IA 3.5.3 (Multi-Factor Authentication) — PLCs and HMIs have no identity stack
- AU 3.3.1 / 3.3.2 (Audit Logging) — Legacy OT generates no logs
- SC 3.13.8 (Encryption in Transit) — Industrial protocols transmit in plaintext
- AC 3.1.1 / 3.1.2 (Access Control) — OT assets accept any connection
- SC 3.13.6 (Deny by Default) — No connection filtering on the device
For each of these, Access Gate provides a compensating control at the network layer: MFA at the proxy for human sessions (with mutual TLS or service-account credentials for machine-to-machine flows), session logging with identity attribution, TLS encryption on CUI paths, RBAC enforcement, and deny-all default posture. The Shared Responsibility Matrix documents exactly which controls are enforced and which evidence is generated.
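The evidence requirement above and the five controls just listed can be checked mechanically rather than described in a narrative. The script below is an added example, not the page's own material and not Access Gate's code. It assumes a hypothetical gateway that writes one JSON record per session with the fields shown, and the asset inventory entries and log lines are constructed for illustration. For each asset invoking the exception, it counts allowed and denied sessions, flags any allowed session that contradicts the claimed compensating control (human session without MFA, machine session without mTLS or a scoped service account, no identity attribution, or a source outside the segmentation baseline), and records a gap when the log window holds no denied-access record at all, since without one the deny-by-default claim for 3.13.6 is unsupported.

```python
"""Evidence check for OT Enduring Exception compensating controls.

Added example; not the page's or Access Gate's code. Assumes a hypothetical
gateway log with one JSON object per session using the fields below.
"""
import json

# Constructed SSP inventory entries for assets invoking the exception.
# 'allowed_sources' is the segmentation baseline the gateway enforces.
ASSET_INVENTORY = [
    {"asset": "PLC-LINE3-01", "address": "10.40.3.11", "protocol": "modbus-tcp",
     "exceptions": ["3.5.3", "3.3.1", "3.3.2", "3.13.6"],
     "allowed_sources": {"10.40.1.5", "10.40.1.6"}},
    {"asset": "CNC-MILL-07", "address": "10.40.3.22", "protocol": "s7comm",
     "exceptions": ["3.5.3", "3.3.2", "3.13.6"],
     "allowed_sources": {"10.40.1.5"}},
]

# Constructed gateway session log (hypothetical format).
SESSION_LOG = """
{"ts": "2024-05-01T08:00:01Z", "src": "10.40.1.5", "dst": "10.40.3.11", "proto": "modbus-tcp", "principal": "jdoe", "kind": "human", "auth": "password+totp", "mfa": true, "action": "allow"}
{"ts": "2024-05-01T08:02:13Z", "src": "10.40.1.6", "dst": "10.40.3.11", "proto": "modbus-tcp", "principal": "svc-historian", "kind": "machine", "auth": "mtls", "mfa": false, "action": "allow"}
{"ts": "2024-05-01T08:05:40Z", "src": "10.40.9.77", "dst": "10.40.3.11", "proto": "modbus-tcp", "principal": null, "kind": "unknown", "auth": "none", "mfa": false, "action": "deny"}
{"ts": "2024-05-01T09:11:02Z", "src": "10.40.1.5", "dst": "10.40.3.22", "proto": "s7comm", "principal": "mlee", "kind": "human", "auth": "password", "mfa": false, "action": "allow"}
{"ts": "2024-05-01T09:15:30Z", "src": "10.40.1.5", "dst": "10.40.3.22", "proto": "s7comm", "principal": "", "kind": "machine", "auth": "mtls", "mfa": false, "action": "allow"}
{"ts": "2024-05-01T09:20:00Z", "src": "10.40.2.9", "dst": "10.40.3.22", "proto": "s7comm", "principal": "ops-laptop", "kind": "machine", "auth": "service_account", "mfa": false, "action": "allow"}
"""

# Credential types accepted for machine-to-machine sessions (assumption).
MACHINE_AUTH_OK = {"mtls", "service_account"}


def parse_session_log(text):
    """Parse one JSON session record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_session(asset, s):
    """Return (control, reason) findings for one *allowed* session."""
    findings = []
    if "3.5.3" in asset["exceptions"]:
        if s["kind"] == "human" and not s.get("mfa"):
            findings.append(("3.5.3", "human session allowed without MFA"))
        elif s["kind"] == "machine" and s.get("auth") not in MACHINE_AUTH_OK:
            findings.append(("3.5.3", f"machine session with auth={s.get('auth')!r}"))
        elif s["kind"] not in ("human", "machine"):
            findings.append(("3.5.3", "allowed session of unclassified kind"))
    if "3.3.2" in asset["exceptions"] and not s.get("principal"):
        findings.append(("3.3.2", "allowed session has no identity attribution"))
    if "3.13.6" in asset["exceptions"] and s["src"] not in asset["allowed_sources"]:
        findings.append(("3.13.6", f"allowed connection from non-baseline source {s['src']}"))
    return findings


def build_evidence(assets, sessions):
    """Summarise per-asset enforcement evidence, violations and evidence gaps."""
    by_addr = {a["address"]: a for a in assets}
    report = {a["asset"]: {"allowed": 0, "denied": 0, "violations": [], "gaps": []}
              for a in assets}
    for s in sessions:
        asset = by_addr.get(s["dst"])
        if asset is None:
            continue  # not an exception asset; out of scope here
        entry = report[asset["asset"]]
        if s["action"] == "deny":
            entry["denied"] += 1  # denied-access record: proof deny-by-default fired
            continue
        entry["allowed"] += 1
        for control, reason in check_session(asset, s):
            entry["violations"].append({"ts": s["ts"], "control": control, "reason": reason})
    for a in assets:
        entry = report[a["asset"]]
        if "3.13.6" in a["exceptions"] and entry["denied"] == 0:
            entry["gaps"].append("3.13.6: no denied-access records in this window")
    return report


if __name__ == "__main__":
    report = build_evidence(ASSET_INVENTORY, parse_session_log(SESSION_LOG))
    print(json.dumps(report, indent=2))
```

Run against the constructed log, PLC-LINE3-01 comes out clean with one denied-access record, while CNC-MILL-07 shows a human session without MFA, an allowed session with an empty principal, an allowed connection from outside its baseline, and no denied-access record to support its deny-by-default claim. Each of those is exactly the kind of mismatch between SSP narrative and live enforcement that an assessor, or an FCA investigator, would look for.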
The Assessor Perspective
Assessors treat the larger system as the asset, not just the PLC. A CNC mill (controller, HMI and drives together) or a production line segment is assessed as a unit. This reduces the number of individual Enduring Exception justifications you need to write, but each unit still needs all five documentation elements and its own evidence.
For more CMMC resources, case studies, and implementation guides, visit the CMMC Compliance for On-Premise hub.