
Compensating Control (CMMC)


A compensating control is a security mechanism that delivers equivalent protection when the targeted NIST SP 800-171 Rev 2 requirement cannot be implemented on the asset itself. Under CMMC Level 2, every Enduring Exception must be paired with a compensating control that is technically implemented, not just described on paper.

When compensating controls are required

CMMC maps Level 2 to the 110 controls in NIST SP 800-171 Rev 2. A defense contractor can invoke an Enduring Exception for an asset — typically a PLC, CNC, HMI, or other specialized OT equipment — that cannot natively satisfy a given control. The exception documents the asset's incapacity. It does not remove the control obligation. A compensating control closes the gap.

The Affirming Official who signs the assessment is certifying that each compensating control produces verifiable evidence equivalent to the original requirement. A C3PAO will ask for that evidence during the assessment. Control language on paper without a working technical implementation is not sufficient.

What the compensating control must do

Four tests for an acceptable compensating control:

  1. Equivalent risk reduction. The control must mitigate the specific risk that the unimplemented requirement addresses — not a similar risk, the same one.
  2. Technically implemented. The mechanism is deployed, not planned. Configuration is exportable as evidence.
  3. Verifiable. Logs, policy exports, or network captures demonstrate the control operating.
  4. Documented in the SSP. The asset, the uncovered control, the compensating mechanism, and the evidence path are all written down.

Proxy-layer enforcement for OT

Most OT compensating controls shift enforcement from the asset to a network-layer proxy. A CNC controller that cannot perform MFA is protected by an identity gateway that enforces MFA at the network boundary before any session reaches the machine. A legacy controller that cannot generate audit logs is protected by session logging at the proxy. A device that speaks plaintext Modbus is protected by encrypted transport terminating at the proxy inside a micro-DMZ.

The pattern is consistent: the asset remains unchanged, the compensating control runs elsewhere, the SSP documents the architecture.
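A minimal illustration of that pattern, added here as example code rather than anything from the original page or from Trout's own products: a Python proxy that sits between a client the identity gateway has already authenticated and a plaintext Modbus/TCP controller, writing one audit record per frame (the audit-logging compensating control) and refusing state-changing function codes for identities without a write role. The `identity` dict standing in for the gateway's MFA result, the user name, source address and roles are all assumptions; TLS termination in front of the proxy is left out.

```python
import socket
import struct
import time
MBAP = struct.Struct(">HHHB")  # Modbus/TCP header: transaction id, protocol id, length, unit id
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # function codes that change device state

def parse_frame(data):
    """Return (tid, unit, function_code, frame_length) or None while the frame is incomplete."""
    if len(data) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(data)
    if proto != 0 or length < 2:
        raise ValueError("not a Modbus/TCP frame")
    total = MBAP.size - 1 + length  # 'length' counts the unit id byte plus the PDU
    return (tid, unit, data[MBAP.size], total) if len(data) >= total else None

def proxy_session(client, asset, identity, audit):
    """Relay frames from an already-authenticated client (identity: assumed output of the MFA
    gateway) to the asset, one audit record per frame; writes need the 'write' role."""
    forwarded, buf = 0, b""
    while chunk := client.recv(4096):
        buf += chunk
        while (parsed := parse_frame(buf)) is not None:
            tid, unit, fc, total = parsed
            frame, buf = buf[:total], buf[total:]
            allowed = fc not in WRITE_FUNCTIONS or "write" in identity["roles"]
            audit.append({"ts": time.time(), "user": identity["user"], "src": identity["src"],
                          "unit": unit, "fc": fc, "tid": tid, "allowed": allowed})
            if allowed:
                asset.sendall(frame)
                forwarded += 1
            else:  # Modbus exception 0x01 (illegal function); nothing reaches the asset
                client.sendall(MBAP.pack(tid, 0, 3, unit) + bytes([fc | 0x80, 0x01]))
    return forwarded

def demo():
    """Constructed sample session: a read-only operator sends one read and one write request."""
    client_side, proxy_client = socket.socketpair()
    proxy_asset, asset_side = socket.socketpair()
    read_req = MBAP.pack(1, 0, 6, 1) + bytes([3, 0, 0, 0, 2])   # fc 3: read 2 holding registers at 0
    write_req = MBAP.pack(2, 0, 6, 1) + bytes([6, 0, 0, 0, 1])  # fc 6: write single register
    client_side.sendall(read_req + write_req)
    client_side.shutdown(socket.SHUT_WR)  # client done sending; the proxy's recv() then returns b""
    identity = {"user": "operator1", "src": "10.0.5.7", "roles": {"read"}}  # constructed assertion
    audit = []
    forwarded = proxy_session(proxy_client, proxy_asset, identity, audit)
    at_asset, to_client = asset_side.recv(1024), client_side.recv(1024)
    for s in (client_side, proxy_client, proxy_asset, asset_side):
        s.close()
    return forwarded, audit, at_asset, to_client
```

The `audit` list is what an assessor would export as evidence for the asset's audit-logging control; in a deployment it would be shipped to the SIEM rather than kept in memory.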

Related terms

Access Gate connection

Access Gate is commonly used to host compensating controls for OT assets that qualify for Enduring Exceptions — enforcing identity, audit, and encryption at the network boundary rather than modifying the asset. See the CMMC Shared Responsibility Matrix for per-control coverage.