CMMC Shared Responsibility Matrix.
87 of 110 NIST 800-171 controls enforced at the network layer. The remaining 23 are customer process controls.
What is a CMMC Shared Responsibility Matrix?
A Shared Responsibility Matrix (SRM) maps each NIST 800-171 control to the party responsible for enforcing it. For on-premise environments with Access Gate, the SRM divides the 110 controls into three categories: controls enforced by Access Gate, customer-owned controls, and compensating controls for OT assets.
Breakdown by Control Family.
Each row shows a NIST 800-171 control family, how many of its controls Access Gate enforces, and what the customer must own. The table itemizes ten of the fourteen NIST SP 800-171 Rev. 2 families; Awareness and Training (AT), Maintenance (MA), Security Assessment (CA), and System and Information Integrity (SI) are not broken out here, so the per-family figures shown do not add up to the 87/110 total on their own.
| Control Family | Coverage | Access Gate Enforces | Customer Owns |
|---|---|---|---|
| Access Control (AC) | 20/22 | Identity-based access control, RBAC, session-level enforcement, least-privilege policies. All enforced at network proxy layer. | Physical access control policies (PE overlap), mobile device policies. |
| Audit & Accountability (AU) | 9/9 | Tamper-evident session logs, user identity attribution, SIEM forwarding, log retention, automated alerting. | None. Full coverage. |
| Configuration Management (CM) | 7/9 | Baseline configuration enforcement, change tracking, overlay network topology versioning. | Software inventory processes, configuration change approval workflows. |
| Identification & Authentication (IA) | 11/11 | MFA enforcement at proxy boundary, identity gateway, credential management, replay-resistant authentication. | None. Full coverage. |
| System & Communications Protection (SC) | 14/16 | TLS/FIPS encryption on CUI paths, deny-by-default, microsegmentation, overlay isolation, session boundary enforcement. | Protection of CUI at rest on endpoints and removable media, e.g. endpoint encryption/DLP (SC 3.13.16), public-access system separation policies. |
| Incident Response (IR) | 2/3 | Automated incident detection from session anomalies, alert correlation, forensic session replay. | Incident response plan documentation, reporting chain, external notification procedures. |
| Physical Protection (PE) | 0/5 | Not applicable. Network-layer enforcement does not cover physical security. | Facility access control, visitor logs, physical perimeter, environmental controls, delivery/removal procedures. |
| Personnel Security (PS) | 0/2 | Not applicable. Personnel screening is an organizational process. | Background checks, termination procedures, personnel screening. |
| Media Protection (MP) | 0/9 | Not applicable. Physical media handling is outside network enforcement scope. | Removable media policies, sanitization, marking, storage, transport, disposal. |
| Risk Assessment (RA) | 0/3 | Passive asset discovery supports risk visibility. Active vulnerability scanning of OT assets documented as NA with rationale. | Risk assessment processes, vulnerability scanning (documented NA for OT with compensating controls). |
| Total | 87/110 | Network-layer enforcement across IT and OT | Physical, personnel, media, and process controls |
Controls That PLCs Cannot Meet.
OT assets such as PLCs, CNCs, and HMIs cannot run agents, enforce MFA, or generate audit logs. Access Gate provides compensating controls at the network layer.
Multi-Factor Authentication
Production machines, CNC controllers, and quality inspection stations have no native identity stack. Access Gate enforces MFA at the proxy layer before any session reaches the equipment.
Audit Logging
Legacy production equipment generates no audit logs. Access Gate captures tamper-evident session logs with user identity, timestamp, protocol, and payload for every connection.
Encryption in Transit
Industrial protocols on CNC cutters, labeling systems, and factory controllers transmit in plaintext. Access Gate enforces TLS/FIPS encryption on CUI paths.
Access Control
Shop floor equipment accepts any connection on its open port. Access Gate enforces RBAC at the proxy boundary per user, asset, protocol, and time window.
Deny by Default
Production machines and quality scanners have no connection filtering. Access Gate enforces deny-all with explicit allowlist exceptions.
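The five compensating controls above (MFA at the proxy, tamper-evident session logs, per-user/asset/protocol/time-window RBAC, and deny-all with allowlist exceptions) share one shape: a policy decision point in front of equipment that cannot make the decision itself. The following Python model is an added example, not Access Gate code, showing that shape end to end. The rule set, asset names, users, and timestamps are constructed for illustration; the hash-chained log is a minimal stand-in for whatever tamper-evidence mechanism a real proxy uses.

```python
"""Illustrative proxy-layer policy decision point for OT assets (example code,
not Access Gate's implementation). Shows: MFA checked at the proxy, deny-by-default
with explicit allowlist rules keyed on role/asset/protocol/time window, and a
hash-chained session log whose integrity can be verified afterwards."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    """One explicit allowlist exception. Anything not matched by a rule is denied."""
    role: str
    asset: str
    protocol: str
    window_start: time  # inclusive
    window_end: time    # exclusive


@dataclass
class SessionRequest:
    user: str
    role: str
    mfa_verified: bool  # assertion from the identity gateway, not from the PLC
    asset: str
    protocol: str
    at: datetime


@dataclass
class Decision:
    allow: bool
    reason: str


class ProxyPolicy:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.log: list[dict] = []  # hash-chained audit records, newest last

    def evaluate(self, req: SessionRequest) -> Decision:
        # MFA is enforced here because the equipment behind the proxy cannot do it.
        if not req.mfa_verified:
            d = Decision(False, "mfa_required")
        else:
            d = Decision(False, "no_matching_rule")  # deny-by-default
            for r in self.rules:
                if (r.role, r.asset, r.protocol) != (req.role, req.asset, req.protocol):
                    continue
                if r.window_start <= req.at.time() < r.window_end:
                    d = Decision(True, f"rule:{r.role}/{r.asset}/{r.protocol}")
                    break
                d = Decision(False, "outside_time_window")
        self._append_log(req, d)  # every attempt is logged, allowed or not
        return d

    def _append_log(self, req: SessionRequest, d: Decision) -> None:
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        rec = {
            "ts": req.at.isoformat(), "user": req.user, "asset": req.asset,
            "protocol": req.protocol, "decision": "allow" if d.allow else "deny",
            "reason": d.reason, "prev": prev,
        }
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.log.append(rec)

    def verify_log(self) -> bool:
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for rec in self.log:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def demo() -> dict:
    """Constructed scenario: two rules for one CNC, four session attempts."""
    policy = ProxyPolicy([
        Rule("cnc_operator", "cnc-07", "modbus-tcp", time(6, 0), time(18, 0)),
        Rule("maint_vendor", "cnc-07", "vnc", time(9, 0), time(12, 0)),
    ])
    day = datetime(2025, 3, 4)
    r1 = policy.evaluate(SessionRequest("alice", "cnc_operator", True, "cnc-07", "modbus-tcp", day.replace(hour=10, minute=15)))
    r2 = policy.evaluate(SessionRequest("bob", "maint_vendor", True, "cnc-07", "vnc", day.replace(hour=14)))
    r3 = policy.evaluate(SessionRequest("eve", "cnc_operator", False, "cnc-07", "modbus-tcp", day.replace(hour=10, minute=20)))
    r4 = policy.evaluate(SessionRequest("alice", "cnc_operator", True, "plc-03", "modbus-tcp", day.replace(hour=10, minute=30)))
    intact = policy.verify_log()
    policy.log[1]["decision"] = "allow"  # simulate after-the-fact tampering
    return {"r1": r1.allow, "r2": r2.reason, "r3": r3.reason, "r4": r4.reason,
            "intact": intact, "tampered": policy.verify_log()}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MFA assertion is tested before any rule lookup, so an unauthenticated request never learns whether a rule for its target exists, and a request that matches a rule's role/asset/protocol but falls outside the window is denied with a distinct reason so the SIEM can separate misconfiguration from probing.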
Related resources.
- CMMC Compliance for On-Premise: case studies, blog posts, and solution pages for CMMC compliance on existing networks (CMMC on-premise compliance hub).
- DoD Zero-Trust OT Alignment: DTM 25-003 pillar mapping for Access Gate across all 7 DoD OT-ZT pillars (DoD Zero-Trust OT alignment guide).
Pair With Open-CMMC for the CUI Enclave Side.
The Matrix maps each NIST 800-171 control to a responsible party. Open-CMMC is the open-source implementation of the enclave side: per-control posture and gap-analysis docs ready to paste into your SSP.
Shared Responsibility Matrix FAQ.
87 of 110 NIST 800-171 controls enforced by Access Gate at the network layer.
What is a Shared Responsibility Matrix?
A Shared Responsibility Matrix maps every NIST 800-171 control required for CMMC Level 2 to the party responsible for enforcing it.
Which controls can OT assets not meet on their own?
PLCs, CNCs, and HMIs typically cannot meet controls requiring multi-factor authentication (IA 3.5.3), audit logging (AU 3.3.1/3.3.2), encryption in transit (SC 3.13.8), access control with least privilege (AC 3.1.1/3.1.2), and deny-by-default network communications (SC 3.13.6).
What is a compensating control?
A compensating control is an alternative security measure that provides equivalent protection when the standard control cannot be implemented on the asset.
How many controls does Access Gate enforce?
Access Gate enforces 87 of 110 NIST 800-171 controls at the network layer, with full coverage in Audit and Accountability (9/9) and Identification and Authentication (11/11).
Which controls remain with the customer?
Customer-owned controls fall into four categories: Physical Protection (PE), Personnel Security (PS), Media Protection (MP), and Risk Assessment (RA).
How should the SRM be used in an assessment?
Provide the SRM to your assessor before the assessment begins. It establishes which controls are enforced by Access Gate, with technical evidence.
Can the SRM be tailored to my environment?
Yes. The base SRM covers the standard Access Gate deployment. Your specific environment may shift some controls.
Is the SRM kept up to date?
The SRM is versioned alongside Access Gate releases. When new enforcement capabilities are added, the SRM is updated.
Get Your Shared Responsibility Matrix.
The Trout team will tailor the SRM to your facility, assets, and compliance timeline.
Contact us