
CMMC Shared Responsibility Matrix.

87 of the 110 NIST 800-171 controls are enforced at the network layer. The remaining 23 are process controls owned by the customer.

What is a CMMC Shared Responsibility Matrix?

A Shared Responsibility Matrix (SRM) maps each NIST 800-171 control to the party responsible for enforcing it. For on-premise environments using Access Gate, the SRM divides the 110 controls into three categories: controls enforced by Access Gate, controls owned by the customer, and compensating controls for OT assets.

87: controls enforced by Access Gate
23: controls owned by the customer
6: control families with TAG coverage
110: total NIST 800-171 controls
Responsibility Matrix

Breakdown by Control Family.

Each row shows a NIST 800-171 control family, how many of its controls Access Gate enforces, and what the customer must own.

Access Control (AC): 20/22
Access Gate: Identity-based access control, RBAC, session-level enforcement, least-privilege policies. All enforced at the network proxy layer.
Customer: Physical access control policies (PE overlap), mobile device policies.

Audit & Accountability (AU): 9/9
Access Gate: Tamper-evident session logs, user identity attribution, SIEM forwarding, log retention, automated alerting.
Customer: None. Full coverage.

Configuration Management (CM): 7/9
Access Gate: Baseline configuration enforcement, change tracking, overlay network topology versioning.
Customer: Software inventory processes, configuration change approval workflows.

Identification & Authentication (IA): 11/11
Access Gate: MFA enforcement at the proxy boundary, identity gateway, credential management, replay-resistant authentication.
Customer: None. Full coverage.

System & Communications Protection (SC): 14/16
Access Gate: TLS/FIPS encryption on CUI paths, deny-by-default, microsegmentation, overlay isolation, session boundary enforcement.
Customer: Endpoint DLP for removable media (SC 3.13.16), public-access system separation policies.

Incident Response (IR): 2/3
Access Gate: Automated incident detection from session anomalies, alert correlation, forensic session replay.
Customer: Incident response plan documentation, reporting chain, external notification procedures.

Physical Protection (PE): 0/5
Access Gate: Not applicable. Network-layer enforcement does not cover physical security.
Customer: Facility access control, visitor logs, physical perimeter, environmental controls, delivery/removal procedures.

Personnel Security (PS): 0/2
Access Gate: Not applicable. Personnel screening is an organizational process.
Customer: Background checks, termination procedures, personnel screening.

Media Protection (MP): 0/9
Access Gate: Not applicable. Physical media handling is outside network enforcement scope.
Customer: Removable media policies, sanitization, marking, storage, transport, disposal.

Risk Assessment (RA): 0/3
Access Gate: Passive asset discovery supports risk visibility. Active vulnerability scanning of OT assets is documented as N/A with rationale.
Customer: Risk assessment processes, vulnerability scanning (documented N/A for OT with compensating controls).

OT Compensating Controls

Controls That PLCs Cannot Satisfy.

OT assets such as PLCs, CNCs, and HMIs cannot run agents, enforce MFA, or generate audit logs. Access Gate provides compensating controls at the network layer.

IA 3.5.3: Multi-Factor Authentication
Production machines, CNC controllers, and quality inspection stations have no native identity stack. Access Gate enforces MFA at the proxy layer before any session reaches the equipment.

AU 3.3.1/3.3.2: Audit Logging
Legacy production equipment generates no audit logs. Access Gate captures tamper-evident session logs with user identity, timestamp, protocol, and payload for every connection.

SC 3.13.8: Encryption in Transit
Industrial protocols on CNC cutters, labeling systems, and factory controllers transmit in plaintext. Access Gate enforces TLS/FIPS encryption on CUI paths.

AC 3.1.1/3.1.2: Access Control
Shop floor equipment accepts any connection on its open port. Access Gate enforces RBAC at the proxy boundary per user, asset, protocol, and time window.

SC 3.13.6: Deny by Default
Production machines and quality scanners have no connection filtering. Access Gate enforces deny-all with explicit allowlist exceptions.
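To make the network-layer compensating controls above concrete, here is an added illustration that is not Trout's Access Gate code: a deny-by-default policy evaluated per user role, asset, protocol, and time window (the AC 3.1.1/3.1.2 and SC 3.13.6 pattern), with every decision, allowed or denied, appended to a hash-chained session log attributed to a user identity (the AU 3.3.1/3.3.2 pattern). The Rule, decide, SessionLog and proxy_connect names, the asset identifiers and the sample allowlist are all constructed for the example.

```python
"""Deny-by-default OT proxy policy with a hash-chained session log.

Added illustration, not Trout's Access Gate code. The Rule/decide/SessionLog
names, the asset identifiers and the sample allowlist are all constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    """One explicit allow entry: who may reach which asset, how, and when."""
    role: str        # role the user must hold (RBAC, AC 3.1.1/3.1.2)
    asset: str       # OT asset behind the proxy (constructed id, e.g. "cnc-07")
    protocol: str    # industrial protocol permitted on this path
    start: time      # inclusive start of the allowed time window
    end: time        # exclusive end of the allowed time window

    def matches(self, roles, asset, protocol, at):
        return (self.role in roles
                and self.asset == asset
                and self.protocol == protocol
                and self.start <= at.time() < self.end)


# Constructed sample allowlist. Anything not matched here is denied (SC 3.13.6).
ALLOWLIST = (
    Rule("machinist", "cnc-07", "modbus-tcp", time(6, 0), time(18, 0)),
    Rule("maintenance", "plc-12", "s7comm", time(0, 0), time(23, 59, 59)),
    Rule("inspector", "qc-station-2", "opc-ua", time(8, 0), time(17, 0)),
)


def decide(roles, asset, protocol, at_iso, allowlist=ALLOWLIST):
    """Return (allowed, reason). The default answer is deny; only an explicit
    rule matching role, asset, protocol and time window allows."""
    at = datetime.fromisoformat(at_iso)
    for rule in allowlist:
        if rule.matches(roles, asset, protocol, at):
            return True, f"allow: {rule.role} -> {rule.asset}/{rule.protocol}"
    return False, "default deny"


class SessionLog:
    """Append-only log in which every entry commits to the previous entry's
    hash, so an edited, dropped or reordered entry breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._last = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, roles, asset, protocol, at_iso, allowed, reason):
        """Append one decision, attributed to a user identity (AU 3.3.2)."""
        body = {"user": user, "roles": sorted(roles), "asset": asset,
                "protocol": protocol, "ts": at_iso, "allowed": allowed,
                "reason": reason, "prev": self._last}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        self._last = digest
        return digest

    def verify(self):
        """Recompute the whole chain from the genesis hash."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def proxy_connect(log, user, roles, asset, protocol, at_iso):
    """Evaluate a connection request at the proxy boundary and log the outcome
    whether it was allowed or denied. Returns True only for an explicit allow."""
    allowed, reason = decide(roles, asset, protocol, at_iso)
    log.record(user, roles, asset, protocol, at_iso, allowed, reason)
    return allowed


if __name__ == "__main__":
    log = SessionLog()
    print(proxy_connect(log, "alice", ["machinist"], "cnc-07", "modbus-tcp", "2025-01-06T09:30:00"))
    print(proxy_connect(log, "alice", ["machinist"], "cnc-07", "modbus-tcp", "2025-01-06T22:00:00"))
    print(proxy_connect(log, "bob", [], "plc-12", "s7comm", "2025-01-06T09:30:00"))
    print("log intact:", log.verify())
```

Two design points carry over to any real proxy: denials are logged as well as allows, because a denied connection attempt against a PLC is exactly the event an assessor or incident responder wants to see, and the chain hash gives the log its tamper evidence only if the latest hash is also exported somewhere the proxy host cannot rewrite (for example the SIEM the matrix mentions).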

Related: CMMC Compliance for On-Premise
Case studies, blog posts, and solution pages for CMMC compliance on existing networks.

Related: DoD Zero-Trust OT Alignment
DTM 25-003 pillar mapping for Access Gate across all 7 DoD OT-ZT pillars.

Pair With Open-CMMC for the CUI Enclave Side (open source, Apache-2.0).
The Matrix maps each NIST 800-171 control to a responsible party. Open-CMMC is the open-source implementation of the enclave side: per-control posture and gap-analysis docs ready to paste into your SSP.
Shared Responsibility Matrix FAQ.

87 of the 110 NIST 800-171 controls are enforced by Access Gate at the network layer.

A Shared Responsibility Matrix maps every NIST 800-171 control required for CMMC Level 2 to the party responsible for enforcing it. It tells your C3PAO assessor which controls Access Gate handles at the network layer, which the customer must own through process controls, and which are addressed through compensating controls for OT assets.

PLCs, CNCs, and HMIs typically cannot meet controls requiring multi-factor authentication (IA 3.5.3), audit logging (AU 3.3.1/3.3.2), encryption in transit (SC 3.13.8), access control with least privilege (AC 3.1.1/3.1.2), and deny-by-default network communications (SC 3.13.6).

A compensating control is an alternative security measure that provides equivalent protection when the standard control cannot be implemented on the asset. For OT, this means enforcing the control at the network layer through a proxy rather than on the device itself.

Access Gate enforces 87 of 110 NIST 800-171 controls at the network layer. Coverage is complete in Audit and Accountability (9/9) and Identification and Authentication (11/11), and strong in Access Control (20/22), System and Communications Protection (14/16), and Configuration Management (7/9).

Customer-owned controls fall into four categories: Physical Protection (PE), Personnel Security (PS), Media Protection (MP), and Risk Assessment (RA). These are organizational and physical controls outside the scope of network-layer enforcement.

Provide the SRM to your assessor before the assessment begins. It establishes which controls are enforced by Access Gate with technical evidence and which are documented through your organizational processes.

Yes, the SRM can be tailored. The base SRM covers the standard Access Gate deployment; your specific environment may shift some controls between TAG-enforced and customer-owned depending on your network architecture.

The SRM is versioned alongside Access Gate releases. When new enforcement capabilities are added, the SRM is updated to reflect additional control coverage.

Get Your Shared Responsibility Matrix.

The Trout team will tailor the SRM to your facility, your assets, and your compliance timeline.

Contact us