A CMMC enduring exception is a mechanism within the Cybersecurity Maturity Model Certification (CMMC) framework that allows a defense contractor to document that a specific asset cannot natively implement a required security control because of hardware or firmware limitations. The exception does not waive the security requirement; it requires a compensating control that addresses the residual risk.
How enduring exceptions work
CMMC Level 2 requires implementation of 110 security controls derived from NIST SP 800-171. Many OT assets, particularly PLCs, RTUs, embedded controllers, and legacy HMIs, lack the capability to implement controls such as multi-factor authentication, encrypted communications, or audit logging. These devices run purpose-built firmware with no mechanism for installing security agents or modifying authentication behavior.
An enduring exception documents this incapacity in the System Security Plan (SSP). The documentation must identify the specific asset, the specific control it cannot implement, the technical reason it cannot implement that control, and the compensating control that mitigates the resulting risk. The exception is "enduring" because the limitation is inherent to the device and will persist for its operational lifetime, unlike a temporary Plan of Action and Milestones (POA&M) that describes a control gap being actively remediated.
The critical distinction is scope. An enduring exception covers the incapacity of the asset to implement the control natively. It does not cover the risk created by that incapacity. The contractor must still demonstrate that the compensating control reduces the risk to an acceptable level. For example, a PLC that cannot perform user authentication might be compensated by placing it inside a network segment where every access path requires identity verification at the network layer.
The Affirming Official who signs the CMMC assessment is personally attesting that all documented exceptions have valid compensating controls. Under the False Claims Act, signing without verifiable compensating controls creates legal liability. This is not a theoretical risk. The Department of Justice has signaled that CMMC compliance attestations will be subject to the same scrutiny as other government contract certifications.
OT and industrial context
Defense manufacturers frequently operate CNC machines, welding robots, and test equipment with embedded controllers that are 10 to 20 years old. These devices process controlled technical drawings (CUI) and therefore fall within the CMMC assessment boundary. Replacing them is often cost-prohibitive and may require re-qualification of the entire production process.
A typical enduring exception scenario involves a CNC controller that receives G-code files containing CUI over an unencrypted FTP connection. The controller's firmware does not support SFTP, TLS, or any encrypted transport. The enduring exception documents this limitation. The compensating control might place the CNC controller inside an overlay-enforced enclave where only authenticated, authorized file servers can reach the FTP port, and all traffic within the enclave is encrypted at the network layer even though the application protocol is not.
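A concrete form of the network-layer allowlist that the compensating controls above describe (the identity-verified segment in the PLC case and the restricted FTP path in the CNC case), as an added example that is not from this page or from Access Gate: an nftables ruleset for the gateway that fronts the enclave. Only the designated file server may open an FTP session to the controller, the FTP conntrack helper tracks the negotiated data channel, and every other packet aimed at the controller is logged and dropped so the denial record can be handed to an assessor. The addresses 10.20.0.5 (authorized file server) and 10.20.1.10 (CNC controller) are assumed values.

```nftables
# Added example: enclave gateway ruleset for a CNC controller that only
# speaks plain FTP. Assumed addresses: 10.20.0.5 = authorized file server,
# 10.20.1.10 = CNC controller. Default-deny in both directions; the
# controller never initiates connections, so nothing from it is allowed out.
table inet cnc_enclave {
    # Conntrack helper that parses PORT/PASV so the FTP data channel is
    # tracked and admitted as RELATED (requires the nf_conntrack_ftp module)
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain forward {
        type filter hook forward priority 0; policy drop

        # Replies and helper-derived data channels for sessions already admitted
        ct state established,related accept

        # Attach the FTP helper to new control connections toward the controller
        ip daddr 10.20.1.10 tcp dport 21 ct state new ct helper set "ftp-std"

        # The only permitted path into the controller: the designated file server
        ip saddr 10.20.0.5 ip daddr 10.20.1.10 tcp dport 21 ct state new accept

        # Anything else aimed at the controller is logged as assessment evidence
        ip daddr 10.20.1.10 log prefix "cnc-enclave-denied " counter drop
    }
}
```

Load the file with `nft -f` on the gateway. This fragment covers only the reachability half of the compensating control; the encryption the text describes would come from a separate tunnel (for example IPsec or WireGuard) between the file server and the gateway, so that the cleartext FTP leg exists only inside the enclave.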
Compliance relevance
CMMC enduring exceptions are governed by 32 CFR Part 170 and must be documented in the SSP alongside the associated compensating controls. NIST SP 800-171A provides assessment procedures that assessors use to evaluate whether compensating controls adequately address the risk. The exception mechanism aligns conceptually with IEC 62443 Security Level (SL) targeting, where devices with limited security capabilities are protected by the zone-level controls surrounding them.
Related terms
Access Gate connection
Access Gate provides compensating controls for OT assets that qualify for CMMC enduring exceptions by wrapping them in identity-enforced, encrypted overlay segments at the network layer. Learn more at CMMC enduring exceptions for OT.

