CMMC Shared Responsibility Matrix for OT.
87 of 110 NIST 800-171 controls enforced at the network layer. The remaining 23 are customer-owned process controls. This page shows exactly which controls Access Gate enforces, which it supports, and which are yours.
What is a CMMC Shared Responsibility Matrix?
A Shared Responsibility Matrix (SRM) maps every NIST 800-171 control to the party responsible for enforcing it. For on-premise environments using Access Gate, the SRM divides 110 controls into three categories: controls enforced by Access Gate at the network layer, controls the customer must own (physical security, personnel, media handling), and controls where Access Gate provides compensating controls for OT assets that cannot comply natively.
Control Family Breakdown.
Each row shows a NIST 800-171 control family, how many controls Access Gate enforces, and what the customer must own. The full downloadable matrix includes per-control detail.
| Control Family | Coverage | Access Gate Enforces | Customer Owns |
|---|---|---|---|
| Access Control (AC) | 20/22 | Identity-based access control, RBAC, session-level enforcement, least-privilege policies. All enforced at network proxy layer. | Physical access control policies (PE overlap), mobile device policies. |
| Audit & Accountability (AU) | 9/9 | Tamper-evident session logs, user identity attribution, SIEM forwarding, log retention, automated alerting. | None. Full coverage. |
| Configuration Management (CM) | 7/9 | Baseline configuration enforcement, change tracking, overlay network topology versioning. | Software inventory processes, configuration change approval workflows. |
| Identification & Authentication (IA) | 11/11 | MFA enforcement at proxy boundary, identity gateway, credential management, replay-resistant authentication. | None. Full coverage. |
| System & Communications Protection (SC) | 14/16 | TLS/FIPS encryption on CUI paths, deny-by-default, microsegmentation, overlay isolation, session boundary enforcement. | Endpoint DLP for removable media (SC 3.13.16), public-access system separation policies. |
| Incident Response (IR) | 2/3 | Automated incident detection from session anomalies, alert correlation, forensic session replay. | Incident response plan documentation, reporting chain, external notification procedures. |
| Physical Protection (PE) | 0/5 | Not applicable. Network-layer enforcement does not cover physical security. | Facility access control, visitor logs, physical perimeter, environmental controls, delivery/removal procedures. |
| Personnel Security (PS) | 0/2 | Not applicable. Personnel screening is an organizational process. | Background checks, termination procedures, personnel screening. |
| Media Protection (MP) | 0/9 | Not applicable. Physical media handling is outside network enforcement scope. | Removable media policies, sanitization, marking, storage, transport, disposal. |
| Risk Assessment (RA) | 0/3 | Passive asset discovery supports risk visibility. Active vulnerability scanning of OT assets documented as NA with rationale. | Risk assessment processes, vulnerability scanning (documented NA for OT with compensating controls). |
| Total | 87/110 | Network-layer enforcement across IT and OT | Physical, personnel, media, and process controls |
Controls Production Machines Can't Meet Natively.
CNC cutters, labeling systems, quality scanners, and factory controllers cannot run agents, enforce MFA, or generate audit logs. Access Gate provides compensating controls at the network layer for five critical NIST 800-171 requirements.
Multi-Factor Authentication
Production machines, CNC controllers, and quality inspection stations have no native identity stack. Access Gate enforces MFA at the proxy layer before any session reaches the equipment.
Audit Logging
Legacy production equipment generates no audit logs. Access Gate captures tamper-evident session logs with user identity, timestamp, protocol, and payload for every connection.
Encryption in Transit
Industrial protocols on CNC cutters, labeling systems, and factory controllers transmit in plaintext. Access Gate enforces TLS/FIPS encryption on CUI paths.
Access Control
Shop floor equipment accepts any connection on its open port. Access Gate enforces RBAC at the proxy boundary per user, asset, protocol, and time window.
Deny by Default
Production machines and quality scanners have no connection filtering. Access Gate enforces deny-all with explicit allowlist exceptions.
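The two enforcement points above (RBAC per user, asset, protocol and time window; deny-all with explicit allowlist exceptions), together with the tamper-evident session log described under Audit Logging, can be illustrated with a small model of a proxy-boundary decision. The Python below is an added example, not Access Gate's own code; the rule shape, role names, asset identifiers, protocols and shift windows are assumptions constructed for illustration. Every connection attempt is denied unless an explicit rule matches, and each decision is appended to a SHA-256 hash-chained log so a later edit to any entry breaks verification.

```python
# Added example (assumption: not Access Gate's own code). Models a deny-by-default
# access proxy in front of OT equipment: a request is allowed only if an explicit
# allowlist rule matches the caller's role, the target asset, the protocol and the
# time window; everything else is denied. Each decision is appended to a
# SHA-256 hash-chained log so that any later edit to an entry is detectable.
# Asset names, roles, protocols and windows below are constructed for illustration.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AllowRule:
    """One explicit allowlist entry (hypothetical rule shape)."""
    role: str
    asset: str
    protocol: str
    window_start: time  # inclusive, local plant time (assumption)
    window_end: time    # exclusive

    def permits(self, role: str, asset: str, protocol: str, at: datetime) -> bool:
        return (
            self.role == role
            and self.asset == asset
            and self.protocol == protocol
            and self.window_start <= at.time() < self.window_end
        )


@dataclass(frozen=True)
class SessionRequest:
    """What the proxy knows about a connection attempt after the user authenticated."""
    user: str
    roles: frozenset[str]
    asset: str
    protocol: str
    at: datetime


class ProxyPolicy:
    """Deny-by-default: only an explicit AllowRule can yield ALLOW."""

    def __init__(self, rules: list[AllowRule]) -> None:
        self._rules = list(rules)

    def decide(self, req: SessionRequest) -> tuple[str, str]:
        for rule in self._rules:
            for role in req.roles:
                if rule.permits(role, req.asset, req.protocol, req.at):
                    return "ALLOW", f"rule role={rule.role} asset={rule.asset} proto={rule.protocol}"
        return "DENY", "no matching allow rule (deny-by-default)"


class HashChainedLog:
    """Append-only log where each entry's hash covers the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the whole chain; False if any record or link was altered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def gate_session(policy: ProxyPolicy, log: HashChainedLog, req: SessionRequest) -> str:
    """Evaluate one connection attempt and record the outcome with user attribution."""
    decision, reason = policy.decide(req)
    log.append({"user": req.user, "asset": req.asset, "protocol": req.protocol,
                "time": req.at.isoformat(), "decision": decision, "reason": reason})
    return decision


def build_demo_policy() -> ProxyPolicy:
    """Constructed allowlist: operators reach one CNC over Modbus/TCP on first shift,
    maintenance engineers reach it over VNC in the evening window."""
    return ProxyPolicy([
        AllowRule("cnc_operator", "cnc-07", "modbus-tcp", time(6, 0), time(18, 0)),
        AllowRule("maint_engineer", "cnc-07", "vnc", time(18, 0), time(22, 0)),
    ])


if __name__ == "__main__":
    policy, log = build_demo_policy(), HashChainedLog()
    op = frozenset({"cnc_operator"})
    print(gate_session(policy, log, SessionRequest("alice", op, "cnc-07", "modbus-tcp", datetime(2026, 3, 2, 9, 30))))   # ALLOW
    print(gate_session(policy, log, SessionRequest("alice", op, "cnc-07", "modbus-tcp", datetime(2026, 3, 2, 22, 30))))  # DENY (outside window)
    print(gate_session(policy, log, SessionRequest("alice", op, "cnc-07", "vnc", datetime(2026, 3, 2, 9, 30))))          # DENY (protocol not allowed)
    print("log intact:", log.verify())
```

The evaluator never consults a block list: an absent rule is a denial, which is what "deny-all with explicit allowlist exceptions" means at a proxy boundary. The log stores the decision reason alongside the user and asset so an assessor can trace each session to the rule that permitted it; because each hash includes the previous hash, altering or deleting an earlier entry changes every digest after it.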
Related resources: the CMMC on-premise compliance hub (case studies, blog posts, and solution pages for CMMC compliance on existing networks) and the DoD Zero-Trust OT alignment guide (DTM 25-003 pillar mapping for Access Gate across all 7 DoD OT-ZT pillars).
Shared Responsibility Matrix FAQ.
87 of 110 NIST 800-171 controls enforced by Access Gate at the network layer, with full C3PAO evidence generation.
A Shared Responsibility Matrix maps every NIST 800-171 control required for CMMC Level 2 to the party responsible for enforcing it. It tells your C3PAO assessor which controls Access Gate handles at the network layer, which the customer must own through process controls, and which are addressed through compensating controls for OT assets.
CNC mills, laser cutters, labeling systems, quality inspection stations, and other production equipment typically cannot meet controls requiring multi-factor authentication (IA 3.5.3), audit logging (AU 3.3.1/3.3.2), encryption in transit (SC 3.13.8), access control with least privilege (AC 3.1.1/3.1.2), and deny-by-default network communications (SC 3.13.6). These machines lack identity stacks, log daemons, and TLS support. Access Gate provides compensating controls for all five.
A compensating control is an alternative security measure that provides equivalent protection when the standard control cannot be implemented on the asset. For OT, this means enforcing the control at the network layer through a proxy rather than on the device itself. The compensating control must be documented in the SSP with evidence that it provides equivalent protection.
Access Gate enforces 87 of 110 NIST 800-171 controls at the network layer. Coverage is full in Audit and Accountability (9/9) and Identification and Authentication (11/11), and strong in Access Control (20/22), System and Communications Protection (14/16), and Configuration Management (7/9). The remaining 23 controls cover physical security, personnel screening, media handling, and risk assessment processes.
Customer-owned controls fall into four categories: Physical Protection (PE 3.10.1 through 3.10.5) covering facility access and environmental controls, Personnel Security (PS 3.9.1 and 3.9.2) covering background checks and termination procedures, Media Protection (MP) covering removable media and sanitization policies, and Risk Assessment (RA) covering vulnerability scanning processes. These are organizational and physical controls outside the scope of network-layer enforcement.
Provide the SRM to your assessor before the assessment begins. It establishes which controls are enforced by Access Gate (with technical evidence: logs, policy configs, segmentation baselines, session recordings) and which are documented through your organizational processes. This reduces assessment scope ambiguity and gives assessors a clear evidence map.
The base SRM covers the standard Access Gate deployment. Your specific environment may shift some controls between Access Gate-enforced and customer-owned depending on your network architecture, which assets sit behind the Access Gate, and your organizational policies. The Trout team works with you to produce an environment-specific SRM before your assessment.
The SRM is versioned alongside Access Gate releases. When new enforcement capabilities are added, the SRM is updated to reflect additional control coverage. Your account team notifies you of SRM changes that affect your compliance posture. The current version covers Access Gate software as of 2026.
Get Your Environment-Specific Shared Responsibility Matrix.
The Trout team will map the SRM to your facility, your assets, and your compliance timeline. Bring it to your C3PAO with confidence.