Beyond VPN for CMMC Compliance
Your VPN handles tunnel encryption. CMMC requires additional controls on top of that: per-session authorization, per-asset audit logging, and deny-by-default segmentation. Access Gate adds these controls natively, working alongside or replacing your existing VPN.
What VPNs cover and what they don't
A VPN creates an encrypted tunnel between a remote user and your network. That satisfies the encryption requirement. But CMMC also requires per-asset access control, session-level audit trails, and microsegmentation within the network. These are separate controls that VPNs were not designed to provide. A C3PAO assessor will ask: who accessed this CNC machine last Tuesday? What commands did they send? How long was the session? Your VPN logs the tunnel. Access Gate logs the session.
What Your VPN Covers vs. What You Still Need
The comparison below covers six NIST 800-171 controls relevant to remote access. Your VPN addresses encryption. Access Gate adds the remaining controls that assessors expect to see in OT environments.
VPN grants tunnel-level access. Once connected, the user can reach every resource on the network segment. No per-asset, per-protocol, or per-session authorization.
Access Gate authorizes each session individually. RBAC policies restrict access by user, asset, protocol, port, and time window. A vendor gets access to one CNC machine on Modbus TCP only.
VPN logs tunnel establishment: user connected at timestamp. It does not log what the user accessed, which commands were sent, or which assets were reached inside the tunnel.
Access Gate logs every session with user identity, source, destination asset, protocol, command payload, and duration. Logs are tamper-evident and forwarded to SIEM.
Most VPNs support MFA at tunnel establishment. But once the tunnel is open, subsequent connections to internal resources are not re-authenticated. One MFA check covers unlimited internal access.
Access Gate enforces MFA per session. Each connection to a new asset requires re-authentication through the identity gateway. Compromised sessions cannot pivot to other resources.
VPN default is allow-all within the tunnel. The user can reach any IP on the remote subnet. Firewall rules can restrict this, but most deployments route the full subnet.
Access Gate default is deny-all. Only explicitly authorized user-to-asset connections are permitted. Everything else is dropped and logged. No implicit trust within the overlay.
VPN encrypts the tunnel. This satisfies SC 3.13.8 for the tunnel segment. However, traffic inside the remote network after the tunnel terminates is unencrypted.
Access Gate encrypts user-to-proxy with FIPS-validated TLS. The plaintext segment between proxy and OT asset is isolated in a micro-DMZ with no lateral paths.
VPN creates a point-to-point tunnel that bypasses network boundaries. Remote users appear as local hosts. This undermines segmentation and DMZ architecture.
Access Gate enforces boundaries through overlay microsegmentation. Remote users access resources through per-asset proxies. They never appear on the local network.
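The per-session authorization, deny-by-default, per-session MFA and tamper-evident audit rows above describe a policy model rather than a product API. The following is an added example, written for this page and not Access Gate's own code, that models that policy model in plain Python: an explicit allow-list keyed on user, asset, protocol, port and time window; anything unmatched is denied; MFA is checked on every session rather than once per tunnel; and each decision produces an audit record whose SHA-256 is chained to the previous record so that deleted or edited entries are detectable. All names, policy fields, the hash-chain scheme and the sample vendor/asset data are constructed assumptions for illustration.

```python
"""Illustrative deny-by-default session authorization with a chained audit log.

Added example, not Access Gate's code. Policy fields, names and sample data
are constructed for this example; the hash chain is one simple way to make a
log tamper-evident and is an assumption, not a description of the product.
"""
from dataclasses import dataclass
from datetime import datetime, time
import hashlib
import json


@dataclass(frozen=True)
class Policy:
    """One explicit allow rule. Any request not matched by a rule is denied."""
    user: str
    asset: str          # identifier of the OT asset behind the proxy
    protocol: str       # e.g. "modbus-tcp"
    port: int
    window_start: time  # local time window within which access is permitted
    window_end: time


@dataclass(frozen=True)
class SessionRequest:
    user: str
    source_ip: str
    asset: str
    protocol: str
    port: int
    requested_at: datetime
    mfa_verified: bool  # checked for every session, not once per tunnel


def _in_window(t: time, start: time, end: time) -> bool:
    """Inclusive window; also handles windows that cross midnight (22:00-06:00)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def authorize(req: SessionRequest, policies: list[Policy]) -> tuple[bool, str]:
    """Deny by default: only an exact (user, asset, protocol, port) match inside
    its time window allows the session. Returns (allowed, reason)."""
    if not req.mfa_verified:
        return False, "mfa-required"
    for p in policies:
        if (p.user, p.asset, p.protocol, p.port) == (req.user, req.asset, req.protocol, req.port):
            if _in_window(req.requested_at.time(), p.window_start, p.window_end):
                return True, "policy-match"
            return False, "outside-time-window"
    return False, "no-matching-policy"


def audit_record(req, allowed, reason, prev_hash, commands=(), duration_s=0):
    """Session log entry with the fields an assessor asks for (who, from where,
    which asset, protocol, what was sent, how long), chained to the prior hash."""
    body = {
        "user": req.user, "source": req.source_ip, "asset": req.asset,
        "protocol": req.protocol, "port": req.port,
        "time": req.requested_at.isoformat(),
        "decision": "allow" if allowed else "deny", "reason": reason,
        "commands": list(commands), "duration_s": duration_s,
        "prev_hash": prev_hash,
    }
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


def verify_chain(records):
    """Recompute every hash and confirm each record points at its predecessor."""
    prev = "0" * 64
    for r in records:
        if r["prev_hash"] != prev:
            return False
        body = {k: v for k, v in r.items() if k != "hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True


# Constructed sample policy: one vendor, one CNC machine, Modbus TCP only, business hours.
POLICIES = [Policy("vendor-acme", "cnc-07", "modbus-tcp", 502, time(8, 0), time(18, 0))]


def run_demo():
    """Evaluate five constructed requests and return the chained audit log."""
    src = "203.0.113.10"  # constructed sample source address
    reqs = [
        SessionRequest("vendor-acme", src, "cnc-07", "modbus-tcp", 502, datetime(2024, 5, 7, 10, 15), True),   # in scope, in window
        SessionRequest("vendor-acme", src, "cnc-07", "ssh", 22, datetime(2024, 5, 7, 10, 20), True),           # wrong protocol
        SessionRequest("vendor-acme", src, "plc-02", "modbus-tcp", 502, datetime(2024, 5, 7, 10, 25), True),   # pivot to another asset
        SessionRequest("vendor-acme", src, "cnc-07", "modbus-tcp", 502, datetime(2024, 5, 7, 22, 30), True),   # outside window
        SessionRequest("vendor-acme", src, "cnc-07", "modbus-tcp", 502, datetime(2024, 5, 8, 9, 0), False),    # MFA not completed
    ]
    log, prev = [], "0" * 64
    for r in reqs:
        allowed, reason = authorize(r, POLICIES)
        cmds = ("read-holding-registers 40001..40010",) if allowed else ()
        rec = audit_record(r, allowed, reason, prev, cmds, 240 if allowed else 0)
        log.append(rec)
        prev = rec["hash"]
    return log


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["decision"], rec["asset"], rec["protocol"], rec["reason"])
```

Only the first request is allowed; the same vendor trying a different protocol, a different asset, an out-of-hours time or a session without MFA is denied and each denial is still logged, which is the "denied-access records" evidence mentioned later on the page. Running verify_chain over the log after changing any field of an earlier record returns False.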
Add Zero Trust Controls in Four Steps
Deploy Alongside
Install Access Gate on your network. Keep the VPN running. Both operate in parallel. No disruption to existing remote access.
Proxy Critical Assets
Route CUI-handling assets through Access Gate proxies. CNC machines, production controllers, and quality systems get identity-based access control. VPN users continue accessing non-CUI resources.
Migrate Users
Move remote users and vendors from VPN to Access Gate. Each gets scoped access to specific assets, specific protocols, specific time windows. MFA enforced per session.
Consolidate or Keep Both
Once CUI-handling access routes through Access Gate, you can keep the VPN for general access or consolidate. Either way, your C3PAO evidence is already being generated: session logs, policy configs, denied-access records.
Typical migration takes 1-2 weeks for the CUI boundary. Non-CUI remote access can remain on VPN if desired. The two systems coexist without conflict.
See the Migration in Action
We can walk through your VPN topology and map the migration path for your specific environment.
CMMC Shared Responsibility Matrix
Full NIST 800-171 control breakdown: what Access Gate enforces vs. what VPNs miss.
FIPS-Validated Encryption
Cipher suites, TLS configuration, and CMMC SC 3.13.8 evidence.
Remote Access Solution
Zero-Trust remote access for vendors, contractors, and technicians.
VPN + CMMC FAQ
There are five additional NIST 800-171 controls beyond encryption that CMMC requires for remote access. Access Gate adds all five natively.
Yes. Access Gate and your VPN can coexist. Many organizations start by routing CUI-handling assets through Access Gate while keeping the VPN for general remote access. This reduces migration risk and gives you CMMC compliance on the CUI boundary immediately.
Access Gate supports vendor access, technician remote maintenance, and employee remote work. The difference is granularity: instead of granting subnet-level access, each user gets scoped access to specific assets on specific protocols. A vendor servicing a CNC machine gets Modbus TCP access to that machine only.
Access Gate does not use tunnels. Each session is an individually authorized, logged, and encrypted connection from the user to a specific asset through the proxy. There is no tunnel to split. Internet-bound traffic stays on the user's local network. Only authorized connections to specific assets route through Access Gate.
You can decommission it after migration, or keep it for non-CUI access. Access Gate deploys as a separate appliance or VM. It does not require changes to your VPN infrastructure during the transition.
Vendor access improves. Instead of granting a VPN tunnel to your network, the vendor gets a scoped session to the specific machine they are servicing, with MFA, session recording, and time-limited access. The session log shows exactly what they did. This satisfies CMMC AU 3.3.1 and AC 3.1.1 simultaneously.
Yes. Access Gate supports site-to-site overlay connections between facilities. Each site runs its own Access Gate, and the overlay network connects them with encrypted tunnels. Access policies are enforced at each site independently.
Access Gate proxy adds sub-millisecond latency per session establishment. Once established, throughput is comparable to direct connections. For industrial protocols operating at 10ms scan cycles, the overhead is not measurable. For bulk file transfers, throughput depends on the Access Gate hardware model.
Close the Gap Between Your VPN and CMMC
The Trout team can review your current VPN setup, identify which CMMC controls need additional enforcement, and show you how Access Gate fills the gap in a live demo.
Request a Demo