Back to Blog

The IoT and OT Blind Spot in Your CMMC Assessment Scope

BomberJacket Networks
4 min read
The IoT and OT Blind Spot in Your CMMC Assessment Scope

Most defense contractors can tell you where their CUI lives on file servers, in email, in their GCC High tenant. Far fewer can tell you what the smart thermostat, the badge reader, the shop floor CNC controller, or the warehouse sensor network can reach on that same network.

That gap matters more than it used to. Under CMMC Level 2, your assessment scope is not defined by what you consider "IT." It is defined by what can process, store, or transmit CUI, and by what connects to the assets that do. IoT and OT devices routinely fail that second test, and they do it quietly.

Why IoT and OT devices are a scoping problem, not just a security problem

The security weaknesses of embedded devices are well documented. Most ship with minimal or no security controls, and the underlying issues have not changed in years:

They often cannot be patched. Many IoT devices run legacy or vendor-locked firmware with no meaningful update path. A vulnerability discovered today stays exploitable for the life of the device. NIST 800-171 expects you to identify and remediate flaws in a timely manner. A device that cannot be remediated forces a different answer: isolate it or replace it.

They rarely encrypt anything. Data moving to and from these devices frequently travels in the clear. If that traffic crosses network segments that also carry CUI, you have a FIPS-validated encryption conversation coming, and it will not be a short one.

They ship with default credentials. Weak default passwords that never get changed remain one of the most common footholds attackers find. Identification and authentication controls apply to every device on an in-scope network, not just the ones with keyboards.

They resist monitoring. OT and IoT ecosystems are diverse and often invisible to standard endpoint tooling. If you cannot see the device, you cannot log it, and audit and accountability requirements start slipping through your fingers.

How an assessor will look at it

When a C3PAO assessment team walks your environment, one of the first exercises is validating your asset inventory and network diagrams against reality. Undocumented devices on in-scope network segments are exactly the kind of finding that stalls an assessment.

The scoping guidance gives you workable categories: CUI assets, security protection assets, contractor risk managed assets, and specialized assets. OT, IoT, and IIoT devices generally land in the specialized asset category, which comes with a lighter documentation burden, but only if you have actually identified them, documented them in your SSP, and shown how your risk-based policies address them. A specialized asset you never inventoried is not a specialized asset. It is a surprise, and surprises during an assessment rarely break in your favor.

Segmentation is the difference maker. A flat network where the break room smart TV can route to the file share holding export-controlled drawings puts everything in scope together. A properly segmented environment, with OT and IoT isolated behind documented boundaries, keeps your assessment scope tight and your control implementation defensible.

What to do before assessment day

  1. Inventory everything with an IP address. Not just workstations and servers. Cameras, printers, sensors, controllers, badge systems, building automation. If it talks on your network, it goes on the list.
  2. Map what each device can reach. The question is not "does this device hold CUI." It is "can this device reach anything that does."
  3. Segment ruthlessly. Put OT and IoT on isolated VLANs with explicit, documented rules for anything that must cross the boundary.
  4. Kill default credentials and document the exceptions. Where a device cannot support proper authentication, isolate it and record the risk decision.
  5. Write it into the SSP. Specialized assets need to appear in your inventory, your diagrams, and your policies. That is what turns a liability into a documented, defensible scoping decision.

Where we fit

BomberJacket Networks has spent over 25 years building and securing networks for organizations that cannot afford to get this wrong, and as an authorized C3PAO we see how scoping decisions play out on assessment day. Whether you need help finding the devices you forgot you had, designing the segmentation that keeps them out of scope, or preparing the documentation that proves it, that is work we do every week.

If your shop floor and your CUI enclave share a network and nobody has looked closely at what is between them, that is worth an hour of your time before an assessor makes it worth much more.

Need Help with CMMC Compliance?

BomberJacket Networks is Minnesota's only C3PAO-authorized MSP with 25 years of expertise. Get a free consultation to assess your CMMC compliance readiness.

Continue Reading