The Challenge

Even modern CNC controllers cannot safely join a corporate domain.

The Solution

NCFirewall™ bridges that gap—providing a compliant and secure way to exchange NC files between servers and CNC machines.

Executive Summary

NCFirewall™ is a secure, auditable file-exchange gateway that bridges the gap between IT-managed servers and CNC controllers in manufacturing environments.

It was developed to fully comply with CMMC 2.0 and NIST 800-171 Rev. 2 requirements, enabling manufacturers to safely transfer NC program files while keeping vulnerable CNC systems isolated from the corporate network.

NCFirewall™ eliminates the need for USB drives or unsecured network shares. Only validated, authorized, and traceable files are exchanged to and from the machines.

It combines modern Windows architecture, compliance-oriented design, and shop-floor usability, making it the first complete solution for compliant CNC file exchange.

Background and Motivation

CNC machines form the operational core of precision manufacturing but operate on operating systems and software stacks that differ radically from enterprise IT.
Many controllers still rely on Windows XP Embedded, Windows 2000, Windows 7, or Windows 10 LTS, and cannot support modern security tools such as antivirus, patch management, or group policy enforcement.

Connecting such systems directly to a domain controller (DC) is unsafe, unsupported, and non-compliant.

NCFirewall™ was conceived specifically to solve this challenge: enabling secure, compliant, and auditable data transfer between modern IT infrastructure and legacy or OEM-locked CNC systems.

Solution Overview

NCFirewall™ acts as a controlled intermediary firewall between the secure server environment and isolated CNC controllers.

It enforces file-transfer policies, validates each file’s authenticity, and maintains a tamper-resistant audit log of every event.

Core Capabilities

  • Secure file handling

    Strict validation and policy enforcement

  • Audit trail

    Complete transaction history in SQLite

  • User feedback

    Machinist notifications for transfer success/failure

  • Network segmentation

    CNC systems reside on a protected subnet

  • Effortless IT integration

    Operates as a regular domain user within Active Directory


How are you connected now?

  • Scenario A: Machines already on LAN

    Nothing changes for the Machinist.

    The workflow of posting G-Codes to the machine remains the same.

    Posting back from the machine gets even more comfortable.

    No Changes - Just compliant now

  • Scenario B: Currently using USB

    Add NCFirewall to your IT infrastructure and LAN connect your machines.

    Now you can access the files through NCFirewall™ right from the machine.

    No lost USB sticks any more.

    No confusion about file versions and revisions.

    No need for sanitization.

    Less hassle, more convenient, and now fully compliant.


Key Features and Advantages

  • CMMC / NIST 800-171 Compliance

    Implements boundary control and logging required for certification.

  • Zero-Trust File Management

    Each NC file must pass structural and syntax validation before release.

  • Centralized Audit Trail

    Every transfer is timestamped, user-linked, and exportable.

  • Machine-Level Configuration

    Per-machine directories, post-back options, and allowed extensions.

  • Secure Quarantine

    Isolates non-compliant or failed transfers.

  • Operator Awareness

    Desktop notifications confirm every action.

Compliance Point-Benefits: With vs Without NCFirewall™

CMMC Level 2 audits evaluate ~110 NIST 800-171 controls. Each control carries 1–5 points; deductions reduce a shop’s score from a possible 110. A passing score typically falls near 88.

Impact of NCFirewall™

| Control Family | Requirement ID | Typical Points | Without NCFirewall™ | With NCFirewall™ |
|---|---|---|---|---|
| AC – Access Control | 3.1.3 | 5 | Unrestricted file flow (Lateral Movement Risk) → −5 pts | Validated, restricted flow → 0 deduction |
| AU – Audit & Accountability | 3.3.1 | 5 | No audit trail for CNC files → −5 pts | Comprehensive logging → 0 deduction |
| MP – Media Protection | 3.8.9 | 5 | USB transfer risk → −5 pts | USB eliminated → 0 deduction |
| SC – System & Comms Protection | 3.13.11 | 5 | No boundary protection → −5 pts | Dedicated OT firewall → 0 deduction |
| CM – Configuration Mgmt | 3.4.8 | 3 | Unverified file changes → −3 pts | Automatic quarantine and validation → 0 deduction |

Potential Improvement

Shops typically lose 20–25 points across these high-value controls.
Deploying NCFirewall™ restores those points—often the difference between failing and passing CMMC Level 2.

Module overview

NCFirewall™ Base License

Base License per shop. Add machine licenses as needed.

  • Can serve 1 to 400 machines


$1,999.00 per year

NCFirewall™ Machine License

Per-Machine License includes posting back functionality

  • Post to machine

  • Posting back from machine

  • File validation for 10+ G-Code dialects


$999.00 initial, $499.00 per year

NCFirewall™ PC Client License

PC Client for Windows 10 LTSC / Windows 11 Pro / Pro Workstation

  • Available as a standalone application or as a plug-in for ShopPortal4


$99.00 initial, $49.00 per year

NCFirewall™ Hardware

Optional Industrial Edge Server Appliance for NCFirewall™

  • Intel Core i7-14700 CPU

  • 16GB DDR5 RAM (up to 64GB optional)

  • 19" rack mount server case with front connections

  • 512GB of storage (optional RAID configurations)

  • Industrial grade monitored fan setup

  • OS Windows 11 Pro Workstation


$3,999.00 incl. 12-month warranty (Extendable)

  • NCFirewall™ is the solution to what customers have been asking me for over a year.
    (Nate Mayhew, DMG-Mori)

  • This solves the compliance problems of legacy controllers.
    (Melissa Jones, GladiusIT)
