CMMS Software for IT and OT Managers in Manufacturing


CMMS for IT and OT managers: cloud architecture requirements, network security for OT connectivity, data sovereignty, integration standards, and what to validate before sign-off.

IT and OT Requirements for CMMS Deployment in Manufacturing

CMMS deployment in manufacturing sits at the intersection of IT and OT — a zone of increasing complexity as cloud systems connect to plant-floor control networks.

IT Requirements Checklist

  • SOC 2 Type II certification (minimum), ISO 27001 preferred
  • Data residency and GDPR/CCPA compliance documentation
  • SSO and identity management (Active Directory, Azure AD, Okta)
  • Network security architecture for OT connectivity
  • SLA commitments for uptime and support response

OT Requirements Checklist

  • PLC and SCADA connectivity method (OPC-UA, Modbus, or proprietary)
  • Network segmentation compliance — cloud CMMS should not require direct firewall rules from OT network to public internet
  • Edge gateway architecture for collecting machine data without exposing OT systems
  • Vendor's experience with ISA/IEC 62443 industrial cybersecurity standards

The CMMS procurement process frequently involves IT signing off on security without OT involvement — or vice versa. Both patterns create costly post-contract implementation problems.

Network Architecture and OT Security for Cloud CMMS

The central network security question: how does machine data move from the OT network to the cloud platform? Three architectures exist:

  • Direct PLC-to-cloud: Simple but requires outbound firewall rules from OT network — prohibited by many OT security standards
  • Edge gateway (recommended by ISA/IEC 62443 and NIST): Dedicated device in the DMZ between OT and IT networks collects PLC data and forwards to cloud, maintaining OT network isolation
  • MES intermediary: CMMS pulls data from an existing MES or historian system that already sits on the IT network — maintains OT isolation without new edge hardware
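To make the difference between these architectures checkable, the following Python audit (an added example, not from the original page or any vendor's tooling) flags firewall allow rules that create a direct OT-to-internet path or expose OT to inbound internet traffic, while accepting the OT-to-DMZ and DMZ-to-cloud hops of the edge gateway pattern. The zone CIDRs, rule format and sample rules are constructed assumptions; each allow rule is judged on its own, with default deny assumed and rule ordering not modelled.

```python
import ipaddress

# Constructed zone map (assumption): replace with your own addressing plan.
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),   # PLC / SCADA networks
    "dmz": ipaddress.ip_network("10.20.0.0/24"),  # edge gateway sits here
    "it": ipaddress.ip_network("10.30.0.0/16"),   # MES / historian, business systems
}

def zones_touched(cidr):
    """Return every zone a CIDR overlaps; 'internet' if it extends beyond all zones."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")
    return touched

def audit(rules):
    """Return (rule_id, finding) for allow rules that break OT isolation."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        if "ot" in src and "internet" in dst:
            findings.append((rule["id"], "ot-to-internet"))   # direct PLC-to-cloud
        if "internet" in src and "ot" in dst:
            findings.append((rule["id"], "internet-to-ot"))   # OT exposed inbound
    return findings

# Constructed sample rule set (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    {"id": "R1", "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.10/32", "port": 4840},
    {"id": "R2", "action": "allow", "src": "10.20.0.10/32", "dst": "203.0.113.25/32", "port": 443},
    {"id": "R3", "action": "allow", "src": "10.10.5.20/32", "dst": "203.0.113.25/32", "port": 443},
    {"id": "R4", "action": "allow", "src": "any", "dst": "10.10.0.0/16", "port": 502},
    {"id": "R5", "action": "deny", "src": "10.10.0.0/16", "dst": "any", "port": 0},
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
```

R1 and R2 together form the edge gateway path (OPC-UA from the cell network to the DMZ gateway, then HTTPS from the gateway to the cloud) and pass; R3 and R4 are flagged.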

What to Ask Every CMMS Vendor

Request a network architecture diagram showing exactly where connectivity occurs and which architecture they support. Vendors who cannot produce this diagram have not thought through the OT security implications of their integration approach.

Data Sovereignty, Integration Standards, and IT Sign-Off Checklist

Use this checklist to complete your CMMS vendor security review:

  • Data residency: Written confirmation of where data is processed and stored, matching your data residency requirements
  • SOC 2 Type II report: Within last 12 months — review Section 7 (Availability) and Section 9 (Confidentiality) specifically
  • Penetration testing: Summary of most recent third-party pentest and remediation status
  • API security: OAuth 2.0 with token expiry and rate limiting — not API key authentication without expiry
  • Integration standards: OPC-UA support for modern PLC connectivity + Modbus TCP for legacy equipment
  • Data export: Bulk data export in CSV/JSON without vendor involvement, which protects your exit rights
  • Backup and recovery: RPO under 1 hour, RTO under 4 hours for production environments
  • Vendor access log: A log of all vendor access to your environment, available to your team on demand
