A local machine shop shouldn’t need a six-figure compliance project just to keep doing business with Spirit or Textron. But that’s where CMMC 2.0 is putting them.
The DoD’s final rule came into force at the end of 2024, and the phased rollout is now landing in real contracts. Any contractor or subcontractor that touches Controlled Unclassified Information has to demonstrate, on paper, that they meet the 110 controls in NIST 800-171. The big primes have been preparing for years. The 30-person shops in their supply chain, mostly, have not.
In Wichita, this is an economic story. We’re the Air Capital — Spirit AeroSystems, Textron Aviation, Bombardier, and Airbus all source here, and the supply chain that makes them work is a long tail of small, often family-owned shops. For a $10M-revenue shop, the realistic Level 2 compliance bill — new infrastructure, identity tooling, ongoing third-party assessments — clears six figures and never goes back to zero. That’s margin, not an IT line item.
The risk that worries me is supplier consolidation. Shops that can’t absorb the cost exit DoD work, get acquired, or close. Wichita’s aerospace ecosystem gets smaller, more fragile, and more expensive — and that hits the primes too. The same pattern plays out in every aerospace town; Wichita’s concentration just makes it visible from where I’m standing.
That’s the problem Janus exists to chip away at.
What Janus is
Janus is an open source Zero Trust admission control service for OT environments — CNC machines, welding robots, SCADA HMIs. It answers exactly one question:
Is this user, on this device, allowed to reach that machine right now?
A request is admitted only if all three gates pass:
- The OT device is in the registry the gateway knows about.
- The user is a member of the Entra ID group required for that device.
- The user has at least one Intune-managed device currently reporting compliant.
If all three pass, Janus issues an 8-hour session ID and (in production) opens a tunnel to the OT device. If any gate fails, access is denied. Every decision — admit or deny — writes one entry to an append-only audit log. That log is the CMMC evidence artifact, by construction.

Why this doesn’t already exist
Enterprise ZTNA products (Zscaler, Cloudflare Access, Entra Private Access) are priced and architected for organizations that have already converged on web and SaaS. They assume the protected resource speaks HTTP, RDP, or SSH. OT gear doesn’t — it speaks Modbus TCP, EtherNet/IP, OPC-UA, and a long tail of vendor protocols specced twenty years before any of this mattered. Janus is small enough to run at a 30-person shop, identity-grounded rather than network-grounded, and protocol-agnostic at the transport layer. It’s a missing architecture, not a missing feature.
How it’s built
The PoC is in PowerShell, and it’s the canonical specification — not a demo. It pins down the decision contract, the data shapes, the gate sequence, and the functional-core / imperative-shell split that makes the admission logic testable without a Graph tenant. A production port translates that behavior; it doesn’t redesign it.
For the production language, C# on ASP.NET Core feels like the obvious starting point — first-class Microsoft.Graph SDK, mature observability story, big hiring pool. F# would be a strong candidate for the admission core itself: discriminated unions for Decision = Admit | Deny, exhaustive pattern matching, and total functions match the audit-completeness property an assessor is going to ask about. None of that is a constraint, though — Go and Rust are reasonable, and a contributor with strong opinions and a willingness to maintain the choice would shape this.
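As an added illustration of the three-gate contract and the functional-core / imperative-shell split described above, here is a sketch in PowerShell, the language of the PoC. This is not code from the Janus repo: the function names (Test-JanusAdmission, Write-JanusAuditEntry), the registry shape, the decision object's fields and the sample user, group and device data are all assumptions. The Graph and Intune lookups are replaced by pre-fetched snapshots passed in as plain data, which is what lets the decision run without a tenant.

```powershell
# Added example, not Janus project code. All names and data shapes below are
# assumptions chosen for illustration; the real decision schema is the repo's.
Set-StrictMode -Version Latest

# --- Functional core: pure function, no I/O, no Graph calls -----------------
# Inputs are snapshots already fetched by the shell. The gates run in the
# order the post lists them and short-circuit on the first failure; a policy
# failure is a Deny decision, never an exception, so every call yields
# exactly one decision object for the audit log.
function Test-JanusAdmission {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DeviceId,          # the OT target
        [Parameter(Mandatory)] [hashtable] $Registry,       # deviceId -> @{ RequiredGroup = '...' }
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $UserGroups,   # Entra ID groups (snapshot)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $UserDevices,  # Intune devices: @{ Id; ComplianceState }
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $gates  = [ordered]@{ DeviceRegistered = $false; GroupMember = $false; CompliantDevice = $false }
    $reason = $null

    # Gate 1: the OT device must be in the registry the gateway knows about
    if ($Registry.ContainsKey($DeviceId)) {
        $gates.DeviceRegistered = $true
        $requiredGroup = $Registry[$DeviceId].RequiredGroup
        # Gate 2: the user must be in the group required for that device
        if ($UserGroups -contains $requiredGroup) {
            $gates.GroupMember = $true
            # Gate 3: at least one Intune-managed device currently reporting compliant
            $compliant = @($UserDevices | Where-Object { $_.ComplianceState -eq 'compliant' })
            if ($compliant.Count -gt 0) { $gates.CompliantDevice = $true }
            else { $reason = 'no compliant Intune device' }
        } else { $reason = "not a member of $requiredGroup" }
    } else { $reason = "device $DeviceId not in registry" }

    $admit = $gates.DeviceRegistered -and $gates.GroupMember -and $gates.CompliantDevice
    [pscustomobject]@{
        Timestamp = $Now
        User      = $UserPrincipalName
        Device    = $DeviceId
        Decision  = if ($admit) { 'Admit' } else { 'Deny' }
        Reason    = if ($admit) { $null } else { $reason }
        SessionId = if ($admit) { [guid]::NewGuid().ToString() } else { $null }
        ExpiresAt = if ($admit) { $Now.AddHours(8) } else { $null }   # 8-hour session
        Gates     = $gates   # which gates passed, so a Deny shows where it stopped
    }
}

# --- Imperative shell: the only place with side effects ---------------------
# Every decision, Admit or Deny, is appended as one JSON line. In the real
# service this is where the tunnel would be opened on Admit; here the audit
# append is the only effect, and it happens for both outcomes.
function Write-JanusAuditEntry {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Decision,
        [string] $Path = (Join-Path ([IO.Path]::GetTempPath()) 'janus-audit.jsonl')
    )
    $line = $Decision | ConvertTo-Json -Compress -Depth 3
    Add-Content -Path $Path -Value $line
}

# --- Constructed sample data standing in for the registry and Graph snapshots --
$registry        = @{ 'cnc-haas-vf2-07' = @{ RequiredGroup = 'OT-CNC-Operators' } }
$operatorGroups  = @('OT-CNC-Operators', 'All-Employees')
$compliantLaptop = @(@{ Id = 'lt-0042'; ComplianceState = 'compliant' })
$staleLaptop     = @(@{ Id = 'lt-0043'; ComplianceState = 'noncompliant' })

$common = @{ UserPrincipalName = 'jdoe@example.com'; DeviceId = 'cnc-haas-vf2-07'
             Registry = $registry; UserGroups = $operatorGroups }
$withCompliantDevice = Test-JanusAdmission @common -UserDevices $compliantLaptop   # all three gates
$withStaleDevice     = Test-JanusAdmission @common -UserDevices $staleLaptop       # gate 3 only fails

foreach ($d in $withCompliantDevice, $withStaleDevice) {
    Write-JanusAuditEntry -Decision $d
    '{0} -> {1} on {2}: {3} {4}' -f $d.User, $d.Device, $d.Decision, $d.Reason, $d.SessionId
}
```

The point of the split is that Test-JanusAdmission takes only data and returns only data, so Pester can drive it through every gate combination with literal hashtables, while Write-JanusAuditEntry (and later the tunnel) is the one thin layer that touches the outside world. Carrying the per-gate results and the deny reason on the decision object means the audit line records which gate stopped the request, which is the question an assessor reading the log will actually ask.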
Where contributors can plug in
- HTTP API and admission engine. POST /admit returning the decision schema. The Pester tests are the conformance suite.
- Graph integration. Workload identity or certificate-based service principal, with token caching.
- Transport plug-in. An actual tunnel keyed off the session ID — YARP, WireGuard, raw TCP proxy.
- Audit sink interface. Local file, SIEM forwarder, MSP control plane — one swappable interface.
- Companion PowerShell management module. A separate repo, Install-Module Janus eventually.
If F# in security is something you’ve been looking for an excuse to write, this is one.
If any of this is interesting:
- Star the repo to follow along.
- Contributors welcome — CONTRIBUTING.md has the inbound license details.
- If you’re a small shop in the Wichita area feeling the CMMC 2.0 squeeze, reach out via the social links on the home page. I’d genuinely like to talk to you.
Apache 2.0. Repo: github.com/spross216/Janus.