Key Points
- Cloud platforms, MSPs, and client organizations each own distinct portions of the required security controls in CMMC compliance, and no single party can deliver full compliance on its own.
- Cloud platforms are responsible for physical data center security, infrastructure availability, and baseline platform controls, but they cannot address how systems are configured, accessed, or used within a specific organization’s environment.
- MSPs are the critical compliance layer between platform capabilities and operational control. They are responsible for configuring secure systems, managing privileged access, enforcing security policies, and supporting systems that store or process CUI.
- Even with MSPs and cloud platforms in place, the client organization retains ultimate CMMC compliance responsibility, including defining security policies, approving configurations, maintaining governance, and ensuring all controls are documented.
- A CMMC shared responsibility matrix maps all 110 NIST SP 800-171 controls to a defined owner across the organization, MSP, and platform.
- CMMC compliance tools and RMM platforms support audits by providing system visibility and configuration enforcement, but they must be properly configured and actively managed.
Cybersecurity Maturity Model Certification (CMMC) compliance is often misunderstood as a product or platform capability. In reality, it is a shared responsibility model where multiple parties contribute to control implementation and enforcement.
Cloud providers, MSPs, and client organizations each play distinct roles in meeting CMMC requirements. Because of this, you need to create a CMMC shared responsibility matrix to ensure that roles are clearly defined and everyone knows what they’re responsible for.
What does shared responsibility mean in CMMC?
In the context of CMMC, shared responsibility refers to the division of control and ownership across the different entities involved in a single environment. Responsibility is generally shared between:
- The client organization
- The MSP
- The underlying platform or service provider
It’s important to remember that no single party will provide you with full compliance on its own. Each entity is responsible for a different aspect of security and compliance. Not understanding the role everyone has can lead to gaps. Don’t assume that a control is covered. Instead, you have to check in with all parties involved and ensure that all policies are being actively enforced.
What platforms are responsible for in CMMC
Platforms are mainly responsible for maintaining your underlying infrastructure. This generally includes:
- Maintaining the physical data center and keeping it secure
- Ensuring that the infrastructure is available and resilient against negative events
- Protecting their core network and hardware to avoid outages
- Maintaining baseline platform-level security controls
Some platforms may also go above and beyond that by providing compliance-aligned services and certifications. However, it’s important not to rely on platform compliance alone. At the end of the day, it’s only part of a broader and more comprehensive model. Platform compliance won’t involve more minute details, such as how systems are configured or used in your specific environments.
What MSPs are responsible for in CMMC
If platforms are responsible for maintaining the underlying infrastructure, MSPs are in charge of implementing and managing controls on the platforms being used in the client environment. This will involve:
- Configuring and maintaining secure systems
- Managing access controls and privileged accounts
- Enforcing security policies across all endpoints
- Supporting systems that store or process Controlled Unclassified Information (CUIs)
Your MSPs are a critical layer between platform capabilities and operational compliance. They’re a key part in ensuring that you keep your data safe and secure.
What the client organization remains responsible for in CMMC
Even with all the support coming from platforms and MSPs, the client will still maintain a degree of responsibility when it comes to compliance. They’re the ones who know their needs best and how to fulfill them.
Typical client responsibilities include:
- Defining security policies and requirements
- Approving system configurations and access controls
- Maintaining governance and oversight
- Ensuring all controls in their environments are implemented and documented
CMMC compliance, especially for defense contractors, can never be outsourced entirely. Full responsibility will always, at the end of the day, still remain with the organization that’s being assessed and not anyone else.
Where responsibility overlaps in CMMC
Of course, when it comes to compliance, cooperation and collaboration are always necessary. For example, access control will always be defined by the client, but it’s the MSP who has to enforce it. Maintaining full governance and oversight, as well as incident response, will involve all parties, and ensuring all controls are implemented will involve both the client and the MSP.
How to map responsibilities in CMMC environments effectively
Organizations need to map control ownership. This will avoid confusion and ensure that all parties involved know what they’re supposed to be doing. Best practices include:
- Defining control ownership for each requirement
- Documenting shared responsibilities clearly
- Aligning services with specific compliance requirements
- Validating that all controls are always being actively enforced
Mapping these shared responsibilities ensures that your MSP’s client compliance solutions align with your organization’s audit expectations. It also reduces ambiguity when assessments and audits occur.
The role of tools and platforms in supporting compliance
The platforms and tools you use can support compliance and audits, but they don’t replace responsibility. CMMC compliance tools for MSPs and integrated RMM + compliance solutions can:
- Provide visibility into system status
- Support the enforcement of security configurations
- Assist with documentation and validation
However, you need to remember that tools have to be properly configured and managed. Otherwise, they’re not contributing that much to compliance. Responsibility for actually using and operating them will still lie with the MSP and client.
How shared responsibility impacts audits
In a CMMC assessment, auditors will evaluate how responsibilities are implemented in a specific environment. They’ll do the following things:
- Identify who owns each control
- Validate that controls are being correctly implemented
- Confirm that responsibilities are being clearly defined
Shared responsibility is key to CMMC success
CMMC compliance depends on a shared responsibility model. This will involve platforms, MSPs, and client organizations. A clear definition of responsibilities, proper mapping of control ownership, and alignment between services and requirements are essential in ensuring you get successful compliance outcomes.
Related topics:
