/
/

Shared Responsibility in CMMC: What MSPs vs Platforms Must Handle

by Ann Conte, IT Technical Writer
Shared Responsibility in CMMC What MSPs vs Platforms Must Handle

Key Points

  • Cloud platforms, MSPs, and client organizations each own distinct portions of the required security controls in CMMC compliance, and no single party can deliver full compliance on its own.
  • Cloud platforms are responsible for physical data center security, infrastructure availability, and baseline platform controls, but they cannot address how systems are configured, accessed, or used within a specific organization’s environment.
  • MSPs are the critical compliance layer between platform capabilities and operational control. They are responsible for configuring secure systems, managing privileged access, enforcing security policies, and supporting systems that store or process CUI.
  • Even with MSPs and cloud platforms in place, the client organization retains ultimate CMMC compliance responsibility, including defining security policies, approving configurations, maintaining governance, and ensuring all controls are documented.
  • A CMMC shared responsibility matrix maps all 110 NIST SP 800-171 controls to a defined owner across the organization, MSP, and platform.
  • CMMC compliance tools and RMM platforms support audits by providing system visibility and configuration enforcement, but they must be properly configured and actively managed.

Cybersecurity Maturity Model Certification (CMMC) compliance is often misunderstood as a product or platform capability. In reality, it is a shared responsibility model where multiple parties contribute to control implementation and enforcement.

Cloud providers, MSPs, and client organizations each play distinct roles in meeting CMMC requirements. Because of this, you need to create a CMMC shared responsibility matrix to ensure that roles are clearly defined and everyone knows what they’re responsible for.

What does shared responsibility mean in CMMC?

In the context of CMMC, shared responsibility refers to the division of control and ownership across the different entities involved in a single environment. Responsibility is generally shared between:

  • The client organization
  • The MSP
  • The underlying platform or service provider

It’s important to remember that no single party will provide you with full compliance on its own. Each entity is responsible for a different aspect of security and compliance. Not understanding the role everyone has can lead to gaps. Don’t assume that a control is covered. Instead, you have to check in with all parties involved and ensure that all policies are being actively enforced.

What platforms are responsible for in CMMC

Platforms are mainly responsible for maintaining your underlying infrastructure. This generally includes:

  • Maintaining the physical data center and keeping it secure
  • Ensuring that the infrastructure is available and resilient against negative events
  • Protecting their core network and hardware to avoid outages
  • Maintaining baseline platform-level security controls

Some platforms may also go above and beyond that by providing compliance-aligned services and certifications. However, it’s important not to rely on platform compliance alone. At the end of the day, it’s only part of a broader and more comprehensive model. Platform compliance won’t involve more minute details, such as how systems are configured or used in your specific environments.

What MSPs are responsible for in CMMC

If platforms are responsible for maintaining the underlying infrastructure, MSPs are in charge of implementing and managing controls on the platforms being used in the client environment. This will involve:

  • Configuring and maintaining secure systems
  • Managing access controls and privileged accounts
  • Enforcing security policies across all endpoints
  • Supporting systems that store or process Controlled Unclassified Information (CUIs)

Your MSPs are a critical layer between platform capabilities and operational compliance. They’re a key part in ensuring that you keep your data safe and secure.

What the client organization remains responsible for in CMMC

Even with all the support coming from platforms and MSPs, the client will still maintain a degree of responsibility when it comes to compliance. They’re the ones who know their needs best and how to fulfill them.

Typical client responsibilities include:

  • Defining security policies and requirements
  • Approving system configurations and access controls
  • Maintaining governance and oversight
  • Ensuring all controls in their environments are implemented and documented

CMMC compliance, especially for defense contractors, can never be outsourced entirely. Full responsibility will always, at the end of the day, still remain with the organization that’s being assessed and not anyone else.

Where responsibility overlaps in CMMC

Of course, when it comes to compliance, cooperation and collaboration are always necessary. For example, access control will always be defined by the client, but it’s the MSP who has to enforce it. Maintaining full governance and oversight, as well as incident response, will involve all parties, and ensuring all controls are implemented will involve both the client and the MSP.

How to map responsibilities in CMMC environments effectively

Organizations need to map control ownership. This will avoid confusion and ensure that all parties involved know what they’re supposed to be doing. Best practices include:

  • Defining control ownership for each requirement
  • Documenting shared responsibilities clearly
  • Aligning services with specific compliance requirements
  • Validating that all controls are always being actively enforced

Mapping these shared responsibilities ensures that your MSP’s client compliance solutions align with your organization’s audit expectations. It also reduces ambiguity when assessments and audits occur.

The role of tools and platforms in supporting compliance

The platforms and tools you use can support compliance and audits, but they don’t replace responsibility. CMMC compliance tools for MSPs and integrated RMM + compliance solutions can:

  • Provide visibility into system status
  • Support the enforcement of security configurations
  • Assist with documentation and validation

However, you need to remember that tools have to be properly configured and managed. Otherwise, they’re not contributing that much to compliance. Responsibility for actually using and operating them will still lie with the MSP and client.

How shared responsibility impacts audits

In a CMMC assessment, auditors will evaluate how responsibilities are implemented in a specific environment. They’ll do the following things:

  • Identify who owns each control
  • Validate that controls are being correctly implemented
  • Confirm that responsibilities are being clearly defined

Shared responsibility is key to CMMC success

CMMC compliance depends on a shared responsibility model. This will involve platforms, MSPs, and client organizations. A clear definition of responsibilities, proper mapping of control ownership, and alignment between services and requirements are essential in ensuring you get successful compliance outcomes.

Related topics:

FAQs

No. A cloud platform can’t make an organization fully CMMC compliant on its own. Organizations must still implement, document, and manage the people and process controls that the platform cannot address. CMMC compliance is environment-specific and organization-owned. The platform provides the foundation, not the certification.

Yes. MSPs share compliance responsibility for any CMMC controls they directly implement, configure, or manage within a client’s environment. If an MSP manages endpoints, identity systems, or security tools that are within the CMMC assessment boundary, those controls are assessed as part of the client’s certification. MSPs that handle Controlled Unclassified Information (CUI) on their own systems may also require their own independent CMMC Level 2 certification.

A shared responsibility matrix is not explicitly mandated by name in the CMMC Level 2 requirements, but it is effectively essential in any environment that uses MSPs, cloud platforms, or external service providers. CMMC assessors require that every control in the System Security Plan (SSP) has a documented owner, and a shared responsibility matrix is the standard mechanism for capturing that ownership across multiple parties.

A CMMC shared responsibility matrix is a structured document that maps each of the 110 NIST SP 800-171 security controls to the party responsible for implementing and maintaining it. It works alongside the SSP to give assessors a clear picture of how compliance obligations are distributed across the entire technology environment.

CMMC Level 1 requires organizations to implement 15 basic cybersecurity practices drawn from FAR 52.204-21, focused on protecting Federal Contract Information (FCI), and is satisfied through an annual self-assessment with executive affirmation in the Supplier Performance Risk System (SPRS).

CMMC Level 2 requires full implementation of all 110 security controls from NIST SP 800-171. It’s designed to protect Controlled Unclassified Information (CUI), and requires a third-party assessment by a certified C3PAO for prioritized programs rather than self-attestation.

You might also like

Ready to simplify the hardest parts of IT?