CMMC Compliance & The Shared Responsibility Matrix (SRM): Why MSPs Can Make or Break Your Certification
Achieving CMMC compliance is a daunting task, but it becomes even more complicated when you involve Managed Service Providers (MSPs) and Cloud Service Providers (CSPs). One critical tool to make this process manageable and auditable is the Shared Responsibility Matrix (SRM).
During our recent webinar featuring top CMMC experts, the importance of the SRM and how it impacts CMMC assessments was a hot topic. If you rely on MSPs to handle parts of your cybersecurity, understanding and implementing an SRM is non-negotiable.
Here’s what you need to know.
What is a Shared Responsibility Matrix (SRM)?
A Shared Responsibility Matrix (SRM) is a detailed document that clearly defines which cybersecurity responsibilities are managed by your company and which are handled by your MSPs or CSPs. It outlines:
- Inherited Responsibilities: Controls managed entirely by your service provider.
- Shared Responsibilities: Controls where responsibility is split between you and your service provider.
- Customer Responsibilities: Controls you are solely responsible for implementing and managing.
The SRM acts as a roadmap for assessors during a CMMC assessment, providing clarity about who is accountable for each security control.
Webinar Insight:
“If you’re working with an MSP and they don’t have a clear SRM, you’re not going to pass your assessment. It’s one of the most critical artifacts we look at.” — Kelly Kendall, KNC Strategic Services
Why the SRM is Essential for CMMC Compliance
When you outsource parts of your cybersecurity management to an MSP, you cannot simply wash your hands of responsibility. The DoD and CMMC assessors will want to know exactly what your MSP is doing to protect your data and what you’re responsible for.
1. Proving Compliance to Assessors
Assessors need to see a comprehensive SRM to determine whether you are meeting the requirements of NIST 800-171. The SRM helps assessors understand:
- Which controls are covered by the MSP.
- How responsibilities are divided.
- Whether the company has evidence to prove its side of the shared responsibilities.
Webinar Insight:
“The minute we see an MSP involved, our first question is: Where’s the SRM? It determines how we approach the entire assessment.” — Chris Haigh, CMMC Expert
2. Accountability And Liability Protection
An accurate SRM helps you avoid legal trouble by clearly outlining which entity is responsible for specific controls.
- If your MSP fails to meet a requirement they were responsible for, the SRM provides documented proof of responsibility, potentially protecting you from legal and financial consequences.
- Without an SRM, the Department of Justice (DOJ) may hold your company accountable for non-compliance, even if the issue was your MSP’s fault.
3. Streamlining The Assessment Process
A well-prepared SRM can save you time and money during the assessment process. It acts as a blueprint for the assessor to understand your security architecture, reducing misunderstandings and ensuring a smoother certification process.
Webinar Insight:
“When you have a clear SRM, assessors can go through your evidence much more efficiently. If your MSP doesn’t provide one, it’s a red flag.” — Steve Palamara, Lifeline Data Centers
How Assessors Evaluate Your SRM During Assessments
When a CMMC Assessor begins their review, one of the first documents they’ll request is your SRM. Here’s what they’ll be looking for:
1. Clarity of Responsibilities:
- Does your SRM clearly define who is responsible for each of the 110 security controls required by NIST 800-171?
- Are shared responsibilities outlined with specific tasks assigned to each party?
2. Evidence of Implementation:
- Do you have the necessary evidence to prove you are meeting your responsibilities?
- Are there documented processes, policies, and procedures corresponding to each control listed in the SRM?
3. Alignment With Policies & Procedures:
- Does the SRM accurately reflect your internal policies and procedures?
- Is there consistency between your documentation and what is outlined in the SRM?
4. MSP Credentials & Competence:
- Has your MSP demonstrated knowledge of NIST 800-171 and CMMC requirements?
- Can they provide their own certification or proof of compliance if needed?
The Danger of Working with Unqualified MSPs
Not all MSPs understand what it takes to be CMMC-compliant. If your MSP isn’t familiar with the requirements of NIST 800-171, your SRM will likely fall short during an assessment.
Webinar Insight:
“If your MSP doesn’t know what 171 is or how CMMC works, run. They will cost you your certification.” — Chris Haigh, CMMC Expert
Red Flags to Watch Out for:
- An MSP that cannot provide a comprehensive SRM.
- Lack of familiarity with CMMC requirements.
- Inability to offer evidence of compliance for their portion of the controls.
Best Practices for Creating an Effective SRM
To avoid compliance headaches, follow these steps:
1. Work With Qualified MSPs:
- Choose MSPs listed on the Cyber AB Marketplace (cyberab.org).
- Verify their credentials as Certified CMMC Professionals (CCPs) or Certified CMMC Assessors (CCAs).
2. Clearly Define Responsibilities:
- Break down each control into Inherited, Shared, or Customer Responsibilities.
- Clearly document who is responsible for each task and provide evidence where applicable.
3. Regularly Review & Update Your SRM:
- Monitor changes in compliance requirements and update your SRM accordingly.
- Review your SRM with your MSP regularly to ensure alignment.
Simplify Your Compliance Process with USGovCert Tool
Preparing for certification doesn’t have to be a nightmare. The USGovCert Tool can help you:
- Organize and manage your documentation efficiently.
- Streamline the assessment process.
- Easily identify and address gaps in your compliance framework.
- Prepare for assessments effortlessly.
Take a Free Demo of USGovCert Tool Now! — Protect your business from non-compliance and make certification stress-free.