CMMC Compliance Series: The CMMC Shared Responsibility Matrix
The Cybersecurity Maturity Model Certification (CMMC) is designed to enhance the protection of sensitive information across the defense industrial base. However, for many businesses, especially smaller ones, implementing the full range of required security controls can be overwhelming. Even at the foundational Level 1 of CMMC, organizations are expected to meet 48 security practices, and this number increases to 110 at Level 3. Although CMMC is not yet a mandatory requirement, it is expected to be soon, with the rollout anticipated to begin in Q1 of 2025 and full compliance required by 2028. Preparing now is essential to stay ahead of the curve.
For smaller businesses that may not have extensive internal IT resources, this can create a significant challenge. Managing such a broad set of cybersecurity requirements can feel like an impossible task. However, businesses are not entirely on their own in this journey. One approach to managing these requirements more effectively is through the use of external service providers (ESPs).
Understanding The Challenge
Small businesses typically do not have the same cybersecurity infrastructure or personnel as larger enterprises. For example, a small manufacturing company that supplies parts to a defense contractor might not have a dedicated cybersecurity team. As a result, managing the various aspects of CMMC compliance—such as access control, incident response, and data encryption—can become a significant burden.
To help mitigate this, businesses often turn to external service providers (ESPs), such as Amazon Web Services (AWS), Microsoft Azure, or managed security service providers (MSSPs), to help handle parts of their security requirements. ESPs can offer pre-built security frameworks and tools that assist in meeting CMMC requirements. For example, AWS has built-in encryption services, which can help businesses meet the CMMC control requiring the encryption of sensitive information in transit.
However, relying on ESPs alone is not sufficient for full compliance. This is because cybersecurity responsibility is shared between the business and the service provider. Businesses still need to understand what tasks they are responsible for and what the ESP will handle.
The Role of the Shared Responsibility Matrix
The Shared Responsibility Matrix serves as a guide that clearly outlines which security responsibilities belong to the business and which are handled by the ESP. This matrix is critical for clarifying roles and preventing confusion over who is accountable for specific security tasks. For example, consider a business using Microsoft Azure to host its data. Azure manages the infrastructure, such as physical data centers and cloud servers, but the business itself is responsible for securing the data it uploads to Azure. This could include managing access controls, ensuring that only authorized personnel can access sensitive information, and implementing encryption for the data stored within the cloud.
The shared responsibility model makes it clear that while cloud service providers manage the underlying infrastructure, businesses must still manage how they configure and use these services.
Examples of Shared Responsibilities
1. Data Encryption: While a cloud service provider like AWS may offer encryption tools, the business is responsible for deciding which data needs encryption and ensuring that encryption is configured correctly. If sensitive data is not encrypted as per CMMC requirements, it is the business’s responsibility, not AWS’.
2. Access Control: In a shared responsibility model, an ESP might offer identity and access management (IAM) tools, but it’s up to the business to use those tools to restrict access to sensitive information. For example, a business using Microsoft Azure must configure role-based access control (RBAC) to ensure only authorized users can access specific resources.
3. Incident Response: While many ESPs offer monitoring and alert services, the business is typically responsible for responding to incidents that involve their data or applications. A managed service provider might notify a business of suspicious activity, but it is up to the business to have a plan in place to investigate and respond to potential breaches.
Practical Steps for Implementing the Matrix
Businesses should work closely with their service providers to establish a clear division of responsibilities. This often involves creating contracts or agreements that outline the specific tasks each party will handle. For instance, if a business uses an MSSP to monitor network traffic, the agreement might specify that the MSSP will alert the business to any detected anomalies, but the business is responsible for taking action in response.
Additionally, businesses should document their use of the Shared Responsibility Matrix for compliance purposes. This documentation can serve as evidence during a CMMC audit, demonstrating that the business has taken the necessary steps to clarify responsibilities and is actively managing its security obligations.
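One way to turn the documented matrix into a pre-assessment check, as an added example that is not from this page or from Maverc: it reads an SRM exported as CSV and flags practices with no owner, customer-side work that is not written down, and provider-inherited claims with no evidence reference. The column names and sample rows are constructed assumptions, not a standard SRM format.

```python
"""Check a Shared Responsibility Matrix (SRM) CSV for gaps before a CMMC
assessment. Column layout and sample rows are constructed for this example."""
import csv
import io

# Constructed sample SRM (assumed columns). 'owner' is who performs the
# control: ESP (fully inherited), Customer, or Shared. 'customer_action' is
# what the business itself must still do; 'esp_evidence' names the provider
# artefact that backs the inherited part of the claim.
SAMPLE_SRM = """practice,owner,customer_action,esp_evidence
AC.L1-3.1.1,Shared,Configure Azure RBAC roles and review assignments quarterly,Entra ID platform controls
SC.L2-3.13.8,Shared,Enable TLS on all CUI endpoints and disable legacy ciphers,AWS KMS/ACM services
SC.L2-3.13.16,Customer,,
PE.L1-3.10.1,ESP,,Provider data center physical security attestation
IR.L2-3.6.1,Shared,,MSSP alerting SLA
AU.L2-3.3.1,,,
"""

VALID_OWNERS = {"ESP", "Customer", "Shared"}


def load_srm(text):
    """Parse the CSV text into one dict per practice row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows):
    """Return (practice, finding) pairs. A practice is only defensible at
    assessment time when someone owns it, the customer's own part is
    documented, and any ESP-inherited part points at provider evidence."""
    findings = []
    for r in rows:
        pid = r["practice"]
        owner = r["owner"].strip()
        action = r["customer_action"].strip()
        evidence = r["esp_evidence"].strip()
        if owner not in VALID_OWNERS:
            findings.append((pid, "no owner assigned"))
            continue  # nothing else can be judged without an owner
        if owner in ("Customer", "Shared") and not action:
            findings.append((pid, "customer-side action not documented"))
        if owner in ("ESP", "Shared") and not evidence:
            findings.append((pid, "no ESP evidence reference"))
    return findings


if __name__ == "__main__":
    for pid, msg in find_gaps(load_srm(SAMPLE_SRM)):
        print(f"{pid}: {msg}")
```

Running it against the sample flags SC.L2-3.13.16 and IR.L2-3.6.1 (the business's own steps are missing) and AU.L2-3.3.1 (nobody owns it), which are exactly the rows an assessor would ask about.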
By using a Shared Responsibility Matrix, businesses can not only streamline their CMMC compliance efforts but also ensure a more efficient and effective security strategy. This matrix allows businesses to focus on the aspects of cybersecurity that they are responsible for while relying on ESPs to handle the more technical or infrastructure-based controls. For small businesses, this can make the difference between struggling with compliance and successfully navigating the CMMC requirements.
Understanding how responsibilities are divided is crucial for both compliance and security. By clearly delineating roles and ensuring each party fulfills its obligations, businesses can mitigate risks and ensure they remain compliant with evolving cybersecurity standards.
Maverc Technologies is a Registered Provider Organization experienced in conducting assessments across a variety of cybersecurity frameworks. With deep knowledge of CMMC’s development and evolving requirements, we offer valuable insights and guidance. If you have any questions or need further information, don't hesitate to contact us. You can also schedule a demo of our platform to see how we can assist your organization in meeting its compliance needs.