The CMMC Level 2 Shared Responsibility Matrix and Its Integration with Your System Security Plan

Key Takeaways

  • Clear AO Ownership: The SRM assigns responsibility for every CMMC Level 2 Assessment Objective, ensuring the OSC, ESP, or both are clearly accountable.
  • Complete SSP Alignment: Integrating the SRM with the SSP ensures each AO is fully documented, supported with evidence, and tied to the correct responsible party.
  • Assessment Efficiency: A unified SSP-SRM structure helps assessors quickly understand control ownership, scope, and ESP involvement.
  • Reduced Compliance Risk: The SRM prevents assumptions about outsourced responsibilities, reducing the chance of gaps or “Not Met” findings.
  • Demonstrated Due Diligence: Including the SRM shows the OSC has thoroughly evaluated ESP dependencies and understands all CMMC Level 2 obligations.

SRM’s Core Function in CMMC

The Cybersecurity Maturity Model Certification (CMMC) Level 2 Certification assessment includes requirements related to External Service Providers (ESP) that are in scope for the assessment. When an Organization Seeking Certification (OSC) outsources part of its IT or cybersecurity functions to an ESP, the overall responsibility for CMMC compliance does not disappear. The Shared Responsibility Matrix (SRM) ensures that every assessment objective (AO) has an assigned owner, which is critical for a successful CMMC assessment.

The SRM formally documents the division of labor between the OSC and ESP across the 110 security requirements (controls) and their 320 Assessment Objectives (AO). The SRM is required for CMMC Level 2 assessments and categorizes the responsibility for each AO as one of the following:

  • OSC Responsibility (Inherited None): The OSC is solely responsible for implementing, managing, and maintaining the AO (e.g., creating the System Security Plan (SSP), documenting how the AO is met, and implementing the AO consistent with the documentation).
  • ESP Responsibility (Inherited Full): The ESP is solely responsible for implementing the AO, and the OSC inherits that compliance (e.g., physical security of the cloud data center). These AOs are still in scope and will be assessed based upon the classification of the ESP.
  • Shared Responsibility (Inherited Partial): The implementation of the AO requires actions from both the OSC and the ESP. This requires the most detail within the SSP to clearly define what specific tasks are assigned to each party (e.g., the ESP manages the security information and event management (SIEM) tool, but the OSC is responsible for investigating alerts and managing incident response).

A robust SRM is detailed and must align with the CMMC AOs to be acceptable to a CMMC Third-Party Assessor Organization (C3PAO). The following table provides an example of the information that should be documented within the SRM.

Why the SRM Must Be Integrated with the SSP for CMMC

Clarifies Control Ownership
  • CMMC requires that all 320 AOs of the CMMC Level 2 practice areas be implemented and documented.
  • When using third-party providers (e.g., cloud, MSP, MSSP), some AOs may be shared or fully outsourced.
  • The SRM explicitly defines who is responsible for each AO, the organization or the ESP. This ensures that there are no gaps in the SSP documentation of how all 320 AOs are met.
Supports Accurate SSP Documentation
  • The SSP must describe how each AO is implemented.
  • If an AO is shared or outsourced, the SSP should reference the SRM to show:
    • Which party has responsibility for implementing and maintaining the AO.
    • What evidence supports compliance with the AO.
    • How oversight is maintained.
Streamlines CMMC Assessments
  • The CMMC Certified Assessor (CCA) needs to verify that all 110 CMMC controls and 320 AOs are documented within the SSP.
  • An integrated SRM helps the CMMC Certified Assessor (CCA) quickly understand:
    • The division of responsibilities.
    • The scope of the organization’s CMMC implementation.
    • The role of ESPs.
Reduces Compliance Risk
  • Without an SRM, organizations may assume an ESP is handling and has met an AO when they have not.
  • This can lead to assessment failures or “Not Met” findings.
  • Integration ensures transparency and accountability.
Demonstrates Due Diligence
  • Including the SRM in the SSP shows that the organization:
    • Understands its CMMC Level 2 AO obligations.
    • Has formally assessed and documented ESP dependencies and accountabilities.
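As an added example (not from the article or the firm it describes), a small Python gap check over an SRM structured around the three inheritance categories defined above: it flags AOs with no recognised owner, shared AOs that do not spell out both parties' tasks, ESP-dependent AOs that name no ESP or evidence, and AOs missing from the matrix altogether. The AO identifiers, ESP names and evidence strings are constructed sample values.

```python
from dataclasses import dataclass

# The three inheritance categories the article assigns to each AO.
VALID_CATEGORIES = {"Inherited None", "Inherited Partial", "Inherited Full"}


@dataclass
class SrmEntry:
    ao_id: str            # AO identifier (sample ids below are constructed)
    category: str         # one of VALID_CATEGORIES
    osc_tasks: str = ""   # what the OSC does for this AO
    esp_tasks: str = ""   # what the ESP does for this AO
    esp_name: str = ""    # which ESP is relied upon (Partial/Full only)
    evidence: str = ""    # artefact the SSP references for this AO


def check_srm(entries, expected_ao_ids):
    """Return (ao_id, finding) pairs for every gap an assessor would flag."""
    findings, seen = [], set()
    for e in entries:
        seen.add(e.ao_id)
        if e.category not in VALID_CATEGORIES:
            findings.append((e.ao_id, "no valid responsibility category"))
            continue
        if e.category == "Inherited None" and not e.osc_tasks:
            findings.append((e.ao_id, "OSC-owned AO has no implementation description"))
        if e.category == "Inherited Partial" and not (e.osc_tasks and e.esp_tasks):
            findings.append((e.ao_id, "shared AO must list both OSC and ESP tasks"))
        if e.category != "Inherited None" and not e.esp_name:
            findings.append((e.ao_id, "ESP-dependent AO does not name the ESP"))
        if not e.evidence:
            findings.append((e.ao_id, "no evidence reference for the SSP"))
    # Every AO the SSP must cover needs a row; a missing row means no owner.
    for ao in sorted(set(expected_ao_ids) - seen):
        findings.append((ao, "AO absent from SRM: no assigned owner"))
    return findings


# Constructed sample SRM (four rows) and the AO list the SSP must cover.
SAMPLE_ENTRIES = [
    SrmEntry("AO-001", "Inherited None", osc_tasks="OSC maintains the SSP", evidence="SSP section 3.1"),
    SrmEntry("AO-002", "Inherited Full", esp_name="CloudCo", evidence="CloudCo data center attestation"),
    SrmEntry("AO-003", "Inherited Partial", osc_tasks="OSC investigates SIEM alerts",
             esp_name="MSSP-X", evidence="SIEM runbook"),   # ESP tasks never written down
    SrmEntry("AO-004", "handled by vendor"),                 # not a recognised category
]
EXPECTED_AOS = ["AO-001", "AO-002", "AO-003", "AO-004", "AO-005"]

if __name__ == "__main__":
    for ao_id, finding in check_srm(SAMPLE_ENTRIES, EXPECTED_AOS):
        print(f"{ao_id}: {finding}")
```

Run against the sample data it reports three gaps: AO-003 (shared row lacking ESP tasks), AO-004 (no valid category) and AO-005 (absent from the matrix).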

For OSCs that depend upon ESPs (CSP, MSP, MSSP, etc.) to meet CMMC Level 2 certification requirements, the SRM is a key component of CMMC 2.0 compliance.

McKonly & Asbury is proactive in assessing key documents and provides detailed feedback on any component that does not meet the CMMC AO requirements. To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Elaine Nissley or Mike Murray regarding our services.

About the Author

Ed Bensinger

Ed joined McKonly & Asbury in 2025 and is currently a Supervisor with the firm. He is a member of the firm’s Cybersecurity Maturity Model Certification (CMMC) Assessment team. Ed is a highly credentialed cybersecurity professional, as well as a seasoned entrepreneur and technology expert, having previously owned Bensinger Consulting for 24 years. Through this practice, he delivered IT and cybersecurity solutions and partnered directly with C-level executives as a trusted advisor to achieve and maintain regulatory compliance, offer strategic guidance and technical solutions, and implement other cybersecurity goals.
