Organizations using an MSP are required to have a Shared Responsibility Matrix for CMMC 2.0 and NIST 800-171
If you are using an MSP or MSSP for CMMC compliance, you are required to show an assessor a Shared Responsibility Matrix defining obligations and responsibilities for both your organization and the company that supports you.
Small and medium Aerospace and Defense organizations supporting the Department of Defense (DoD) are moving to external service providers to satisfy current DoD requirements such as CMMC 2.0, NIST 800-171, and DFARS 7012.
CMMC 2.0 requires contractors and those handling sensitive data (CUI/CDI/CTI/ITAR) on behalf of the DoD to define obligations and responsibilities when using external service providers for current compliance mandates.
The goal of this guide is to equip readers with answers to the following questions:
- What % of responsibility does my organization have if we're using external service providers for compliance?
- What questions should I be asking my Managed Service Provider (MSP)?
- Why am I required to have a Shared Responsibility Model / RACI Matrix for CMMC 2.0 compliance?
A proper Shared Responsibility Matrix (SRM) is the #1 indicator of your likelihood to pass a CMMC assessment
An SRM is required for CMMC 2.0 compliance (by assumption and reference)
An SRM provides assurance to both assessors and business owners
Key insights in this download:
- The responsibilities of external service providers and organizations seeking certification (OSCs) are clearly defined for successful completion of CMMC assessments
- The Summit 7 team analyzed the 1,524 assessable objects listed in NIST SP 800-171A to determine correct RACI assignments
- This download highlights Summit 7 work packages that address large percentages of the assessment objectives defined in CMMC 2.0 and NIST 800-171
If you have any questions you can contact our team here.
Achieving CMMC 2.0 Compliance With The Shared Responsibility Model
2 Parade St NW
Huntsville, AL 35806
256.585.6868
info@summit7.us
cmmc@summit7.us