Shared Responsibility Matrix

March 24, 2024

Cloud Service Provider's Shared Responsibility Matrix

In today's rapidly evolving digital landscape, safeguarding controlled unclassified information (CUI) within non-federal systems and organizations is more critical than ever. For Department of Defense subcontractors and manufacturers, adhering to the National Institute of Standards and Technology's Special Publication 800-171 Revision 2 is not just a recommendation; it's a requirement.

If you are wrapping up your CMMC Level 2 preparations, here are some pointers to be sure you did not miss any important items.

Let's talk about any Cloud Service Providers that may process, store, or transmit CUI. An example of this would be Microsoft Office 365. If you are using Microsoft Office 365 for email and you transmit CUI in your email, or store CUI using OneDrive, Teams, or SharePoint, you will need to perform due diligence in validating that your Microsoft license is part of the FedRAMP Moderate certification. This applies to any cloud offering you use to process, store, or transmit CUI.

An essential part of FedRAMP certification is that your cloud service provider should supply you with a shared responsibility matrix. The shared responsibility matrix is a list of the NIST SP 800-171 Rev 2 controls that you will need to maintain and prove that you are adhering to.

Here at DataSoftNow, we pride ourselves on the little nuances that may get you. We've been there and we know. If you have any follow-up questions regarding this video, you can post them here at

We look forward to hearing from you.

DFARS 252.204-7012

Implementation of NIST SP 800-171: 

(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DOD Chief Information Officer (CIO), via email at, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

Cloud Service Providers: Paragraph (b)(2)(ii)(D): 

(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline ( and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.