Shared Responsibility Matrix

Cloud Service Provider's Shared Responsibility Matrix

In today's rapidly evolving digital landscape, safeguarding controlled unclassified information (CUI) within non-federal systems and organizations is more critical than ever. For Department of Defense subcontractors and manufacturers, adhering to the National Institute of Standards and Technology's Special Publication 800 171 Revision 2 is not just a recommendation—it's a requirement.DFARS

If you are wrapping up your CMMC Level 2 preparations, here are some pointers to be sure you did not miss any important items.

Let's talk about any Cloud Service Providers that may process, store, or transmit CUI. An example of this would be Microsoft Office 365. If you are using Microsoft Office 365 for email and you transmit CUI in your email, or store CUI using OneDrive, Teams, or SharePoint you will need to perform the due diligence in validating that your Microsoft Licenses is part of the FedRAMP Moderate certification. This would apply to any Cloud offering that you process, store, or transmit CUI.

An essential part of FedRAMP certification is your cloud service provider should supply you with a shared responsibility matrix. The shared responsibility matrix is a list of the NIST SP 800 171 Rev 2 controls that you will need to maintain and prove that you are adhering to them.

Here at DataSoftNow, we pride ourselves on the little nuances that may get you. We've been there and we know. If you have any follow up questions regarding this video, you can post them here at

We look forward in hearing from you.

DFARS 252.204-7012

Implementation of NIST SP 800-171: 

(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DOD Chief Information Officer (CIO), via email at, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

Cloud Service Providers: Paragraph (b)(2)(ii)(D): 

(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security  requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline ( and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.



CMMC 2.0

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is a certification process developed by the Department of Defense (DoD) to assess the cybersecurity practices of organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the DoD. CMMC requires that government contractors protect their Controlled Unclassified Data (CUI) by implementing the NIST SP 800-171 controls and having them verified by a CMMC Third-Party Assessment Organization (C3PAO). With the recent release of CMMC 2.0, it's important for organizations to understand the changes and how it can affect their business.

The CMMC model includes 14 domains of cybersecurity practices, such as access control, incident response, and Maintenance. Each level includes a set of requirements and practices that organizations must meet in order to achieve certification at that level. One of the major changes in CMMC 2.0 is the introduction of a new certification level, Level 3. This new level will require organizations to demonstrate a greater level of maturity and capability in their cybersecurity practices. Additionally, CMMC 2.0 also includes new requirements for incident response, risk management, systems and communications protection, and cybersecurity governance. The certification process involves an assessment of an organization's cybersecurity practices by a third-party assessor, who will evaluate whether the organization is meeting the requirements for the level of certification being sought. The new version also features a new certification process, where the certifying body will have more control over the assessment process and will be responsible for the selection of the assessors, and the scheduling and conduct of the assessment, which allows more flexibility and responsiveness to the organization’s needs.

It's important to note that the CMMC certification is mandatory for certain contracts and not for others. Organization’s that handle FCI or CUI for the DoD must comply with the new requirements if they want to continue doing business with the DoD. Implementing the CMMC framework can bring many benefits to an organization. It can help improve the overall security posture by identifying and mitigating vulnerabilities, and it can also help organizations to comply with other regulatory requirements such as the Federal Risk and Authorization Management Program (FedRAMP) and the Health Insurance Portability and Accountability Act (HIPAA). Obtaining a CMMC certification can also bring a competitive advantage for organizations, as it demonstrates to customers and partners that the organization is taking cybersecurity seriously and that it is committed to protecting sensitive information.

To Summarize, the CMMC is a certification process that assesses the cybersecurity practices of organizations that handle FCI or CUI for the DoD, it provides a standard for measuring the maturity and capability of an organization's cybersecurity practices and it helps ensure that DoD suppliers are following best practices to protect sensitive information. Organizations that handle FCI or CUI for the DoD must comply with the new requirements if they want to continue doing business with the DoD, and it can bring many benefits to the organization such as improving overall security posture and gaining competitive advantage.


Written By: Chris Gonzalez, RP