In this nugget, we are delving into the concept of Shared Responsibility as it pertains to Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) and the organizations that leverage these service providers to meet CMMC requirements. As more and more organizations look to CSPs or MSPs to support their compliance and their handling of FCI and CUI, understanding your role in meeting compliance requirements is extremely important. Being a Moderate or High validated CSP or MSP does not automatically make you compliant with CMMC Level requirements.
What is the Shared Responsibility Model?
The Shared Responsibility Model is a fundamental concept in cloud and managed services that delineates the responsibilities of the service provider and the customer. In the context of cloud computing, the model specifies which security measures are the responsibility of the CSP and which are the responsibility of the customer. This model aims to ensure a clear understanding of security obligations and to prevent misunderstandings that could lead to security gaps.
Shared Responsibility Model and CMMC
For organizations seeking to comply with CMMC requirements (specifically those at Level 2) while utilizing a CSP or MSP, a clear understanding of how Shared Responsibility is implemented is paramount. While CSPs and MSPs may provide certain security controls and measures, organizations are still accountable for implementing and maintaining the specific security practices required by CMMC. An example of this is Physical and Environmental controls. Where the hardware utilized by an organization (or a portion of it) resides within a CSP or MSP data center, the requirements to protect against environmental disasters such as flood, earthquake, or fire rest with the CSP or MSP.
Best Practices for Aligning with CMMC using Shared Responsibility
- Understand your Role: Clearly delineate the security responsibilities between your organization and your CSP or MSP. Ensure that you understand which CMMC Level requirements fall under your purview and which are covered by your service provider. A CSP or MSP may even provide you with a placemat or SSP documentation that explicitly identifies which requirements belong to the customer (you) and which to the CSP or MSP.
- Documentation and Communication: Maintain clear documentation of the security measures and controls that your organization is responsible for. Establish open communication with the CSP or MSP to ensure alignment with CMMC requirements.
- Regular Assessment & Review: Regularly assess and review the security measures implemented by your service provider to ensure they align with the CMMC Level requirements targeted. Additionally, ensure that internal audits are conducted to validate compliance with your organization’s responsibilities.
Tips to Working with CSPs and MSPs
When working with CSPs or MSPs, here are a few tips when seeking services:
- Ensure that you understand the security measures the CSP is committed to under the service agreement.
- Validate the CSP’s compliance with industry standards and certifications that are relevant to CMMC.
- Manage the security configurations, user access, and data protection measures within the cloud environment provided by the CSP.
- Define the scope of services and delineate security responsibilities in contractual agreements with the MSP, and ensure that the MSP complies with cybersecurity standards that align with your targeted level of CMMC.
- Institute mechanisms for regular performance and security reporting from the MSP.
The shared responsibility model is a critical aspect of cloud and managed services, particularly for organizations aiming to meet the stringent security requirements of CMMC Level 2. By understanding this model and effectively aligning it with CMMC Level 2 requirements, organizations can enhance their cybersecurity posture and ensure compliance with industry standards.