External Providers Operating Model // 12 MIN READ

Shared Responsibility in CMMC: What Your MSP, MSSP, and Internal Team Each Must Prove

The Assessor Does Not Care Who Is Responsible. They Care Who Has the Evidence.

When a C3PAO assessor evaluates a CMMC control, they do not ask which party is responsible for it. They ask whether the control is implemented and whether someone — anyone — can produce the evidence. Shared responsibility models fail at assessment time because the contractor points at the MSP, the MSP points at the contractor, and nobody has the artifact. Here is how to prevent that.

Why Shared Responsibility Fails at Assessment Time

The shared responsibility model is a sensible operating concept. The cloud service provider manages the infrastructure. The managed service provider manages the configuration. The contractor manages the policies and the users. Each party handles the layer they are best equipped to manage.

The problem is that CMMC does not assess layers. It assesses controls — 320 individual assessment objectives across 110 practices. Each objective is scored Met or Not Met based on evidence. The assessor does not evaluate Microsoft's half of a control separately from the contractor's half. They evaluate whether the control, as a whole, is satisfied. If the evidence for the provider's portion is missing, the control is Not Met — even if the contractor's portion is flawless.

The accountability gap: The contractor is responsible for the CMMC certification. The MSP is not being assessed. The cloud provider is not being assessed. But the controls the assessor evaluates depend on all three. If the MSP configured the firewall rules but cannot produce the configuration export, the contractor fails the control — not the MSP. If Microsoft manages the physical security of the GCC High data center but the contractor cannot produce the FedRAMP authorization letter, the physical security control is unsupported. The certification is yours. The evidence burden is yours. The responsibility for collecting it — from every party — is yours.

This is why the phrase "shared responsibility" is misleading for CMMC purposes. It is not truly shared. It is divided responsibility with unified accountability. The contractor divides the work across parties. The contractor is solely accountable for proving all of it to the assessor.

Control Ownership Matrix by Function

A control ownership matrix — sometimes called a Customer Responsibility Matrix (CRM) or a RACI matrix — maps every CMMC control to the party responsible for implementing it, the party responsible for providing evidence, and the party responsible for maintaining it over time. Without this document, the assessment becomes a discovery exercise where the assessor asks about a control and nobody knows who owns it.

In a typical environment with a cloud provider (Microsoft GCC High), a managed service provider (MSP), and the contractor's internal team, the ownership generally falls into these patterns:

Control Domain Cloud Provider MSP / MSSP Contractor
Physical Security (PE) Owns — data center Owns — office facility
Access Control (AC) — identity config Platform capability Configures — CA policies, groups Owns — user provisioning, access reviews
Audit & Accountability (AU) Generates — platform logs Configures — SIEM, log retention Owns — log review, response
System & Comm. Protection (SC) Owns — encryption in transit/rest Configures — DLP, labels Owns — policy, classification
Configuration Management (CM) Platform baselines Configures — Intune, GPO Owns — baseline approval, change mgmt
Incident Response (IR) Reports — platform incidents Detects — monitoring, triage Owns — IR plan, DoD reporting
Risk Assessment (RA) — vuln scanning Executes — scans, remediation Owns — policy, exception approval
Awareness & Training (AT) May deliver — phishing sims Owns — training program, records
Media Protection (MP) Owns — media destruction in DC Owns — removable media, tape, disposal
Personnel Security (PS) Owns — personnel screening (DC staff) Owns — their own staff screening Owns — employee screening, termination
This table is illustrative — every environment is different. The critical exercise is building your own version that reflects your specific provider relationships. For each of the 110 CMMC practices, you must be able to answer: who implements it, who produces the evidence, and where that evidence is stored. If you cannot answer all three for any practice, that practice is a finding risk.

Provider Policies Versus Customer Procedures

A common mistake is treating the provider's documentation as if it automatically satisfies the contractor's obligation. It does not. The provider's policies describe what the provider does. The contractor's procedures describe what the contractor does. Both are needed — and neither substitutes for the other.

Provider Policy

"Microsoft encrypts data at rest with AES-256."

This is documented in Microsoft's FedRAMP SSP and Service Trust Portal. It satisfies the provider's portion of SC.L2-3.13.16 (data at rest). But the assessor will also ask: "Is this encryption FIPS-validated? Which module? How do you verify it?" The contractor must be able to reference the provider's FIPS certificate and explain how it maps to the control — not just point at a marketing page.

Customer Procedure

"We enforce sensitivity labels on all CUI content."

This is the contractor's implementation on top of the provider's platform. Microsoft provides the Purview labeling engine. The contractor configures the label policies, defines the auto-labeling rules, and trains users to apply labels correctly. The provider's capability enables the control. The contractor's procedure implements it. Both must be documented. Both must produce evidence.

The same pattern repeats across every control domain. The provider offers a capability. The MSP may configure it. The contractor defines the policy that governs its use. The assessor evaluates the full chain — capability, configuration, policy, and evidence of operation. If any link is missing, the control is incomplete.

The test: For any control where a provider is involved, ask: "If the provider disappeared tomorrow and I had to explain this control to the assessor using only my own documentation, could I?" If the answer is no — if your only evidence is "our MSP handles that" — you have a documentation gap that must be closed before the assessment.

Evidence Inheritance and What Cannot Be Inherited

In CMMC, certain controls can be partially or fully inherited from a cloud service provider — meaning the provider's FedRAMP authorization satisfies the provider's portion of the control, and the contractor references the provider's authorization as evidence. This is the mechanism that makes cloud-based compliance architectures viable. Without inheritance, every contractor would need to implement every control from scratch, including physical security, infrastructure encryption, and platform-level access controls.

But inheritance has strict limits. The following categories cannot be inherited — they must be implemented and evidenced by the contractor regardless of the provider relationship:

01

User-Level Access Controls

The provider configures the identity platform. The contractor provisions users, assigns roles, performs access reviews, and manages the lifecycle of every account. AC.L2-3.1.1 (limit access to authorized users) cannot be inherited because the provider does not know which of your users should have access to which resources. That is your decision, your configuration, and your evidence.

02

Security Awareness Training

No provider can train your employees on your CUI handling policies. AT.L2-3.2.1 and AT.L2-3.2.2 require role-based security awareness training with documented completion records. This is 100% contractor-owned. Even if your MSP delivers phishing simulations, the training program, content, tracking, and evidence of completion belong to you.

03

Incident Response Plan and Execution

Your MSSP may detect and triage security events. But the incident response plan — including the 72-hour DoD reporting obligation under DFARS 7012(c) — is the contractor's responsibility. IR.L2-3.6.1 requires an operational IR capability that the contractor owns and exercises. Delegation of detection is not delegation of response. The contractor must own the plan, the decision-making authority, and the reporting obligation.

04

Risk Assessment and POA&M Ownership

Risk assessments (RA.L2-3.11.1) and the Plan of Action and Milestones are organizational artifacts. The MSP may contribute vulnerability scan data and remediation guidance, but the risk assessment judgment — which risks to accept, which to remediate, which to escalate — belongs to the contractor. The POA&M is the contractor's document, signed by the contractor's senior official.

05

Policy Documents

Every CMMC control family requires an organizational policy — access control policy, audit policy, incident response policy, and so on. These policies describe the contractor's intent and operating rules. They cannot be generic templates from the MSP. They must reflect the contractor's actual environment, actual procedures, and actual risk decisions. The MSP can help draft them. The contractor must own, approve, and maintain them.

The inheritance trap: Contractors who rely heavily on their MSP sometimes assume that if the MSP "handles security," the security controls are covered. They are not. The MSP's work is valuable — but it does not produce the contractor's policies, the contractor's training records, the contractor's access review evidence, or the contractor's incident response plan. Those artifacts must exist independently, and they must be in the contractor's possession before the assessment.

Contracts, SLAs, and Right-to-Audit Language

The legal agreement between the contractor and each provider is the foundation of the shared responsibility model. If the contract does not specify the provider's security obligations, the provider has no contractual obligation to meet them — and no obligation to produce evidence when the assessor asks.

Every contract with an MSP, MSSP, or cloud provider that touches CUI should include the following provisions:

Clause 01 Scope of Services
Explicit enumeration of which systems the provider manages, which data the provider accesses, and which CMMC control domains the provider contributes to. Vague language like "managed IT services" is insufficient — the scope must map to the responsibility matrix.
Clause 02 NIST 800-171 Compliance
A clause requiring the provider to implement and maintain NIST SP 800-171 controls for the services they deliver — or to provide evidence of equivalent compliance (FedRAMP authorization, SOC 2 Type II with relevant trust principles, or their own CMMC certification if applicable).
Clause 03 Evidence Production
An obligation for the provider to produce configuration exports, log samples, compliance reports, and other evidence artifacts within a defined timeframe when requested for CMMC assessment purposes. Without this clause, the provider may refuse or delay — and the assessment timeline does not wait.
Clause 04 Right to Audit
The contractor's right to audit the provider's compliance posture — either directly or through a mutually agreed third party. This may include reviewing the provider's own SSP, vulnerability scan results, access control configurations, and personnel screening records. For cloud providers, FedRAMP authorization serves as the audit equivalent.
Clause 05 Incident Notification
A requirement for the provider to notify the contractor of any security incident affecting the contractor's data or systems within a defined timeframe — typically 24 hours or less. The contractor cannot meet the 72-hour DoD reporting obligation if the provider takes a week to disclose an incident.
Clause 06 Personnel Requirements
Restrictions on which provider personnel can access the contractor's CUI environment — including U.S. person requirements if ITAR data is involved, background check requirements, and restrictions on subcontracting to fourth parties without prior approval.
If it is not in the contract, it does not exist. An MSP's verbal assurance that they "follow NIST 800-171" is not evidence. A contractual obligation, backed by a responsibility matrix and an evidence production schedule, is evidence. Get it in writing before the assessment — not during it.

Overseas Staff, Subcontractors, and Access Restrictions

One of the most consequential — and most overlooked — aspects of the shared responsibility model is who at the provider has access to the contractor's CUI environment. The physical location and citizenship status of provider personnel can determine whether the entire architecture is ITAR-compliant or not.

Risk

MSP with Overseas NOC or Helpdesk

Many MSPs operate 24/7 by staffing a network operations center in a lower-cost overseas location. If those staff members have admin credentials to the contractor's GCC High tenant, Azure AD, or firewall — they have access to CUI. If the CUI includes ITAR-controlled data, access by non-U.S. persons violates export control regulations. This is not a CMMC finding — it is a criminal liability.

Risk

MSP Subcontracting to a Fourth Party

The contractor contracts with MSP-A. MSP-A subcontracts backup management to MSP-B. MSP-B's technician has admin access to the backup server that holds CUI. The contractor has no contract with MSP-B, no visibility into MSP-B's security posture, and no control over MSP-B's personnel. But MSP-B's access to CUI puts MSP-B in the assessment boundary as an ESP — and the contractor is accountable for documenting it.

Mitigations must be contractual and technical — not just policy-based:

  • Contractual restriction — The MSP contract must prohibit subcontracting of services that involve CUI access without the contractor's prior written approval. Every subcontractor must be identified and their access scope documented.
  • U.S. person requirement — For ITAR environments, the contract must require that all provider personnel with access to CUI are U.S. persons (citizens or lawful permanent residents). The provider must be able to attest to this.
  • Named personnel list — The contractor should maintain a list of provider personnel authorized to access the CUI environment. Changes to the list require notification. New personnel require screening verification.
  • Technical access controls — Conditional access policies, IP restrictions, or privileged access workstations that limit provider access to managed, auditable channels. If the MSP can VPN in from any device at any location, the access control is the weakest link in the chain.
  • Access logging and review — Every provider login to the CUI environment must be logged and periodically reviewed by the contractor. If the MSP accesses your Azure AD at 3 AM from an overseas IP, you need to know — and you need to have a process for investigating it.

Building an Assessor-Ready Responsibility Map

The deliverable that ties all of this together is a single document — or a structured set of documents — that the assessor can reference to understand who owns each control, where the evidence lives, and how the contractor verified the provider's compliance. Here is what that package looks like:

Document 01 Responsibility Matrix
A table mapping all 110 CMMC practices to the responsible party (cloud provider, MSP, contractor, or shared) with the evidence source for each. For shared controls, specify which portion each party owns. This is the master reference the assessor will use to trace every control to its evidence.
Document 02 Provider Inventory
A list of every external party with access to or responsibility for any part of the CUI environment: name, services provided, contract reference, FedRAMP or compliance status, and the controls they contribute to. Include cloud providers, MSPs, MSSPs, backup providers, and any fourth-party subcontractors.
Document 03 Provider Evidence Binder
For each provider: the FedRAMP authorization letter (or equivalent), the Customer Responsibility Matrix from the provider, relevant SOC 2 reports, and any configuration evidence the provider has produced. For Microsoft GCC High, this includes the FedRAMP SSP reference and the M365 CRM. For the MSP, this includes their evidence of background checks, access control configurations, and incident notification procedures.
Document 04 Interconnection Agreements
For each provider connection to the CUI environment: the data flow, the access method, the authentication mechanism, and the security controls applied. This feeds the SSP's interconnection section and demonstrates that every external access point is documented, controlled, and monitored.
Document 05 Annual Review Record
Evidence that the responsibility matrix, provider inventory, and provider evidence binder are reviewed at least annually — or whenever a provider relationship changes. A dated review record with the reviewer's name and any updates made. Stale documentation is nearly as bad as no documentation.
Start building this package now — not two weeks before the assessment. Collecting provider evidence takes time. The FedRAMP authorization letter may require a formal request. The MSP's configuration exports may require coordination. The contract amendments may require legal review. Every week of delay reduces your ability to produce a complete package by assessment day.

The Bottom Line

Shared responsibility in CMMC is an operating model — but it is not a compliance model. The contractor holds the certification, the contractor sits in the assessment, and the contractor must produce the evidence for every control, including the controls that providers implement on their behalf. The MSP's work is valuable. The cloud provider's FedRAMP authorization is essential. But neither absolves the contractor of the obligation to document, verify, and present the complete control environment.

The contractors who pass assessments cleanly are the ones who build the responsibility matrix before they need it, put the evidence obligations in the contract before they sign it, collect the provider evidence before the assessor asks for it, and review the entire package annually to make sure nothing has drifted.

When the assessor asks "who is responsible for this control?" the only correct answer is: "We are — and here is how we verified that every party did their part." That answer requires a responsibility matrix, a provider evidence binder, and the contractual authority to demand both. Build those before the assessment. Not during it.

Related Articles

CMMC and MSPs: Scope, Shared Responsibility, and EvidenceChoosing CMMC Consultants and C3PAOsCMMC Conflicts of Interest: Assessor vs Consultant RulesHow to Write a CMMC System Security Plan (SSP)CMMC Backups: When Recovery Media Becomes In Scope