Shared Responsibility Matrix

In the CMMC (Cybersecurity Maturity Model Certification) context, a Shared Responsibility Matrix (SRM) should exist between the Organization Seeking Certification (OSC) and any Managed Service Provider (MSP)—and by extension, also with any GRC platform the OSC uses if it impacts implementation or evidence collection for CMMC controls. Here’s how this typically breaks down:

MSP–OSC Shared Responsibility Matrix

  • Required if the MSP provides services impacting CMMC-relevant systems (e.g., managing Entra ID, EDR, backups, logging, patching).

  • The OSC must demonstrate which CMMC practices are:

    • Fully implemented by the MSP,

    • Jointly implemented (e.g., endpoint protection configured by MSP but deployed on OSC-owned systems),

    • The sole responsibility of the OSC.

This SRM is vital evidence during a C3PAO assessment to prove that all CMMC requirements are covered—either directly or through contracts.

GRC Platform Role (e.g., CyberComply)

  • GRC software itself does not fulfill requirements, but it supports evidence collection, task management, documentation, and workflows.

  • If the GRC is provided, configured, or managed by an MSP, it becomes part of the MSP–OSC SRM.

  • If the OSC uses it independently, no formal SRM with the GRC provider is usually necessary unless:

    • The GRC stores/processes FCI/CUI (which triggers additional compliance obligations under DFARS 252.204-7012 and NIST 800-171).

    • The provider claims shared responsibility in security control implementation.

Summary

Get In Touch


Contact us to learn how CyberComply can assist your DIB organization with CMMC certification requirements.