Shared Responsibility Matrix - The Role of OSC in Meeting CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) sets the benchmark for cybersecurity preparedness for organizations within the defense industrial base. As Organizations increasingly adopt cloud technologies, secured cloud enclaves by Managed Security Service Providers (MSSP) have become prominent tools for meeting CMMC standards. However, the onus of compliance doesn’t just rest on the technologies provided; it significantly lies in how Organizations Seeking Certification (OSC) utilize these environments. This blog explores the OSC’s responsibilities in leveraging MSSP to ensure CMMC compliance.

Understanding Secured Cloud Enclaves

Secured cloud enclaves are controlled environments within a public or hybrid cloud designed to secure sensitive data (such as Controlled Unclassified Information) and operations from unauthorized access and threats. These enclaves may employ advanced security measures such as encryption, fine-grained access control, continuous monitoring, etc., offering enhanced security and meeting some CMMC requirements from day one. For an OSC, these enclaves provide a robust framework for protecting Controlled Unclassified Information (CUI) but do not take the OSC responsibilities of fully protecting customer CUI data.

OSC Responsibilities in CMMC Compliance

While MSSP equips clients with the tools necessary for securing data, achieving and maintaining compliance largely rests with the OSC. An OSC must create a shared responsibility matrix (SRM) identifying MSSP’s responsibilities in achieving CMMC compliance. The SRM must be a part of the System Security Plan, a mandatory document for meeting CMMC compliance. Here are a few of the key areas where OSC’s responsibilities manifest:

1. Understanding CMMC Requirements: OSC must thoroughly understand the specific CMMC-level requirements applicable to their operations. This includes knowing the security controls and processes that must be implemented and maintained.
2. Data Governance and Classification: While the MSSP will implement overall security controls, the OSC will classify their data and determine how the MSSP should implement controls based on that classification. The OSC must identify what qualifies as CUI and ensure it is appropriately handled and protected within the cloud enclave by the MSSP.
3. Access Control (Practice ID: AC): The MSSP may implement controls based on CMMC AC practices, such as identifying only the authorized users of the applications or systems. However, the OSC must provide an accurate list of authorized users and updates to implement controls for the right users. This involves defining up-to-date users’ roles and ensuring access to information based on their correct roles based on the principle of least priviledge.
4. Security Training and Awareness (Practice ID: AT): Secured cloud enclaves can only be effective if they know potential security risks and best practices. The onus will fall mostly on the MSSP to ensure that all their support staff has undergone formal training. The MSSP staff must recognize potential internal and external threats to protect OSC and DoD assets. The OSC will be responsible for putting a formal process in place for communication and action should a security event occur. ?
5. Incident Response and Recovery (Practice ID: IR): OSCs should have a proactive incident response and disaster recovery plan that aligns with CMMC requirements. While the OSC is responsible for creating an Incident Response (IR) policy and plan and participating in any IR activities, the MSSP will configure the information system to alert for potential indicators of potential environmental breaches. The MSSP should periodically perform tabletop exercises and the OSC (annually recommended) to test and validate the organization’s IR plan and effectiveness.
6. System and Communication Protection (Practice ID: SC): Continuous monitoring of the CUI environment is crucial. OSC should regularly ask for the status of security events and/or alerts. However, the MSSP will provide OSC with information about communication with internal and external systems in a document with corresponding controls.

The Benefits of Proper Utilization

By fulfilling these responsibilities as an OSC and sharing responsibilities with an MSSP, OSCs enhance their security and align closely with CMMC standards, facilitating smoother assessments and certifications. Secured cloud enclaves are powerful, but their effectiveness depends on vigilant and informed OSC management.

The shift to cloud computing presents challenges and opportunities in cybersecurity compliance. Secured cloud enclaves offer significant advantages in safeguarding CUI and assisting in CMMC compliance. However, the efficacy of these tools is contingent upon the diligent efforts of the OSC to understand, implement, and maintain the required security measures. As such, OSCs must take a proactive stance in managing their part of the compliance equation, ensuring that they not only meet but exceed the rigorous standards set forth by the CMMC.