Do You Need a Customer Responsibility Model (CRM) — Formerly Known as the Shared Responsibility Model (SRM)?
Any organization that works within the Defense Industrial Base (DIB) has to comply with the cybersecurity requirements outlined in NIST 800-171 under the soon-to-be-finalized CMMC rule. The CMMC rule currently contains 320 assessment objectives that organizations will need to fully comply with in order to bid on and receive contracts from the federal government. According to the DoD, 73% of businesses within the DIB are small- to medium-sized businesses, meaning that a majority of defense contractors will need to enlist the help of a managed service provider (MSP) to attain compliance.
However, it's important that your organization chooses the right MSP: one that is itself CMMC compliant and that clearly outlines its share of responsibility in the implementation of NIST 800-171. This is why a Customer Responsibility Matrix (CRM) is important.
What is a Customer Responsibility Matrix (formerly known as a Shared Responsibility Matrix)?
An MSP's SRM is a document that outlines which controls and requirements are the responsibility of the service provider and which are the responsibility of the organization under contract. If you are an SMB, more likely than not you will not have the resources available to accurately implement the 320 controls under CMMC. An SRM will detail which controls you are responsible for and which ones your provider will cover. In many cases, there will be a shared responsibility where both parties share the burden of a certain objective. Your SRM should be written into the provider-client contract, making it foundational to your relationship.
Is a CRM Required?
If you work with an MSP/ESP or a cloud service provider (CSP), then you will need some form of a CRM per the requirements of NIST 800-171. The most recent CMMC rule "requires contractors and those handling sensitive data (CUI/CDI/CTI/ITAR) on behalf of the DoD to define obligations and responsibilities when using external service providers".
CorpInfoTech's CMMC Compliance Program
CorpInfoTech is a managed service provider that offers IT and cybersecurity solutions to SMBs. Through our CMMC compliance pathway, we offer an SRM that covers two-thirds of the 320 assessment objectives required by CMMC. This puts your organization at an extreme advantage when audit time comes. Our program also offers flexibility for on-prem technology that other enclave-focused services don't provide. This allows us to tailor our services to your unique business and compliance needs.
Learn more about CMMC Compliance by viewing our index of terms and definitions!
Contact CorpInfoTech today to explore the advantages of our CMMC Compliance Program for your organization!