Articles

What is a Shared Responsibility Matrix?

Heather Engel
Director of Strategic Security
This article is written based on CMMC version 1.02, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

Heather Engel, cuick trac’s Director of Strategic Security was recently featured as a guest on Cyber Security with Dana Mantilia's 123 CMMC podcast.

This episode is about understanding the scope and responsibilities when working with managed service providers, and understanding how business processes drive compliance and risk management.

Heather has over 20 years of technology, information security, and regulatory compliance experience in both government and commercial environments.

She is a recognized expert in DFARs cybersecurity clauses, FedRAMP, NIST frameworks including NIST SP 800-171, PCI, and 23 NYCRR 500.

Her industry certifications including CISSP, CISM and CISA and she is a frequent guest and contributor to blogs, podcasts, and articles.

Below is a transcript of the podcast episode:

Dana Mantilia: (01:56)

We have a good topic today that sometimes maybe doesn't get as much thought that really it needs to have. We're going to talk about the scope and responsibility matrix. All right. So our first question is, why might a company choose to use a managed service provider or enclave solution for DFARs to CMMC?

Heather Engel: (02:12)

The really simple answer to this question is that a lot of the businesses that we work with are not in the business of IT. They're in the business of manufacturing or services. This isn't their area of expertise, and it can be very resource-intensive, as we all know to implement these controls. 

Not even just the implementation, the interpretation, first of all, can be something that's beyond the abilities of what a lot of companies have in-house. Effectively, you don't know what you don't know. 

Working with a managed service provider or implementing an enclave solution that you know is going to be right for protecting your information can be really useful. It can be a cost-effective solution because remember, if you start to think about the cost of all the different tools that you might need to implement when you're working through these controls, everything from a SIM to a configuration management tool, to malware, antivirus, all of those things, those packages can really start to add up if you've got a do-it-yourself situation going on. That may or may not be the route that you want to take.

Dana Mantilia: (03:23)

Also, getting the words of wisdom from an expert in the area, as opposed to trying to navigate the waters yourself. I think that's a tough road to hold there. 

Speaking with professionals is definitely a good idea. What is a shared responsibility matrix, and why is it necessary?

Heather Engel: (03:39)

This is something we recommend to all of our clients that are working with any kind of MSP or within an enclave solution. 

We see pretty commonly service level agreements, and this says, if we're managing your systems for you, we'll let you know before we take it down for maintenance, you'll have guaranteed uptime, that's also really common with cloud services. 

The shared respond responsibility matrix is a little bit different because what that's going to do is identify the tasks that are required, and it's going to assign responsibility. 

For example, if we look at NIST 8001-71 in the identification and authentication family, control 3.5.5 is a great example of one that requires both a policy decision, and a technology decision.

This is prevent reuse of identifiers, and so we have to not only define the period that we aren't going to reuse our identifier, but we also have to then implement a technical solution to make sure that that doesn't happen. That's a great example of a control that's clearly a shared responsibility.

As a business owner, I need to say I'm not going to reuse identifiers for X amount of time and very often, the answer is we just don't reuse them, but then I've got to figure out how I'm going to make that happen and what's the technology behind that? 

Configuration management is another good example. That's something that might be almost entirely the responsibility of the managed service provider, but in many cases, your company is going to have specific software or hardware that they have to use so you're going to have to work together to understand what those baselines are going to look like.

Dana Mantilia: (05:13)

We talked about this before, but just the idea of it being completely on the MSP you can't do that either, and if somebody comes in and says, oh, we're going to take care of this 100%, that's impossible to do because when you're putting people involved in anything, this is not just a technology component of it.

There's also the policies and the people and the devices and stuff like that. Be leery if somebody says that.

Dana Mantilia: (06:06)

All right. What are some things to watch for when evaluating solutions and how does the SRM help with that?

Heather Engel: (06:11)

Well, you just brought it up: one of the key things to watch out for is anyone that tells you that they're providing a 100% solution and you don't have to do anything. 

This is the easy button over here. That's always something to watch out for. That may be true, that might be the situation, but you've got to ask the question, and you've got to really be able to pick that apart. 

An easy way to do that is to say, well, let me see the shared responsibility matrix because your understanding or my understanding is that this requires both policy and technology. If your solution doesn't also include those policies, it's not a 100% solution. 

Obviously, we want to look at things like the price. There's going to be wide variances in different levels of solutions. You may need a smaller solution that hosts your data one way, or you might need a solution that encompasses your entire network. That again goes back to talking a little bit about what's in scope and what's out of scope. 

Price obviously, so many of our clients are really price-conscious. 

Even as we start to work with some of the larger companies, price is a key component for this. You want to make sure that you understand what you're getting and that you're getting what you pay for.

Finally, the shared responsibility matrix really shows you what's going to be left to do and that impacts all of the things that we just talked about. If my solution or if a solution that I'm evaluating looks like it covers 70%, it's good on the technology side but I have to write all the policies myself, or I have to hire someone else to do those policies, then that's going to impact my price. 

Even though I'm paying the MSP or the enclave solution one price, there are additional costs that are going to be involved in that either resources for me to do it myself or additional costs for me to pay someone else to do it.

Those are all things that are not deal-breakers by any means, but it's a question of, are you comfortable with the solution that you're getting, and is it the right fit for you?

Dana Mantilia: (08:19)

Really, being aware of exactly where the responsibilities where they are. If they're with you if they're with me. This is one thing I always like in these videos, is for people that are watching them to be able to take questions away and now know that they should be asking about that shared responsibility matrix because before they may not have even thought to ask that question.

That's a good question to be asking when you are smelling around talking to different MSPs. Let's talk about this. 

That might be very helpful to somebody who's just hopping down this little CMMC road. How will you know if a solution is good for your company?

Heather Engel: (08:51)

We touched on a lot of these things already. 

Price is obviously going to be one component of it. Do you feel comfortable with the solutions provider? How responsive are they to your questions? Do you feel like they can talk really knowledgeably, not just about the technical controls, but about the environment in which we live? 

We just had some major changes to CMMC. Are the providers that you're talking with aware of that? Do they maintain an awareness of what's going on in the community and in the broader DOD arena? 

I think those are really important. You have to feel comfortable with the vendor's knowledge, and they have to be really clear about what's being offered in their solution. That's where the shared responsibility matrix comes in.

The other thing that we haven't touched on that I think is really important and this goes back to scope, is you've accounted not only for your unique software and hardware and different things that you need for your business processes, but you've also accounted for unique data types.

We know that there are specific requirements for working with CUI, but if I'm handling HIPAA-protected data, or I've got personally identifiable information, maybe my company takes credit cards, those are all some unique data requirements exclusive of what we're talking about with CMMC that I need to make sure I've accounted for in the security of my solution. 

GDPR is one now that a lot of companies are having to grapple with, and then we even have special categories of CUI like ITAR as an export control data that have their own special requirements in addition to what we're going to need for CUI. 

Beyond all of those things, I think the biggest thing in identifying whether a solution is a good fit is, does it work with your business process?

It could be the greatest solution out there, but if you have to completely re-engineer your operations in order to make that solution work, it might not be the best fit for your company. 

We see this a lot with manufacturing, where manufacturers have specific and unique requirements with some of their shop floors and the way that they do business and it's not always a great fit for a particular type of solution. 

Really make sure that you're accounting for your specific needs, in terms of how you do business and how you produce whatever it is that you're selling, as well as the different data types that you might need to handle that are going to be protected under this solution.

Dana Mantilia: (11:29)

Those are all excellent, excellent points and I just want to focus on one thing that you said about making sure that whoever's helping you, how they're keeping to speed, like CMMC 2.0. When did they find out about it? How are they staying on top of things because there's going to be more changes, and you want to make sure that whoever you're dealing with is somebody that's getting that information or readily looking for that information? 

You know what I mean? Trying to keep up to speed on a regular basis. That was an excellent point that you mentioned. 

With that, I would like to see if there's anything else you want to throw out there. This was very, very helpful information.

Heather Engel: (12:04)

I mean, I think I'm just closing by saying it's always better to ask these questions because not only does that help you gauge how knowledgeable your potential service provider is, but you learn a lot from talking to them. 

This is information, we're all in this community together where sharing that information and getting to know who you like as a potential service provider and what solutions are out there is really valuable, I think, as we go forward. 

As you mentioned, there's so many changes happening, and we expect to see more changes over the next 6 to 9 to 22 months. Being able to stay on top of those is really critical, both for you and for your service provider. I think that's one of the key takeaways.

The other thing really goes back to understanding your scope and understanding your boundary. What's going to be in scope, and what's going to be out of scope? What are the things that you need to make your business run and to generate revenue? 

Because that's really what this is about. We're in business to generate revenue, and we need to make sure that whatever our security solution is, supports that and allows a to continue to do that.

Dana Mantilia: (13:16)

Absolutely. There's got to be a fine balance there. 

Well, thank you very, very much for all of your expertise and all of your time, Heather, and this was very, very nice. We hope to have you back on another episode. We'll talk about something else.

Heather Engel: (13:28)

Thanks for having me. This was great!

Dana Mantilia: (13:30)

All right. Great. Well, thank you and thank you to everybody for watching.

Heather Engel
Director of Strategic Security
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.
Part of the most relevant industry groups and committees

Get a 30-minute demo from a cuick trac™ product expert

You've made it this far, now let us show you why cuick trac™ will be the smartest decision you'll make this year.

Schedule a quick product tour
See how we can secure your CUI in less time, with less effort, and more features than any other DFARS compliance products in the market.