Shared Responsibility Matrix
Also known as: SRM · Customer Responsibility Matrix
A document that maps each NIST SP 800-171 requirement to the party responsible for implementing it — the contractor, an external service provider, or shared between them.
A Shared Responsibility Matrix (SRM) is a document that breaks down each of the 110 NIST SP 800-171 requirements (and ideally each of the underlying assessment objectives) and identifies who is responsible for implementing it: the contractor, an external service provider, or both.
Cloud providers, MSPs, identity providers, and security service vendors typically publish their own customer responsibility matrices that document which parts of their service they have already implemented and which parts the customer must implement. A defense contractor pulls these together into a single SRM that covers their entire in-scope environment.
A C3PAO will ask for the SRM during a Level 2 assessment and use it to verify that no requirement falls into a gap between the contractor and an external provider. SRMs at the assessment-objective level are stronger than SRMs at the requirement level — assessors increasingly expect the granular version.
CMMCDocs.com