CMMC Shared Responsibility Matrix: Who Owns Each Control?
A CMMC shared responsibility matrixis the who-owns-what map between your company and any outside provider whose people, technology, or services process, store, or transmit your CUI or Security Protection Data—or that provide a security function for your assessment scope. It assigns each NIST SP 800-171 Revision 2 security requirement, and ideally each assessment objective beneath it, to you, your provider, or both, so nothing is left unowned when a Certified Third-Party Assessment Organization (C3PAO) walks in the door.
The document is officially called a Customer Responsibility Matrix (CRM) in 32 CFR § 170.19 and the current DoD Level 2 Scoping Guide. “Shared responsibility matrix” is the common market and search term for the same thing, borrowed from cloud computing. Below we use both interchangeably, clarify the difference where it matters, and explain exactly what assessors check.
That last sentence—exactly what assessors check—is the whole game, and it’s where we’ll spend most of our time. First, the fast version.
The 60-second answer
| Your situation | What it means for your matrix |
|---|---|
| A cloud provider stores, processes, or transmits your CUI | FedRAMP requirements apply (DFARS 252.204-7012). You still document scope, your configuration duties, and the controls the provider’s CRM hands back to you. |
| An MSP or MSSP touches your CUI | Their services are in your assessment scope and assessed as part of your assessment. If they hold their own CMMC certification, that can reduce the effort—it doesn’t erase your documentation. |
| A provider only handles logs, configs, vuln data, or passwords (no CUI) | Usually still in scope. Assessed as a Security Protection Asset. “No CUI” does not automatically mean “out of scope.” |
| A provider touches neither CUI nor Security Protection Data | Usually isn’t an “external service provider” under CMMC at all. Don’t drag every vendor into scope. |
| You run everything in-house, no outside providers | You don’t produce an external matrix—you document responsibility inside your SSP. |
Get the free CMMC shared responsibility matrix template
NIST publishes the official CUI System Security Plan template and CUI Plan of Action template free and ungated alongside SP 800-171 Rev. 2. Use those as the authoritative skeleton, then add the 14-family ownership columns, the three-state classification (you / provider / shared), and your evidence references on top.
Get the NIST CUI documentation package (free, official) →What is a CMMC shared responsibility matrix?
A CMMC shared responsibility matrix is a control-ownership document that maps each NIST SP 800-171 Revision 2 security requirement—and its assessment objectives—to a responsible party: your organization, an external service provider, or both. Its purpose is to prove, before an assessment, that every one of the 110 requirements (broken into 320 assessment objectives) has an owner and a source of evidence. It is the bridge between “our provider handles that” and “here is the final-form evidence that proves it.”
It is not a marketing chart. It is not your provider’s SOC 2 report. It is not a slide that says “the cloud handles security.” A real matrix connects four things: the requirement, who implements it, what evidence proves it, and where that lands in your SSP.
The document exists because outsourcing is now the norm in the Defense Industrial Base (DIB—the companies that supply the U.S. military). Small and mid-tier contractors move email, file storage, identity, monitoring, and patching to outside specialists. But CMMC accountability does not move with the work. The matrix is how you keep track of who is actually doing what—and how you avoid the worst assessment-day surprise: a control nobody owned.
One framing to keep handy as you read:
| Regulation-stated term | Market / search term | |
|---|---|---|
| Name | Customer Responsibility Matrix (CRM) | Shared Responsibility Matrix (SRM) |
| Where it appears | 32 CFR § 170.19(c)(2)(ii) and the current DoD Level 2 Scoping Guide | Provider docs, RFPs, forums, search engines |
| Use it for | SSP language, evidence, assessment | Talking to people who call it an SRM |
Same document. Two names. The question isn’t “do I have a matrix?” It’s “does every requirement my providers touch have a named owner and final-form evidence behind it?”
Is a CMMC shared responsibility matrix required?
The exact phrase “shared responsibility matrix” is not a named, standalone mandate in the rule—but the underlying documentation is effectively required whenever you use an outside provider. 32 CFR § 170.19 states that an external service provider’s use, relationship, and services must be documented in your SSP and described in the provider’s service description and customer responsibility matrix (CRM).
The DoD CMMC Level 2 Assessment Guide is blunt about the standard: all applicable assessment objectives must be MET or not applicable. Draft evidence is unacceptable. If an objective is marked MET, the evidence must be final-form and tied to a named responsible party. Without the matrix, an assessor cannot confirm the responsible party. Without a named party, the objective cannot be scored MET.
A shared responsibility matrix does not transfer your CMMC accountability to your provider. It can clarify who implements which requirement and what evidence the provider supplies. But if a provider’s responsibility is undocumented, unsupported by their service description, missing from your SSP, or impossible to evidence, the gap still lands on yourassessment. “The vendor handles that” is not a defense an assessor can score.
Now the pivot, because that flaw is exactly why the matrix is worth your time: it converts a vague verbal assurance into a testable, evidence-backed statement beforean assessor, a prime, or a contracting officer forces the issue. A good matrix doesn’t increase your risk—it surfaces and closes the risk while you still control the timeline.
When you may genuinely not need one:if you run your CUI environment entirely in-house and no external provider processes, stores, or transmits CUI or Security Protection Data—and none provides a security function for your scope—you don’t produce an external responsibility matrix. You still document who internally owns each control in your SSP. If that’s you, the CMMC System Security Plan guide is the better starting point, and you don’t need the template on this page.
SRM, CRM, or RACI—what should you actually call it?
For how buyers and assessors talk, “shared responsibility matrix” (SRM) and “customer responsibility matrix” (CRM) describe the same practical artifact: a map of who owns which security responsibility between you and a provider. The distinction worth knowing is directional. A CRM is authored by the provider and is one-directional—it tells you what youmust do for their service to support your compliance. An SRM is built collaboratively and is bidirectional—it shows what each party does for each requirement.
Which term is “official”? We read both primary sources to be sure. The rule uses CRM: 32 CFR § 170.19(c)(2)(ii) requires that an ESP relationship be documented in your SSP and “described in the ESP’s service description and customer responsibility matrix (CRM).” The current DoD Level 2 Scoping Guide (v2.13, September 2024) consistently uses “customer responsibility matrix.”
So why is “shared responsibility matrix” everywhere? Partly because it’s borrowed from cloud computing—and partly because DoD’s earlier (2021) Level 2 scoping guide actually used the phrase “shared responsibility matrix” before the Final Rule. The term stuck in the market even though the current rule and guidance both say CRM. Bottom line: CRM is the official CMMC term; SRM is the practical and search term for the same document.
Here’s the clean way to hold all of it:
| Document | Who writes it | Direction | The question it answers |
|---|---|---|---|
| Customer Responsibility Matrix (CRM) | The provider (ESP/CSP) | One-directional (provider → you) | “Here’s what you, the customer, must do for our service to support your compliance.” |
| Shared Responsibility Matrix (SRM) | You and the provider, together | Bidirectional | “For each requirement, who does what—you, the provider, or both.” |
| FedRAMP Customer Responsibility Matrix / CIS | The cloud provider (in its FedRAMP package) | One-directional | A FedRAMP-package list of customer-responsible controls that feeds your CMMC matrix. |
| Cloud “shared responsibility model” | The cloud provider (Microsoft, AWS) | Conceptual | High-level “we secure the cloud; you secure what’s in it.” Not a CMMC deliverable. |
| RACI matrix | Usually you | Responsible / Accountable / Consulted / Informed | Internal project accountability—a format, not assessment evidence on its own. |
Naming convention we recommend for the document itself: title it CMMC Level 2 Customer / Shared Responsibility Matrix. That matches the rule’s language and the buyer’s language, so it survives both an SSP review and a search.
When does a provider become an “external service provider” (ESP) under CMMC?
Under 32 CFR § 170.4, an external service provider (ESP) is external people, technology, or facilities you use for IT or cybersecurity services where CUI or Security Protection Data (SPD) is processed, stored, or transmitted on the provider’s assets. Two questions decide how the provider is treated: Is it a Cloud Service Provider (CSP)? And does it handle CUI, SPD, or neither? A provider that touches neither CUI nor SPD does not meet the CMMC definition of an ESP.
This is the most consequential page in the whole exercise, because scope determines everything downstream. Run every provider through the same gate. The rule’s scoping table—Table 4 to § 170.19(c)(2)(i)—lays it out:
| When the provider handles… | If it is a CSP | If it is not a CSP |
|---|---|---|
| CUI (with or without SPD) | The CSP must meet the FedRAMP requirements in DFARS 252.204-7012 | The provider’s services are in your assessment scope and assessed as part of your assessment |
| SPD only (logs, configs, security data—no CUI) | The CSP’s services are assessed as Security Protection Assets | The provider’s services are assessed as Security Protection Assets |
| Neither CUI nor SPD | Not an ESP under CMMC | Not an ESP under CMMC |
A quick decision path you can run in your head:
- Does the provider process, store, or transmit CUI?
- Does it process, store, or transmit Security Protection Data? The Scoping Guide defines SPD as security-relevant information that could help an attacker—explicitly including configuration data for a security tool, log files, data on the configuration or vulnerability status of in-scope assets, and passwords that grant access to your environment.
- Is it a CSP (a cloud service offering), or a non-CSP MSP / MSSP / SOC / cybersecurity-as-a-service provider?
- Does it provide a security function for your CMMC scope?
- Does your SSP rely on it to satisfy any requirement?
If the answer to 1 or 2 is yes, the provider is in your matrix. If the answer to both is a clean, documented no—backed by a data-flow diagram and the service description, not a guess—it’s likely out.
The Scoping Guide gives concrete examples of both. Out: cloud-based HR and accounting SaaS that don’t contribute to your security and don’t touch CUI or SPD typically aren’t ESPs. In:a SIEM service that never touches your CUI is still in scope, because it contributes to meeting your requirements—and the guide lists firewalls, SIEM, EDR, hosted VPN, co-located data centers, and SOCs among Security Protection Assets. The difference is the data and the function, not the vendor’s logo.
Not sure which providers land in your matrix?
See how cloud providers, MSPs, MSSPs, SOCs, and GRC tools are each treated under the CMMC rule—and which documentation each type is required to supply.
CMMC provider categories guide →The DCR scoping matrix: who owns what, by provider situation
The hardest part of building a shared responsibility matrix isn’t the spreadsheet—it’s knowing how each kind of provider is treated under the rule, what to request, and where it goes in your SSP. We built the table below by cross-reading 32 CFR § 170.19 (including Table 4), the DoD Level 2 Scoping Guide, DFARS 252.204-7012, and the Cyber AB conflict-of-interest rules into one operational worksheet.
| Provider / situation | SRM/CRM needed? | CMMC scope treatment | What to request | What goes in your SSP | The mistake that bites |
|---|---|---|---|---|---|
| CSP stores/processes/transmits CUI (cloud enclave, file storage, collaboration) | Yes | CSP must meet FedRAMP requirements via DFARS 252.204-7012; you still own scope and configuration | FedRAMP status/package, service boundary, CRM, services in scope, incident-reporting duties, your configuration responsibilities | Cloud boundary, services used, CUI flow, inherited/shared/customer controls, evidence references | Assuming “FedRAMP” or “GovCloud” equals your company-level CMMC compliance |
| CSP handles SPD only (security telemetry, logs, configs—no CUI) | Yes | Services are in scope and assessed as Security Protection Assets | CRM, service description, log/data-handling description, evidence for the security functions provided | How the CSP supports security functions; SPD flow; which Level 2 requirements are relevant | Treating “no CUI” as “out of scope” when the provider handles security data |
| Non-CSP MSP/MSSP handles CUI | Yes | Services are in scope and assessed as part of your assessment | Service description, CRM mapped to NIST SP 800-171 Rev. 2 objectives, evidence support, assessment-participation commitment | Provider relationship, services, assets, CUI flow, evidence handoff | Treating a generic SOC 2 report or marketing page as proof of CMMC responsibility |
| Non-CSP MSP/MSSP handles SPD only (SIEM, EDR, RMM, SOC, vuln data) | Yes | Services are in scope and assessed as Security Protection Assets | CRM, SPD-handling description, security-tooling evidence, logs, configurations, interview availability | Security Protection Asset treatment, evidence source, monitoring/response handoff | Believing only CUI creates provider scope |
| Provider handles neither CUI nor SPD | Usually no | Does not meet the CMMC definition of an ESP | Written confirmation of no CUI/SPD access; architecture/data-flow support | A short note explaining why it’s out of ESP scope, if relevant | Pulling every vendor into scope unnecessarily |
| MSP as staff augmentation using only your systems | Maybe—depends on actual access/data | Treat based on whether the provider’s people, tools, or facilities touch CUI or SPD | Role descriptions, access list, privileged-access evidence, service boundaries | Who performs activities, where evidence lives, whether provider assets are involved | Calling it “staff aug” while the provider’s RMM or ticketing tool stores logs and configs |
| On-prem environment connected to a CSP | Yes—cloud responsibilities plus your on-prem controls | You’re still assessed for the on-prem infrastructure connecting to the CSP | CSP CRM, network diagrams, cloud-config evidence, on-prem control evidence | On-prem boundary, cloud boundary, CRM references, data-flow diagram | Treating the cloud CRM as if it covers your endpoints, identity, local network, and users |
| Centralized corporate SOC/NOC supporting multiple business units | Yes—if external to the assessed entity and handles CUI/SPD/security functions | The same ESP analysis applies even inside the corporate family | Internal service description, responsibility matrix, evidence handoff, interview availability | Relationship to the assessed organization, services, SPD/CUI flow, evidence owner | Assuming “same parent company” means “not external” |
| Subcontractor receives FCI only | Usually not, unless shared IT/security services are involved | Flow down the correct CMMC level for FCI systems | Contract flow-down, Level 1 status/affirmation as applicable, shared-system details | FCI flow, subcontractor systems, any shared provider services | Demanding Level 2 evidence before confirming whether CUI actually flows down |
| Subcontractor receives CUI under a prime contract | Possibly, if shared systems or providers support CUI | Correct CMMC level flows down; CUI systems need a current status | Subcontractor scope, CMMC status, affirmation path, shared-provider CRM if applicable | CUI flow-down, subcontractor role, system boundary, provider dependencies | Treating subcontractor compliance as a one-time vendor questionnaire |
| Level 3 environment with ESPs | Yes—and it matters more | Level 3 builds on the Level 2 scope relationship; ESP rules apply at Level 3 too | CRM, Level 2 prerequisite evidence, Level 3 responsibility mapping, DIBCAC readiness | Level 3 enclave/scope, Level 2 dependencies, selected NIST SP 800-172 responsibilities | Adding Level 3 protections before resolving Level 2 provider-responsibility evidence |
| GRC/compliance software stores evidence (no CUI) | Maybe—depends on whether it stores SPD or sensitive security evidence | If it holds Security Protection Data, treat it in your SPA/ESP analysis | Data classification, service boundary, security-responsibility docs, access-control and audit evidence | Evidence-repository role, access control, data stored, backup/export process | Uploading diagrams, vulnerability reports, or program data into a tool without classifying its scope |
Two things to notice. First, the “no CUI” answer rarely ends the analysis—Security Protection Data brings many security providers back into scope. Second, the same analysis applies to a sister company in your own corporate family if it’s external to the entity being assessed; the Scoping Guide is explicit that an ESP can sit inside the broader corporate structure yet still be external to the assessed organization.
Who builds the matrix—you, your MSP, or your cloud provider?
You—the Organization Seeking Assessment (OSA)—are accountable for the matrix and for keeping it current, but it’s assembled from inputs your providers supply. Your provider authors a CRM describing what you must do; your cloud provider supplies its FedRAMP customer responsibility documentation; you stitch those into one matrix covering all 110 requirements and reconcile it with your SSP. In practice, a capable MSP or MSSP will fill out most of a shared matrix for the services it runs—often under NDA—and hand it back for you to integrate.
Think of it as artifacts versus evidence: different parties own different pieces.
| Party | What they own |
|---|---|
| You (OSA/OSC) | The final matrix, the SSP references, the scope and data-flow diagrams, accuracy, and maintenance after any change |
| MSP / MSSP | Their service description, objective-level responsibility mapping, evidence exports, and interview support |
| CSP | Its FedRAMP package/status, its CRM, the service boundary, and incident/data commitments |
| Readiness advisor / RPO | Gap mapping, SSP integration, and evidence-readiness help |
| C3PAO | Assessment review only—not readiness implementation for the same engagement where the independence rule applies. The Cyber AB Code of Professional Conduct v2.0 bars a C3PAO from assessing an organization it consulted within the prior three years. |
A practical note on the NDA reality: detailed provider matrices and evidence are frequently shared under non-disclosure agreement, and some providers restrict what an assessor can see. Sort that out early—confirming that the CRM is available and that ESP personnel will participate in the assessment is something a C3PAO expects you to have arranged before the assessment, not something to negotiate on assessment day.
Where do you get the Microsoft, AWS, FedRAMP, or MSP/MSSP CRM?
Start with each provider’s official compliance channel: the FedRAMP package access path for a cloud platform, the provider’s service description and customer responsibility documentation for an MSP/MSSP, and the vendor’s compliance portal for a security tool. For cloud, verify the exact in-scope services; for MSPs and MSSPs, ask for a CMMC-specific CRM mapped to your services and the NIST SP 800-171 Rev. 2 objectives—not a generic one-pager.
- Microsoft (GCC, GCC High, Azure Government): Validate the exact cloud service offering and its status on the FedRAMP Marketplace, then request Microsoft’s customer responsibility documentation for the services you use. Different Microsoft offerings carry different authorizations—confirm the one that applies to your tenant and workloads. See also our GCC High for CMMC guide.
- AWS (GovCloud):AWS states it publishes a CMMC customer package, responsibility matrices, and customer implementation guidance through AWS Artifact, and tells customers to confirm which services are in scope via its “Services in Scope by Compliance Program” list. Treat those as provider-stated resources to verify, not as a DCR endorsement.
- MSP / MSSP:Ask for a CMMC-specific CRM mapped at the objective level. Quality varies widely—some providers hand over a clean, objective-level matrix; others can’t produce one at all, which is itself a signal (see the FAQ below on what to do when a provider refuses).
- Security tools (SIEM, EDR, GRC):Request the customer responsibility documentation and confirm what data the tool stores. One watch-out worth knowing: if a security product can ingest your files for analysis, that feature can pull CUI into the tool’s boundary and turn it into a CUI asset—which raises the bar to FedRAMP. Confirm and configure accordingly.
What goes in a CMMC shared responsibility matrix?
A useful matrix records, for each requirement and ideally each assessment objective: the control ID, the control family, the owner (you, provider, shared, inherited, or not applicable), an implementation summary, the evidence source, the SSP reference, the asset or service in scope, the CUI/SPD status, and a last-verified date. The point is not a tidy spreadsheet—it’s a document an assessor can use to confirm that every objective has an owner and final-form evidence.
Minimum columns that make a matrix assessment-ready:
| Column | What it captures and why it matters |
|---|---|
| CMMC Level | L1 / L2 / L3. Determines which requirements apply and which ESPs are in scope for this environment. |
| Control ID | NIST SP 800-171 Rev. 2 requirement number (e.g., AC.L2-3.1.1) and, for full assessment readiness, each 800-171A assessment objective beneath it. |
| Control family | One of the 14 families (AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, RA, SC, SI). Allows filtering by domain for review. |
| Requirement / objective text | The verbatim NIST requirement or assessment objective—so there’s no ambiguity about what’s being addressed. |
| Owner | You / Provider / Shared / Inherited / N/A. This is the core field—every row must have one. “Shared” means split tasks with separate evidence; “Inherited” means a parent entity fully covers this control. |
| Implementation summary | One-to-two sentences on how the control is actually met in your environment—specific enough for an assessor to understand the approach before requesting evidence. |
| Evidence source | The artifact that proves the control—policy doc, config screenshot, log export, training record, ticket number. Must be final-form. Draft evidence does not satisfy the DoD Assessment Guide standard. |
| SSP reference | The SSP section or control-narrative entry that covers this requirement. Assessors cross-check the matrix against the SSP; a mismatch between the two is a finding. |
| Asset or service in scope | The specific system, cloud service, MSP tool, or enclave that implements the control. Required to tie evidence to a bounded environment, not a generic statement. |
| CUI / SPD status | Whether this row relates to CUI handling, Security Protection Data, or neither. Determines the depth of evidence required and which ESP scoping rules apply. |
| Last-verified date | The date the owner last confirmed the control was in place and the evidence was current. CMMC’s annual affirmations require your documentation to stay current; a stale date is a warning sign. |
| Notes / open items | Any POA&M reference, NDA restriction, open remediation task, or provider follow-up needed. Links to the POA&M where applicable. |
If your matrix exposed a provider gap, don’t book an assessment until you know whether the fix is readiness help, MSP/MSSP support, cloud/enclave work, GRC evidence workflow, or a C3PAO path. That’s the decision this page exists to make easier.
Start from the NIST CUI documentation package
NIST publishes the official CUI System Security Plan template and CUI Plan of Action template free and ungated alongside SP 800-171 Rev. 2. Use those as the authoritative skeleton, then add the 14-family ownership columns, the three-state classification (you / provider / shared), and your evidence references on top.
Get the NIST CUI documentation package (free, official) →How we verified this guide
This guide is built from primary CMMC and DoD sources, then structured around the friction we see real buyers describe. Every regulatory claim was checked against the eCFR, the Federal Register, Acquisition.gov, the DoD CMMC guides, NIST publications, and Cyber AB documents. Forum and community language was used only to understand buyer questions—never as regulatory authority.
On , we:
- Read 32 CFR § 170.19 in the eCFR and confirmed the customer-responsibility-matrix language in § 170.19(c)(2)(ii) and the ESP scoping rules in Table 4;
- Confirmed the current DoD CMMC Level 2 Scoping Guide (v2.13, Sept 2024) uses “customer responsibility matrix (CRM),” defines Security Protection Data, and gives the HR/accounting-SaaS and SIEM scope examples—and noted that the earlier 2021 scoping guide used “shared responsibility matrix,” which is why the term persists;
- Confirmed the DoD CMMC Level 2 Assessment Guide scoring rule—all applicable objectives must be MET or not applicable, and draft evidence is unacceptable;
- Verified the FedRAMP requirement for CUI clouds in DFARS 252.204-7012 and the December 2023 DoD CIO equivalency guidance;
- Confirmed CMMC Level 2 still maps to NIST SP 800-171 Rev. 2 (110 requirements, 320 objectives), not Rev. 3;
- Confirmed the phase dates on DoD’s CMMC program pages; and
- Read the Cyber AB Code of Professional Conduct v2.0 to confirm the three-year consultant-assessor independence prohibition.
What we did notdo: claim Cyber AB or DoD endorsement, verify any named provider’s private matrix, treat vendor marketing as authority, or offer legal advice. This is editorial compliance research from an independent trade publication—confirm contract obligations, assessment strategy, and legal questions with qualified counsel, your contracting officer, and appropriate CMMC professionals.
Last verified: . Next review: , or sooner if DoD updates 32 CFR Part 170, the Level 2 Scoping Guide, DFARS 252.204-7012, or the Cyber AB Code of Professional Conduct. See our editorial standards, methodology, and corrections policy.
Frequently asked questions
Is a CMMC shared responsibility matrix the same as a customer responsibility matrix?
In practice, yes—both describe a map of who owns which security responsibility between you and a provider. The CMMC rule (32 CFR § 170.19) and the current DoD Level 2 Scoping Guide use the term “customer responsibility matrix (CRM)”; “shared responsibility matrix” is the common market and search term. A CRM is typically provider-authored and one-directional; an SRM is collaborative and bidirectional.
Is a shared responsibility matrix legally required for CMMC Level 2?
The exact phrase isn’t a standalone mandate, but the documentation effectively is. 32 CFR § 170.19 requires that an external service provider’s relationship and services be documented in your SSP and described in the provider’s service description and CRM. If you use an in-scope provider, you can’t pass without it.
Does using GCC High or AWS GovCloud mean I don't need a matrix?
No. A cloud authorization handles the provider’s own compliance, but you still document your scope, configurations, users, and every control the provider’s CRM assigns back to you. A CSP handling CUI must meet FedRAMP requirements under DFARS 252.204-7012, and you must show how you meet your assigned responsibilities in your SSP. See our GCC High for CMMC guide for how GCC High authorization and your CMMC documentation interact.
Does my MSP need to be CMMC certified?
Not always. If the MSP processes, stores, or transmits CUI, its services are in your assessment scope and assessed as part of your assessment. An MSP that only handles Security Protection Data is assessed as a Security Protection Asset. A provider can voluntarily certify to reduce the effort during your assessment, but you still document the relationship, services, and CRM responsibilities in your SSP. See our CMMC MSP guide for more.
Can the matrix alone make a requirement MET?
No. The DoD Assessment Guide requires meeting all applicable assessment objectives for a requirement, supported by final-form evidence. The matrix documents who’s responsible; the evidence proves it’s actually done.
Should I map to the 110 requirements or the 320 assessment objectives?
At minimum, map to all 110 NIST SP 800-171 Rev. 2 requirements for Level 2. For real assessment readiness, map to the 320 objectives wherever provider and customer responsibilities differ—because findings are scored at the objective level. See our CMMC Level 2 requirements guide for a breakdown of all 14 families.
Can the C3PAO that assesses me also help me build the matrix?
No, where the independence rule applies. The Cyber AB Code of Professional Conduct v2.0 bars a C3PAO and its assessment team from a Level 2 certification assessment for an organization they consulted to prepare for any CMMC assessment within the prior three years. Use an RPO or readiness consultant for buildout, and keep the assessing C3PAO independent.
What if a provider refuses to give me a matrix or evidence?
Treat it as a scope and readiness risk that scales with how close the provider sits to your CUI and security controls. You may need compensating documentation, contract clarification, or a provider change before you book an assessment.
Does the matrix belong in my SSP?
Yes—it should be referenced in or reflected by your SSP. 32 CFR § 170.19 and the DoD scoping guidance tie ESP services, relationships, and responsibilities to your SSP and the provider’s service description and CRM, and assessors cross-check the matrix against the SSP at the objective level.
Does the matrix change if NIST moves to Revision 3?
Possibly, later. As of this writing, CMMC Level 2 still maps to NIST SP 800-171 Rev. 2, so build your matrix and evidence against Rev. 2 today. We re-verify this against NIST and the Federal Register on a quarterly cadence.
Is this legal or compliance advice?
No. This is editorial compliance research from The Defense Compliance Report, an independent trade publication on CMMC 2.0 and DIB compliance. Confirm your obligations with qualified counsel, your contracting officer, and appropriate CMMC professionals.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline and we’ll match you with source-checked CMMC provider options. Please don’t include CUI, export-controlled technical data, credentials, or Security Protection Data in the form—a short description of your level, scope, and timeline is all we need.
Get matched with CMMC providers →Primary sources
- 32 CFR Part 170, §§ 170.4, 170.16, 170.19, 170.22, 170.24 — eCFR
- CMMC Program, Final Rule — Federal Register, Oct. 15, 2024 (effective Dec. 16, 2024)
- DFARS 252.204-7021 and DFARS 252.204-7012 — Acquisition.gov
- DoD CIO FedRAMP Moderate Equivalency guidance — December 2023
- DoD CMMC Assessment Guide — Level 2 and CMMC Scoping Guide — Level 2 (v2.13)
- NIST SP 800-171 Rev. 2; NIST SP 800-171A; NIST SP 800-172 — NIST CSRC
- Cyber AB CMMC Code of Professional Conduct (CoPC) v2.0
- FAR 52.204-21; FedRAMP Marketplace; DoD CIO — About CMMC