News & Articles | Sera Brynn

Common CMMC Mistakes: Overlooking Legal Requirements from External Service Providers

Written by Sera Brynn | May 16, 2025 at 3:30 PM

 

Common CMMC Compliance Mistakes Series #14

 Welcome back to our expert-driven series: The Top 15 Most Common CMMC Compliance Mistakes (and How to Solve Them). Throughout this series, we're dissecting the frequent errors, misunderstandings, and misconceptions organizations encounter on their path to CMMC certification, drawing insights from seasoned CCPs, CISOs, and CCAs

Today’s focus: We delve into a critical oversight: the failure to obtain formal agreements and detailed Shared Responsibility Matrices (SRMs) from External Service Providers (ESPs), which can leave your organization vulnerable during assessments.

What You’ll Learn

  • The importance of formal agreements with ESPs in CMMC compliance
  • How to develop a detailed SRM aligned with CMMC objectives
  • Common pitfalls in ESP engagements and how to avoid them
  • Best practices for ensuring legal accountability and clear responsibility delineation

 

If You Work With External Service Providers, This Is Essential

When attempting to achieve or maintain CMMC compliance, relying on External Service Providers (ESPs) without formal agreements and detailed Shared Responsibility Matrices (SRMs) is a recipe for non-compliance. Many organizations assume that their ESPs inherently cover certain security controls, leading to gaps in accountability and documentation.

The Department of Defense (DoD) emphasizes the necessity of clearly defined responsibilities between Organizations Seeking Certification (OSCs) and their ESPs. Without formal agreements and comprehensive SRMs, OSCs cannot demonstrate compliance with NIST SP 800-171 requirements, jeopardizing their eligibility for DoD contracts.

 

The Importance of Formal Agreements

Formal agreements, such as contracts or Service Level Agreements (SLAs), are essential to delineate responsibilities between OSCs and ESPs. These agreements should:

  • Specify Security Responsibilities: Clearly outline which party is responsible for each security control, ensuring no overlap or gaps.

  • Include SRMs: Incorporate detailed Shared Responsibility Matrices that map responsibilities to specific CMMC practices and assessment objectives.

  • Define Evidence Requirements: Establish the type of evidence each party must provide to demonstrate compliance.

  • Set Terms for Compliance Monitoring: Include provisions for regular reviews and updates to the SRM and compliance status.

Without these formal agreements, OSCs cannot adequately demonstrate compliance during assessments, as auditors require clear, documented evidence of responsibility allocation.

 

Developing a Detailed Shared Responsibility Matrix

An effective SRM should:

  • Map Responsibilities to CMMC Objectives: Align each control with the responsible party, referencing specific CMMC practices and assessment objectives.

  • Include All Relevant ESPs: Account for all third-party providers that impact your security posture, including cloud service providers, managed service providers, and subcontractors.

  • Be Regularly Updated: Reflect changes in services, responsibilities, or compliance requirements.

  • Be Accessible to Auditors: Ensure the SRM is readily available and understandable for assessment purposes.

For example, if your organization uses a cloud service provider for data storage, the SRM should specify who is responsible for data encryption, access controls, and incident response related to that service.

 

Common Mistakes in ESP Engagements

  • Assumed Responsibilities: Believing that ESPs automatically cover certain controls without verification.

  • Lack of Documentation: Failing to formalize responsibilities in contracts or SRMs.

  • Outdated Agreements: Not updating agreements to reflect changes in services or compliance requirements.

  • Insufficient Evidence: Inability to provide documentation during assessments to prove ESP compliance.

Avoiding these pitfalls requires proactive engagement with ESPs, thorough documentation, and regular reviews of responsibilities and compliance status.

 

 Sample Shared Responsibility Matrix

CMMC Practice

Responsibility

OSC Tasks

ESP Tasks

Evidence Required

AC.L2-3.1.1
(Access Control)

Shared

Define user roles and permissions

Implement access controls in systems

Access control policies, system logs

SI.L2-3.14.1
(System Monitoring)

ESP

Monitor internal systems

Monitor cloud infrastructure

Monitoring reports, incident logs

SC.L2-3.13.8 (Encryption)

OSC

Encrypt data at rest

Encrypt data in transit

Encryption policies, encryption keys documentation

 


 

 

In Summary: Fully Understanding The Legal Requirements of ESPs

Securing formal agreements and detailed Shared Responsibility Matrices with your External Service Providers is not just a best practice, it's a necessity for CMMC compliance. By clearly delineating responsibilities and maintaining thorough documentation, your organization can confidently demonstrate compliance and maintain eligibility for DoD contracts.

Key Takeaways

  • Formal agreements with ESPs are essential for delineating security responsibilities.
  • Shared Responsibility Matrices should map responsibilities to specific CMMC practices and assessment objectives.
  • Regularly review and update agreements and SRMs to reflect changes in services or compliance requirements.
  • Proactive engagement with ESPs and thorough documentation are critical for successful CMMC assessments.

Up Next In Our Top 15 Most Common CMMC Mistakes Series:

In the next installment of our series, we'll explore the challenges organizations face in understanding what can be outsourced and what must remain internal in the context of CMMC compliance.

 

 
View full post