The Defense Contract Management Agency (DCMA) says all customer responsibility matrices (CRMs) must be complete prior to the start of their CMMC assessments. Yet only half the people know much about them. Why?

Risk Management Framework

If you come from a Risk Management Framework (RMF) background, where they appear as traceability matrices, or work with federal systems, you are familiar with CRMs, but for many people in the commercial industrial base the idea is new. Many folks in the CMMC heard of customer responsibility matrices when they saw how DCMA

The Institute of Electrical and Electronics Engineers Standard Glossary of Software Engineering Terminology (1990) defines a traceability matrix as:

A matrix that records the relationship between two or more products of the development process (e.g., a matrix that records the relationship between the requirements and the design of a given software component).

The NIST glossary then adds two notes to this definition:

Note 1: A traceability matrix can record the relationship between a set of requirements and one or more products of the development process and can be used to demonstrate completeness and coverage of an activity or analysis based upon the requirements contained in the matrix.

Note 2: A traceability matrix may be conveyed as a set of matrices representing requirements at different levels of decomposition. Such a traceability matrix enables the tracing of requirements stated in their most abstract form (e.g., statement of stakeholder requirements) through decomposition steps that result in the implementation that satisfies the requirements.

While NIST SP 800-37 defines how to apply RMF to federal systems, NIST SP 800-171 does not apply RMF to the protection of CUI. The CRM used by DCMA comes from FedRAMP.


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The Frequently Asked Questions used to define FedRAMP as FISMA for the cloud. You can only choose to use authorized FedRAMP vendors. As part of this application process, vendors must upload the “FedRAMP Low or Moderate Control Implementation Summary (CIS) Workbook Template”.

This document, artifact 9, is the best template for the customer responsibility matrix.

How do I complete the customer responsibility matrix for CMMC?

Much of the cloud and CMMC remains dark. We do not have official scoping guidance, but the DCMA CMMC assessments of C3PAOs provide us clues and, as stated, DCMA will not begin a CMMC assessment without all CRMs used for securing or the authorized handling of CUI.

You will get the CRM from the cloud vendor that you have decided is in scope.

1) Implementation Status: “Implementation Status” refers to the implementation status of the control (e.g., Implemented, Partially Implemented, Planned, Alternative Implementation, N/A).

2) Control Origination: “Control Origination” refers to which entity has responsibility for implementing the control. The following table defines the control origination options.

In your SSP you must make sure you link to the CRM and then describe how you fulfill your duties.

You begin by only using FedRAMP-authorized cloud vendors. This will help your CMMC assessor trust the shared responsibility of the cloud vendor.