Downloads

Shared Responsibility Matrix for CMMC and NIST SP 800-171

If you are using an MSP or MSSP for CMMC compliance, you are required to show an assessor a Shared Responsibility Matrix defining obligations and responsibilities for both your organization and the company that supports you.

A proper Shared Responsibility Matrix (SRM) is the #1 indicator of your likelihood to pass a CMMC assessment.
An SRM is required for CMMC 2.0 compliance (by assumption and reference)
An SRM provides assurance to both assessors and business owners

The goal of this guide is to equip readers with answers to the following questions:

What % of responsibility does my organization have if we’re using external service providers for compliance?
What questions should I be asking my Managed Service Provider (MSP)?
Why am I required to have a Shared Responsibility Model / RACI Matrix for CMMC 2.0 compliance?

Key insights in this download:

The responsibility of external service providers and organizations seeking certification (OSCs) are clearly defined for successful completion of CMMC assessments
The Summit 7 team analyzed the 1,524 assessable objects listed NIST SP 800-171A to determine correct RACI assignments
This download highlights Summit 7 work packages that address large percentages of the assessment objectives defined in CMMC 2.0 and NIST 800-171

Get a Quote

Enter your information below and someone from our team will be in touch shortly.

Cybersecurity & Compliance

Frequently Asked Questions

What is CMMC?

CMMC is the DoW’s method for assessing the ability of organizations in the DoW supply chain to protect sensitive data such as FCI, CUI, and/or ITAR. There are three levels of CMMC certification.

Level 1 (Foundational): For companies handling FCI; requires 17 FAR‑based practices and an annual self‑assessment.

Level 2 (Advanced): For companies handling CUI; requires 110 NIST 800‑171 practices with third‑party assessments for prioritized programs and annual self‑assessments for others.

Level 3 (Expert): For companies with the most sensitive data; based on NIST 800‑172 and requires a government‑led assessment.

What is CUI?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

CUI can include a wide range of information, such as personal information, proprietary information, or information that is considered critical to national security.

When will the CMMC final rule be published?

DoW published the long-awaited 48 CFR Final Rule in the Federal Register on September 10, 2025, officially making the CMMC a binding requirement in defense contracts. A 60-day window followed before clauses could officially begin appearing in contracts, meaning DFARS 252.204-7021 requirements can appear in contracts as of November 10, 2025.

Will Phase 1 of the CMMC rollout only require self-assessments?

Not necessarily. Although many hope for self-assessments, contracting officers retain discretion. Contracts involving specific CUI types may require full third-party assessments (C3PAO) even during Phase 1. Organizations should prepare for the possibility of certification-level requirements immediately.

How much does CMMC certification cost for a small to mid-sized business?

Assessment costs typically range from $40,000 to $80,000. Total compliance costs may exceed $300,000 depending on complexity.

Testimonials

“Working with Summit 7 brings instant credibility. As soon as I tell large defense contractors we’re working with Summit 7, there’s a sigh of relief in the room.”

Matt GustafsonPresident, Clinkenbeard

“Migration would have been a heavy lift on our resources and Summit 7 completed the migration without issue while providing education along the way.”

Justin WillisDirector of Program Management, Seventh Sense Consulting

“The support from everyone at Summit 7—project managers, billing team leads, and even individual techs—has been phenomenal.”

Brad MurryISSM, Cayuse Government Operations

“Summit 7’s guidance significantly enhanced our internal IT expertise, positioning us for sustained excellence.”

Trent EdwardsDirector of IT, KMS Solutions

Protecting the American Dream

Summit 7 is the Defense Industrial Base’s most trusted group of certified experts.

About Us

Why Summit 7

Don't Know Where to Start?

Join the Team