July 22, 2025
The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program officially went into effect on December 16, 2024, and it kicked off with a bang. Level 2 assessments began on January 2, 2025, and according to the Cyber AB, 168 assessments have already been completed as of June 2025. With many CMMC 3rd Party Assessment Organizations (C3PAOs) now booking well into next year, the message is clear: CMMC validation is here, and momentum is building fast. At Redspin, that momentum is tangible – we’ve expanded from just 1-2 assessment teams last year (performing Joint Surveillance Assessment Program (JSVA) assessments) to 6 (soon to be 7) full teams, each consisting of a Lead CCA, a CCA and a QA, to meet the growing demand. At the heart of CMMC is the need to assess and certify that defense contractors securely store, process, and transmit Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in accordance with existing DFARS and NIST SP 800-171 Revision 2 requirements, which have applied since 2017 (DFARS) and 2020 (NIST SP 800-171 Revision 2).
Based on our experience, customers commonly weigh several ways an organization can secure unclassified data. This article explores three common approaches:
- On-Premises – Meaning an organization has either physical or virtual appliances that it manages within its own facilities onsite. This assumes all assets are on-prem and not connected to the cloud in any way. This is very difficult to achieve because most services call back to the cloud.
- Cloud-Based – Meaning an organization is leveraging a cloud environment to store unclassified information securely.
- Hybrid Approach – Meaning a combination of both on-premises (on-prem) and cloud-based environments.
The Cloud Shift and a Common Misconception
More DoD contractors are shifting to the cloud to help meet CMMC requirements. Cloud and hybrid environments typically present an opportunity for enterprise IT to provide additional services to end-users, enabling the business to grow its revenue. For instance, collaboration platforms like Microsoft Teams can allow users to chat externally, meet with customers to collaborate on files, or organize project teams into channels based on programs. In addition to expanding services, cloud environments can offer a scalable, cost-effective, and secure approach to managing CUI, depending on implementation. But here’s the catch: just moving to the cloud doesn’t eliminate your compliance responsibilities. Some contractors assume that using a third-party provider means their CMMC obligations are fully covered. CMMC compliance cannot be inherited. Security in the cloud is a shared responsibility, and the accountability doesn’t disappear when your data leaves your server room.
That’s why it’s critical to approach cloud adoption with both enthusiasm and caution. The benefits are real: scalability, flexibility, and innovation. But they must be matched with a robust security posture. DIB organizations must ensure they configure cloud environments correctly, monitor them continuously, and implement the proper controls to protect sensitive data. In short, the cloud is a powerful enabler, but only when paired with intentional, well-executed security strategies.
The Power of Shared Responsibility
FedRAMP-authorized cloud providers, like Microsoft, already have key security controls in place, along with continuous monitoring and other infrastructure that is aligned with NIST SP 800-171 Revision 2. This gives contractors a strong head start on compliance. It can reduce risk, streamline implementation, and speed up assessment readiness. More importantly, it helps sustain compliance after certification.
Remember: “cloud” doesn’t mean “covered”. Using a compliant cloud platform makes CMMC easier, but not automatic. Your organization is still responsible for implementing and maintaining many controls yourself.
To help companies understand how to configure their FedRAMP-authorized cloud service, two key tools come into play:
- Shared Responsibility Matrix (SRM): The big-picture guide that outlines how responsibilities are split between you and your providers, from infrastructure to applications and data. It’s a conceptual framework often published publicly or provided in documentation.
- Customer Responsibility Matrix (CRM): A detailed contract-specific document from your cloud provider (typically a FedRAMP-authorized one) that maps exactly who is responsible for each CMMC-related objective.
Think of the SRM as your strategy, and the CRM as the play-by-play plan.
Why the CRM Matters
As part of our business, we perform readiness and assessment work for CMMC. Through that work, we have found that many small and mid-sized contractors don’t review their CRM. It may be buried in vendor documents, overly technical, or simply overlooked. But skipping it can result in major compliance gaps.
CMMC includes 14 domains, 110 requirements, and a total of 320 objectives. Even in the cloud, you’re still accountable for meeting those. The CRM identifies which of those objectives you own and which are covered by your provider, based on the shared responsibility matrices of the technologies a company uses.
Within the CRM and SRM, there is typically a breakout of 3 roles: Customer, Cloud Service Provider, and External Service Provider (ESP). An ESP is any third party that delivers a service that affects the confidentiality, integrity, or availability of CUI. In the traditional sense, an ESP could be a managed IT services partner, outsourced security provider, managed print service, virtual desktop provider, and more. Any ESP that implements or uses a cloud service as part of its service delivery should be able to provide you with an SRM and CRM.
Below, you’ll find a snapshot example of an SRM (Figure 1) and a CRM (Figure 2) to help illustrate how responsibilities are typically divided. Please note that this is not a full version, but rather a simplified view.
Figure 1:
Figure 2:
FedRAMP, Microsoft, and CUI
Whenever cloud services are used, whether in a fully cloud-based or a hybrid environment, each cloud service must meet a specific requirement called FedRAMP. Recently, the DoD published a memo defining this requirement further. Based on that memo, there are two types of cloud environments contractors can leverage:
- FedRAMP Authorized: These have been assessed by a third-party assessment organization (3PAO) as meeting NIST 800-53 security requirements. They will be listed on the FedRAMP Marketplace as “authorized”.
- FedRAMP Equivalent: These have not gone through the FedRAMP authorization process completely, but a 3PAO has completed a FedRAMP assessment, a first step toward getting there. To meet the definition of FedRAMP Equivalent, the CSP must have multiple documents that form a “Body of Evidence” (BOE). This information will need to be made available to a company’s assessor when going through a CMMC assessment.
Microsoft offers two productivity and security FedRAMP-approved platforms for handling CUI:
- Microsoft 365 GCC: A strong option for handling basic CUI. Built on Azure Commercial, but it includes compliance certifications and restricted access, and it is isolated from the public version of Office 365 to help meet government needs. FedRAMP Package MSO365MT: Office 365 Multi-Tenant & Supporting Services | FedRAMP Marketplace
- Microsoft 365 GCC High: Supports compliance with requirements typically associated with CUI Specified, such as ITAR-controlled data. Built with enhanced safeguards and meets FedRAMP High requirements. FedRAMP Package FR1824057433: Microsoft Office 365 GCC High | FedRAMP Marketplace
Some contractors believe that using GCC or GCC High automatically makes them CMMC-compliant. Spoiler: it doesn’t. In addition, contractors often confuse the two, but the “High” is important. These are completely distinct and isolated clouds with no shared services between the two.
Breaking Down the CRM: Three Types of Controls
Too often, contractors assume their cloud provider, like Microsoft, or IT partner, also known as an ESP, has it all covered, but that’s not how shared responsibility works. The first step is to ensure that the cloud technology you use is FedRAMP authorized or equivalent. From there, the CRM comes into play. It categorizes responsibilities into three buckets:
- Common Controls: Shared responsibilities between you and your provider. Example: AC.L1-3.1.1a. Authorized users are identified. In the shared responsibility model, the organization is responsible for identifying users, while the ESP/CSP is responsible for providing backend support to ensure that those identified users have access.
- Inherited Controls: Fully managed by your provider. Example: SC.L2-3.13.11a. Federal Information Processing Standards (FIPS)-validated cryptography is employed to protect the confidentiality of CUI. One of the benefits of leveraging a Microsoft Government Cloud is that it supplies encryption for the organization.
- System-Specific Controls: Fully your responsibility. Example: IR.L2-3.6.3a. The incident response capability is tested. The organization is responsible for conducting an annual tabletop exercise. This can be completed by the organization’s internal teams or by engaging a third-party vendor for assistance. The ESP/CSP is not involved with this requirement for your organization.
What Contractors Must Still Own
No matter the technology, contractors are responsible for several ongoing tasks, including:
- Documentation reviews and updates
- User/group/roles reviews
- Inventory reviews
- Awareness & training
- Audit log reviews
- Risk assessments
- Security assessments
- Tabletop exercises
- System maintenance
- Properly identifying & labeling CUI
- Physical security requirements
- Monitoring
For example, you are responsible for ensuring users are trained on security risks and procedures. Partnering with an experienced ESP that is familiar with CMMC can help achieve this goal. However, the ESP’s internal training doesn’t count. Similarly, even if your ESP monitors security and event logs, you must ensure that monitoring is not only taking place but is also configured to be effective for the CMMC scope.
Don’t Overlook the SSP
One of the most common things contractors overlook is the System Security Plan (SSP). Contractors must develop their own SSP, but they must also review and understand the SSP of any technologies they use. The SSP is a foundational document for CMMC. It clearly outlines:
- What your environment looks like (aka scope)
- Who manages it
- Its security rating (what FedRAMP level it meets)
- Users and devices operating within the environment
- Network and data flow diagrams
When a contractor develops their own SSP, it must address all 320 CMMC objectives, not just the 110 control requirements. Many contractors build documentation that hits the 110 requirements, but CMMC assessors are looking for objective-level implementation details. If your documentation stops at the requirement level, you’ll come up short during a C3PAO audit for CMMC.
CMMC isn’t about what you plan to do. It’s about what you’ve done and what you can prove. If it’s not fully implemented and documented, it won’t count or pass a CMMC Level 2 assessment. Similarly, if you have an implementation documented in your SSP but you cannot demonstrate that the control is in place in accordance with the assessment methodology, you will not pass. The assessment methodology requires a C3PAO to examine, interview, and test each of the 320 objectives.
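As an added illustration (not part of the original article, and not any provider’s real CRM or SSP), the Python script below cross-checks a constructed CRM against a constructed SSP using the three buckets described earlier and objective ids in the article’s AC.L1-3.1.1a form. It flags customer-owned objectives the SSP leaves undocumented, and SSP entries written only at the requirement level, which is exactly the gap an assessor examining all 320 objectives would find.

```python
"""Objective-level cross-check of a CRM against an SSP (constructed sample data)."""
import re

# Matches ids like 'IR.L2-3.6.3a'; the trailing letter is the objective, absent = requirement only
OBJECTIVE_RE = re.compile(r"^([A-Z]{2})\.L([12])-(\d+\.\d+\.\d+)([a-z])?$")

def parse_objective(oid):
    """Split 'IR.L2-3.6.3a' into (domain, level, requirement id, objective letter or None)."""
    m = OBJECTIVE_RE.match(oid)
    if not m:
        raise ValueError(f"not a CMMC objective id: {oid}")
    domain, level, req, letter = m.groups()
    return domain, int(level), f"{domain}.L{level}-{req}", letter

# Constructed sample CRM rows: objective -> responsibility bucket (hypothetical values)
CRM = {
    "AC.L1-3.1.1a": "Common",
    "AC.L1-3.1.1b": "Common",
    "SC.L2-3.13.11a": "Inherited",
    "IR.L2-3.6.3a": "System-Specific",
}

# Constructed sample SSP statements, keyed the way a contractor might actually write them
SSP = {
    "AC.L1-3.1.1a": "Authorized users are identified via the onboarding ticket and directory group.",
    "SC.L2-3.13.11a": "Inherited from the FedRAMP-authorized cloud service per its CRM.",
    "IR.L2-3.6.3": "Incident response plan is reviewed annually.",  # requirement level only
}

def customer_owned(crm):
    """Objectives the contractor must implement itself (Common or System-Specific)."""
    return {o for o, bucket in crm.items() if bucket in ("Common", "System-Specific")}

def ssp_gaps(crm, ssp):
    """Report where the SSP falls short of objective-level coverage of the CRM."""
    owned = customer_owned(crm)
    # A statement keyed by requirement (no objective letter) does not cover its objectives
    requirement_level_only = sorted(k for k in ssp if parse_objective(k)[3] is None)
    missing = sorted(o for o in owned if o not in ssp)
    inherited_not_referenced = sorted(
        o for o, bucket in crm.items() if bucket == "Inherited" and o not in ssp
    )
    return {
        "missing": missing,
        "requirement_level_only": requirement_level_only,
        "inherited_not_referenced": inherited_not_referenced,
    }

if __name__ == "__main__":
    for kind, ids in ssp_gaps(CRM, SSP).items():
        print(f"{kind}: {ids}")
```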
The Role of ESPs
Many contractors rely on ESPs to help set up cloud environments and manage security. For instance, a contractor might use an ESP to help configure, manage, or migrate data to a GCC High environment. But if the contractor doesn’t understand the documentation the ESP creates, or doesn’t take ownership of it, they risk failing their certification assessment.
Your ESP is your co-pilot (no pun intended, Microsoft friends), not your proxy. They can guide you, build documentation, and run scans, but you still need to own the process.
ESPs offer managed compliance packages that help guide clients through the full lifecycle of certification and recertification. They lead quarterly board reviews and tabletop exercises, and they schedule the required annual activities. But even then, contractors seeking CMMC certification must still participate in those activities. You have to show up and do the work.
Taking Responsibility Is Not Optional
Today, only 168 organizations are fully CMMC Level 2 certified, and many will struggle to pass recertification. Why? Because they didn’t stay on top of their responsibilities. Some used an ESP to help set up their environment, but didn’t operationalize it, and later expanded their scope without updating controls or documentation.
The good news? If you’re reading this, there’s still time to get it right.
The most successful contractors aren’t waiting for the DoD to force their hand. They understand that CMMC isn’t a one-and-done project. It’s an ongoing effort. As more contracts come with CMMC requirements built in, the pressure will only increase.
Soon, when you go to bid on a new contract, the first question will be:
- Are you CMMC certified?
If your answer is no, the next question will be:
- Are you working with a C3PAO, and when do you expect to be certified?
If you don’t have a clear answer, you may lose the opportunity. It’s that simple.
Need Help?
Redspin is an experienced Authorized C3PAO in the CMMC ecosystem and a trusted MSP offering:
- CMMC readiness and consulting
- Managed cloud services
- C3PAO, mock, and gap assessments
- Managed Compliance services
- Training for you and your team
All designed to guide DoD contractors through the full CMMC lifecycle. Whether you’re planning your cloud migration, tightening documentation, preparing for a Level 2 assessment, or managing compliance between certifications, we’re here to help. We’ll work with you to understand your shared responsibilities, configure your environment, and get you assessment-ready with confidence.
5 quick takeaways to get you started:
- Using GCC or GCC High does not make you automatically CMMC Compliant. You’re still responsible for properly implementing and documenting the required controls.
- CMMC Compliance can’t be 100% inherited. Even in the cloud, you must own your responsibilities.
- FedRAMP (or FedRAMP Equivalency) is essential. Confirm that your cloud provider and your ESPs meet the standard.
- Your SSP must reflect your actual environment. Address all 320 objectives, not just the 110 high-level requirements or high-scoring point values.
- Ongoing security operations remain your job. Training, monitoring, conducting tabletop exercises, and reviewing documentation remain your responsibility.
Contact us to learn more about how we support your CMMC journey.
Additional resources:
- Support for FedRAMP in Microsoft 365 Government (GCC High) | Microsoft Community Hub
- Ecosystem Roles
- CMMC Terminology
About the Author
Robert Teague is a Lead CMMC Certified Assessor (CCA) and CMMC Certified Professional (CCP) with over 30 years of operational and strategic leadership experience in IT and cybersecurity operations in the U.S. Army.
As a CMMC Advisor and Lead CCA at Redspin, a Microsoft partner and Authorized C3PAO, Robert helps defense contractors prepare for and achieve CMMC certification—enabling them to win and maintain Department of Defense contracts. His deep expertise ensures organizations are well-positioned for both compliance and long-term cybersecurity resilience.
Disclaimer: The information in this blog is provided for general informational purposes only and does not constitute legal advice, compliance advice, or any other professional counsel. Organizations should consult with their own legal, compliance, or cybersecurity advisors to determine how these concepts apply to their specific circumstances and regulatory obligations.
This article was authored by Robert Teague of Redspin, a Microsoft partner and Authorized C3PAO. The content reflects the author’s expertise and perspective and does not represent official Microsoft guidance.