TroutTrout
TroutTrout
Language||
Request a Demo
Back to Glossary
CMMC shared responsibility matrixCMMC complianceNIST 800-171OT security

CMMC Shared Responsibility Matrix

2 min read

CMMC shared responsibility matrix (SRM) is a document that maps every NIST 800-171 control required for CMMC Level 2 certification to the party responsible for enforcing it. For on-premise environments using a network security appliance, the SRM typically divides 110 controls into three categories: controls enforced by the security tool at the network layer, controls the customer must own through organizational processes, and controls addressed through compensating controls for OT assets that cannot comply natively.

Purpose

The SRM serves as the evidence roadmap for a C3PAO assessment. It tells the assessor which controls have technical enforcement (with logs, policy configs, and segmentation baselines as evidence) and which are documented through the customer's organizational processes (physical security, personnel screening, media handling).

Structure

A typical SRM organizes controls by NIST 800-171 control family:

  • Access Control (AC): 22 controls covering identity verification, role-based access, and least privilege
  • Audit and Accountability (AU): 9 controls covering session logging and event monitoring
  • Configuration Management (CM): 9 controls covering baseline configurations and change tracking
  • Identification and Authentication (IA): 11 controls covering MFA and credential management
  • System and Communications Protection (SC): 16 controls covering encryption, segmentation, and deny-by-default
  • Incident Response (IR): 3 controls covering detection and response
  • Physical Protection (PE): 5 controls (typically customer-owned)
  • Personnel Security (PS): 2 controls (typically customer-owned)
  • Media Protection (MP): 9 controls (typically customer-owned)
  • Risk Assessment (RA): 3 controls (mixed, with vulnerability scanning often documented as NA for OT)

OT Considerations

For environments with PLCs, CNCs, HMIs, and legacy OT equipment, the SRM must account for assets that invoke the CMMC enduring exception. These assets require documented compensating controls for specific controls they cannot meet natively, such as multi-factor authentication (IA 3.5.3), audit logging (AU 3.3.1), and encryption in transit (SC 3.13.8).

Related Terms

  • CMMC — The certification framework requiring the SRM
  • CMMC Level 2 — The certification level requiring all 110 NIST 800-171 controls
  • CMMC Enduring Exception — The mechanism for OT assets that cannot comply natively
  • NIST SP 800-171 — The underlying control framework

Other Terms

Air-gapped networkPhysical isolation

Air-gapped Network

An air-gapped network is a network that is physically isolated from the public internet and all external networks, with no wired or wireless connectivity path between the isolated environment and outside systems.

CMMC enduring exceptionCMMC compliance

CMMC Enduring Exception

A CMMC enduring exception is a documented acknowledgment that a specific asset cannot natively implement a required security control due to hardware or firmware limitations, requiring a compensating control to mitigate the residual risk.

CUI enclaveCMMC compliance

CUI Enclave

A CUI enclave is an isolated network segment that contains all systems storing, processing, or transmitting Controlled Unclassified Information, enforced through identity-based access controls rather than simple network separation.

News & Insights

Resources & Insights.

Securing Modbus whitepaper
WhitepaperWhitepaper

Securing Modbus in Modern Industrial Environments

Zero Trust OT webinar
WebinarWebinar

Zero Trust for OT Networks

OT network architecture diagram
ArchitectureGuide

Reference Architectures for OT Security

All articles

Have a question? Ask Trout AI.

Get instant answers about our products, pricing, compliance coverage, and deployment options.