
Customer Responsibility Matrix For CMMC


Hi, I'm John Hill, CEO of TechSage Solutions, coming to you from our Strategic Planning deck. Today, we're diving into a crucial challenge for organizations preparing for CMMC Level 2 compliance—what to do when your cybersecurity tools aren't FedRAMP Moderate authorized.

The Problem

Many essential cybersecurity tools, such as RMMs (remote monitoring and management platforms), endpoint security products, and logging systems, aren't FedRAMP Moderate authorized. But ripping out your infrastructure isn't practical.

The Solution

The good news? You can still achieve compliance using these tools, provided they're classified correctly as Security Protection Assets (SPAs). SPAs are tools that support security but do not process, store, or transmit Controlled Unclassified Information (CUI).

The Catch

To classify tools as SPAs, you must have a Customer Responsibility Matrix (CRM) from the vendor. Unfortunately, most vendors don't offer one, and that's a major hurdle. We've been working hard to convince vendors that providing a CRM opens the door to serving the 80,000 businesses in the Defense Industrial Base.

What to Do

1. Identify your SPAs in your System Security Plan (SSP).

2. Attach the CRM to show shared responsibilities.

3. Document how you logically and physically separate these tools from CUI.

4. Be ready to explain your reasoning to CMMC assessors confidently.

Need Help?

Want to talk compliance or cybersecurity strategy? Schedule a free consultation at www.techsagesolutions.com.

Thanks for tuning in to "Thoughts from the Deck." If you found this video helpful, don't forget to like, share, and subscribe.