Shared Responsibility Matrix

What your cloud covers. What's still on you. Mapped.

All 110 NIST 800-171 controls across the four FedRAMP-authorized clouds — M365 GCC High, Azure Government, AWS GovCloud, GCP Assured Workloads. Filter by your platform, see who handles what, lift the wording straight into your SSP. No email. No gate.

Cyber AB Registered Practitioner (in process) · UK government-cleared engineering team · Last verified 17 April 2026 · CMMC Phase 2 enforcement begins 10 November 2026

110 NIST 800-171 requirements · 320 assessment objectives · 4 FedRAMP cloud platforms covered · 1 control that GCC High fully inherits

The math, control by control

"We're on GCC High, so we're mostly covered."

— first call, every week

It's the most common misread of CMMC. A FedRAMP-authorised cloud gives you the right foundation, but the controls themselves are still split between the platform, your service providers, and you. Even on the most mature platform, you own most of the work. Here's the actual split, control by control, for the four FedRAMP clouds DIB contractors actually run on.

Per-platform breakdown · 110 controls

On every FedRAMP cloud, more than a hundred of the 110 controls still need configuration, evidence, or your direct ownership.

Legend:
Inherited — platform handles end-to-end
Shared — platform provides, you configure
Customer — fully on you
N/A — scope or carve-out
M365 GCC High (Microsoft FedRAMP High): 1 inherited · 78 shared · 109 on you
Azure Government (Microsoft FedRAMP High): 72 shared · 35 customer · 110 on you
AWS GovCloud (Amazon FedRAMP High): 71 shared · 36 customer · 110 on you
GCP Assured Workloads (Google FedRAMP High): 68 shared · 39 customer · 110 on you

"On you" counts every control that is not inherited, N/A included, because an N/A still has to be justified in your SSP. That is why the three IaaS platforms come to 110 and GCC High, with its single inherited control, to 109.

What "inherited" means here. A control is inherited only when the platform handles it end-to-end — no customer configuration, no evidence to produce. On M365 GCC High, that's one control: SC.L2-3.13.4, where Microsoft's FedRAMP High authorisation handles tenant isolation and object-reuse protection at the platform layer. Microsoft's own placemat shows broader "inherited" coverage, but most of those controls still require you to configure, document, and evidence them. We've used the stricter definition because that's what the C3PAO will use.

How to read the matrix

Four labels. Each one tells you who has to prove it.

Every requirement gets one of these four labels for the platform you've picked. No overlap, no ambiguity. Same vocabulary your provider's CRM uses, same vocabulary the assessor will recognize.

Inherited

The platform handles it completely. Your role is to state the inheritance in your SSP and cite the inheritance source (the provider's CRM or FedRAMP package).

Strict definition · End-to-end

Shared

The platform supplies the capability. You configure it for your environment, evidence it, and own the policy that wraps it.

Most common · You still work it

Customer

You build and operate it. The platform doesn't help. This is where most of your evidence collection and budget lands.

Where the cost lives

N/A

The control doesn't apply to your environment because of a legacy carve-out, scope decision, or platform equivalent. State the reason in your SSP.

Document the why
The matrix

Pick a platform. Filter by status. See what's on you.

Sourced from FedRAMP packages and provider CRMs · Last verified 17 April 2026 · Updated for CMMC Phase 2 enforcement

Showing: M365 GCC High, all statuses, 110 controls across 14 control families.
3.1.1 Shared
Requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
What M365 GCC High provides: Entra ID + Conditional Access enforce identity and device trust.
What you do: Define access policies. Document in SSP §3.1.1. Evidence the Conditional Access rules.
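The "evidence the Conditional Access rules" step above is where assessors most often find gaps: a policy that is report-only, a grant control joined with OR so the device check is optional, or an exclusion nobody documented. The script below is an added example, not the page's own collection script, and checks an exported policy set for exactly those conditions. It assumes the field names of the Microsoft Graph conditionalAccessPolicy resource (the JSON you get from GET /identity/conditionalAccess/policies, or from Get-MgIdentityConditionalAccessPolicy piped through ConvertTo-Json -Depth 10); the sample export and the BREAK_GLASS account IDs are constructed for the example and hypothetical. The same export doubles as the MFA evidence for 3.5.3.

```python
"""Check an exported Entra Conditional Access policy set for 3.1.1 / 3.5.3 evidence points.

Added example, not the page's collection script. Field names follow the Graph
conditionalAccessPolicy resource; the sample export below is constructed by hand
to exercise the checks, and BREAK_GLASS is an assumed, hypothetical list.
"""
import json

# Constructed sample export: CA001 is a real all-users MFA policy, CA002 is only
# report-only, and CA003 uses OR so the device control is never actually required.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["8f1c0a7e-0000-4000-8000-000000000001"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002 - Require compliant device (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "CA003 - MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["2c4d6e8f-0000-4000-8000-000000000002"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
])

# Assumed: object IDs of the emergency-access accounts documented in your SSP.
BREAK_GLASS = {"8f1c0a7e-0000-4000-8000-000000000001"}


def covers_everyone(policy):
    """True when the policy is scoped to all users and all cloud apps."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def requires(policy, control):
    """True when every sign-in matched by the policy must satisfy `control`.

    With operator OR a control is only mandatory if it is the sole control listed:
    "mfa OR compliantDevice" admits an unmanaged device on MFA alone.
    """
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if control not in controls:
        return False
    return grant.get("operator") == "AND" or len(controls) == 1


def assess(export_json, break_glass):
    """Return the evidence findings for a Conditional Access export."""
    policies = json.loads(export_json)
    enforced = [p for p in policies if p.get("state") == "enabled"]
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"]

    def enforced_for_all(control):
        return [p["displayName"] for p in enforced
                if covers_everyone(p) and requires(p, control)]

    # Any excluded account that is not a documented break-glass account is a finding.
    undocumented = []
    for p in enforced:
        excluded = p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        for uid in excluded:
            if uid not in break_glass:
                undocumented.append((p["displayName"], uid))

    return {
        "mfa_all_users": enforced_for_all("mfa"),                           # 3.5.3
        "compliant_device_all_users": enforced_for_all("compliantDevice"),  # 3.1.1 device trust
        "report_only_policies": report_only,   # shows as "on" in the portal, enforces nothing
        "undocumented_exclusions": undocumented,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EXPORT, BREAK_GLASS), indent=2))
```

Run against a real export, an empty compliant_device_all_users list with a populated report_only_policies list is the classic GCC High finding: the device policy was built, never switched from report-only, and the SSP already claims it. Attach the script output next to the policy export itself; the assessor wants both the raw artefact and your reading of it.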
3.1.2 Shared
Requirement: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
What M365 GCC High provides: RBAC + PIM enforce role and just-in-time access.
What you do: Assign roles. Document role definitions. Evidence PIM approvals.
3.1.3 Shared
Requirement: Control the flow of CUI in accordance with approved authorizations.
What M365 GCC High provides: Purview DLP is available; the policies are yours to build.
What you do: Author DLP rules per CUI category. Document flow controls. Test quarterly.
3.1.4 Shared
Requirement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What M365 GCC High provides: Custom roles + Access Reviews support separation of duties.
What you do: Design the role matrix. Review quarterly. Document in SSP §3.1.4.
3.1.5 Shared
Requirement: Employ the principle of least privilege, including for specific security functions and privileged accounts.
What M365 GCC High provides: PIM + Access Reviews restrict standing privileged access.
What you do: Define privileged role definitions. Enforce the access review cadence.
3.1.6 Shared
Requirement: Use non-privileged accounts or roles when accessing nonsecurity functions.
What M365 GCC High provides: Separate admin and user accounts are supported natively.
What you do: Enforce admin account separation. Evidence via directory review.
3.1.7 Shared
Requirement: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
What M365 GCC High provides: Platform enforces the non-privileged constraint at the identity layer and records privileged operations in the audit log.
What you do: Confirm the role configuration and audit logging. Evidence via audit report.
3.1.8 Shared
Requirement: Limit unsuccessful logon attempts.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.9 Shared
Requirement: Provide privacy and security notices consistent with applicable CUI rules.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.10 Shared
Requirement: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.11 Shared
Requirement: Terminate (automatically) a user session after a defined condition.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.12 Shared
Requirement: Monitor and control remote access sessions.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.13 Shared
Requirement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.1.14 Shared
Requirement: Route remote access via managed access control points.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.15 Shared
Requirement: Authorize remote execution of privileged commands and remote access to security-relevant information.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.1.16 Customer
Requirement: Authorize wireless access prior to allowing such connections.
What M365 GCC High provides: Nothing; cloud platforms do not provide WiFi.
What you do: Wireless access authorisation lives in your own office infrastructure (APs, controllers).
3.1.17 Customer
Requirement: Protect wireless access using authentication and encryption.
What M365 GCC High provides: Nothing; cloud platforms do not provide WiFi.
What you do: Configure wireless encryption and authentication on your own APs.
3.1.18 Shared
Requirement: Control connection of mobile devices.
What M365 GCC High provides: Intune MDM/MAM provides mobile device compliance controls.
What you do: Configure compliance policies and enrolment.
3.1.19 Shared
Requirement: Encrypt CUI on mobile devices and mobile computing platforms.
What M365 GCC High provides: Intune enforces device encryption policy for enrolled mobile devices.
What you do: Configure the policy.
3.1.20 Shared
Requirement: Verify and control/limit connections to and use of external systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.1.21 Customer
Requirement: Limit use of portable storage devices on external systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.1.22 Shared
Requirement: Control CUI posted or processed on publicly accessible systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.2.1 Customer
Requirement: Ensure managers, administrators, and users are aware of security risks and the applicable policies, standards, and procedures.
What M365 GCC High provides: Attack Simulation Training and Viva Learning, as optional delivery platforms only.
What you do: The training programme itself (content, assignment, tracking, completion records, CUI-specific and insider threat modules) is entirely your responsibility, per Secureframe CMMC Shared Responsibility Model guidance.
3.2.2 Customer
Requirement: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
What M365 GCC High provides: Attack Simulation Training and Viva Learning, as optional delivery platforms only.
What you do: The training programme itself (content, assignment, tracking, completion records, CUI-specific and insider threat modules) is entirely your responsibility, per Secureframe CMMC Shared Responsibility Model guidance.
3.2.3 Customer
Requirement: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
What M365 GCC High provides: Attack Simulation Training and Viva Learning, as optional delivery platforms only.
What you do: The training programme itself (content, assignment, tracking, completion records, CUI-specific and insider threat modules) is entirely your responsibility, per Secureframe CMMC Shared Responsibility Model guidance.
3.3.1 Shared
Requirement: Create and retain system audit logs and records needed to monitor, analyze, investigate, and report unlawful or unauthorized system activity.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.3.2 Shared
Requirement: Ensure the actions of individual system users can be uniquely traced so they can be held accountable for their actions.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.3.3 Shared
Requirement: Review and update logged events.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.3.4 Shared
Requirement: Alert in the event of an audit logging process failure.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.3.5 Shared
Requirement: Correlate audit record review, analysis, and reporting processes for investigation and response to unlawful, unauthorized, suspicious, or unusual activity.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.3.6 Shared
Requirement: Provide audit record reduction and report generation to support on-demand analysis and reporting.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.3.7 Shared
Requirement: Synchronize internal system clocks with an authoritative source to generate time stamps for audit records.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.3.8 Shared
Requirement: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.3.9 Shared
Requirement: Limit management of audit logging functionality to a subset of privileged users.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.1 Shared
Requirement: Establish and maintain baseline configurations and inventories of organizational systems (hardware, software, firmware, documentation) throughout the system development life cycle.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.2 Shared
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.3 Shared
Requirement: Track, review, approve or disapprove, and log changes to organizational systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.4 Shared
Requirement: Analyze the security impact of changes prior to implementation.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.5 Shared
Requirement: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.6 Shared
Requirement: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.4.7 Shared
Requirement: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.8 Shared
Requirement: Apply deny-by-exception (blacklisting) to block unauthorized software, or deny-all permit-by-exception (whitelisting) to allow only authorized software.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.4.9 Shared
Requirement: Control and monitor user-installed software.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.1 Shared
Requirement: Identify system users, processes acting on behalf of users, and devices.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.2 Shared
Requirement: Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to organizational systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.3 Shared
Requirement: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.4 Shared
Requirement: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.5.5 Shared
Requirement: Prevent reuse of identifiers for a defined period.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.5.6 Shared
Requirement: Disable identifiers after a defined period of inactivity.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.5.7 Shared
Requirement: Enforce a minimum password complexity and change of characters when new passwords are created.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.8 Shared
Requirement: Prohibit password reuse for a specified number of generations.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.9 Shared
Requirement: Allow temporary password use for system logons with an immediate change to a permanent password.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.10 Shared
Requirement: Store and transmit only cryptographically-protected passwords.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.5.11 Shared
Requirement: Obscure feedback of authentication information.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.6.1 Shared
Requirement: Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.6.2 Customer
Requirement: Track, document, and report incidents to designated officials and authorities both internal and external to the organization.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.6.3 Shared
Requirement: Test the organizational incident response capability.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.7.1 Customer
Requirement: Perform maintenance on organizational systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.7.2 Customer
Requirement: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.7.3 N/A
Requirement: Ensure equipment removed for off-site maintenance is sanitized of any CUI.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: N/A only if (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (the standard GCC High deployment without VDI), 3.7.3, 3.7.4 and 3.7.6 apply and are your responsibility: sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel.
3.7.4 N/A
Requirement: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: N/A only if (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (the standard GCC High deployment without VDI), 3.7.3, 3.7.4 and 3.7.6 apply and are your responsibility: sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel.
3.7.5 Customer
Requirement: Require multifactor authentication for nonlocal maintenance sessions and terminate such connections when maintenance is complete.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.7.6 N/A
Requirement: Supervise the maintenance activities of maintenance personnel without required access authorization.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: N/A only if (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (the standard GCC High deployment without VDI), 3.7.3, 3.7.4 and 3.7.6 apply and are your responsibility: sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel.
3.8.1 Shared
Requirement: Protect (physically control and securely store) system media containing CUI, both paper and digital.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.8.2 Shared
Requirement: Limit access to CUI on system media to authorized users.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.8.3 Customer
Requirement: Sanitize or destroy system media containing CUI before disposal or release for reuse.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.8.4 Customer
Requirement: Mark media with necessary CUI markings and distribution limitations.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.8.5 Customer
Requirement: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.8.6 Shared
Requirement: Implement cryptographic mechanisms to protect the confidentiality of CUI on digital media during transport, unless otherwise protected by alternative physical safeguards.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.8.7 Customer
Requirement: Control the use of removable media on system components.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.8.8 Customer
Requirement: Prohibit the use of portable storage devices when such devices have no identifiable owner.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.8.9 Shared
Requirement: Protect the confidentiality of backup CUI at storage locations.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.9.1 Customer
Requirement: Screen individuals prior to authorizing access to organizational systems containing CUI.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.9.2 Customer
Requirement: Ensure organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.1 Customer
Requirement: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.2 Customer
Requirement: Protect and monitor the physical facility and support infrastructure for organizational systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.3 Customer
Requirement: Escort visitors and monitor visitor activity.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.4 Customer
Requirement: Maintain audit logs of physical access.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.5 Customer
Requirement: Control and manage physical access devices.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.10.6 Customer
Requirement: Enforce safeguarding measures for CUI at alternate work sites.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.11.1 Shared
Requirement: Periodically assess risk to organizational operations, assets, and individuals arising from the operation of systems that process, store, or transmit CUI.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.11.2 Shared
Requirement: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting them are identified.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.11.3 Shared
Requirement: Remediate vulnerabilities in accordance with risk assessments.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.12.1 Customer
Requirement: Periodically assess the security controls in organizational systems to determine whether the controls are effective in their application.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.12.2 Customer
Requirement: Develop and implement plans of action to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.12.3 Customer
Requirement: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.12.4 Customer
Requirement: Develop, document, and periodically update system security plans covering system boundaries, environments, how security requirements are implemented, and connections to other systems.
What M365 GCC High provides: Nothing; the cloud platform has no role.
What you do: Interview-based control: your policy, procedure and governance.
3.13.1 Shared
Requirement: Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of organizational systems.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.13.2 Shared
Requirement: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.13.3 Shared
Requirement: Separate user functionality from system management functionality.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.13.4 Inherited
Requirement: Prevent unauthorized and unintended information transfer via shared system resources.
What M365 GCC High provides: M365 SaaS tenant isolation and object-reuse controls are handled entirely under Microsoft's FedRAMP High authorization.
What you do: Nothing to configure at tenant level. State the inheritance in your SSP and cite the source.
3.13.5 Shared
Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.13.6 Shared
Requirement: Deny network communications traffic by default and allow network communications traffic by exception (deny all, permit by exception).
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.13.7 Shared
Requirement: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via other connections to external networks (split tunneling).
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.13.8 Shared
Requirement: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.13.9 Shared
Requirement: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
What M365 GCC High provides: CSP provides the capability; an evidence collection script covers the technical check for this platform.
What you do: Configure the setting. Evidence the policy and its review.
3.13.10 Shared
Requirement: Establish and manage cryptographic keys for cryptography employed in organizational systems.
What M365 GCC High provides: Cloud platform provides the technical capability.
What you do: Configure the policy/setting and monitor enforcement. (Status inferred from the platform's FedRAMP authorization and the documented Phase 2 shared-responsibility model.)
3.13.11 Shared
RequirementEmploy FIPS-validated cryptography when used to protect the confidentiality of CUI.
What M365 GCC High providesCloud platform provides the technical capability;
What you doCustomer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model.
3.13.12 Shared
RequirementProhibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
What M365 GCC High providesTeams/Intune policies control collaborative-computing device behaviour (webcam/mic activation, meeting recording).
What you doCustomer configures the policies.
3.13.13 Shared
RequirementControl and monitor the use of mobile code.
What M365 GCC High providesDefender for Office 365 and Defender for Endpoint filter mobile code (ActiveX, macros, scripts).
What you doCustomer configures policies.
3.13.14 Shared
RequirementControl and monitor the use of Voice over Internet Protocol (VoIP) technologies.
What M365 GCC High providesMicrosoft Teams is VoIP; admin controls log/restrict call routing, recording, guest access.
What you doCustomer configures policies.
3.13.15 Shared
RequirementProtect the authenticity of communications sessions.
What M365 GCC High providesCloud platform provides the technical capability;
What you doCustomer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model.
3.13.16 Shared
RequirementProtect the confidentiality of CUI at rest.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
3.14.1 Shared
RequirementIdentify, report, and correct system flaws in a timely manner.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
3.14.2 Shared
RequirementProvide protection from malicious code at designated locations within organizational systems.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
3.14.3 Customer
RequirementMonitor system security alerts and advisories and take action in response.
What M365 GCC High provides
What you doInterview-based control: customer policy/procedure/governance. Cloud platform has no role.
3.14.4 Shared
RequirementUpdate malicious code protection mechanisms when new releases are available.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
3.14.5 Shared
RequirementPerform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
What M365 GCC High providesCloud platform provides the technical capability;
What you doCustomer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model.
3.14.6 Shared
RequirementMonitor organizational systems — including inbound and outbound communications traffic — to detect attacks and indicators of potential attacks.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
3.14.7 Shared
RequirementIdentify unauthorized use of organizational systems.
What M365 GCC High providesCollection script covers the technical check for this platform. CSP provides the capability;
What you doCustomer configures and evidences policy/review.
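For the "Shared" rows above, "customer configures and evidences" means a technical check against the live tenant, not a policy statement. The added example below (not the page's collection script, and not Microsoft tooling) shows what such a check looks like for 3.13.9 on M365 GCC High: it reads an export of Conditional Access policies and decides whether an enforced, tenant-wide sign-in frequency sits within your organisation-defined period. It assumes the export has the shape of the Microsoft Graph conditionalAccessPolicy resource (the `state`, `conditions`, and `sessionControls.signInFrequency` fields as returned by the conditionalAccess/policies collection; graph.microsoft.us is the GCC High endpoint). The three sample policies are constructed, and the 24-hour limit is a hypothetical organisation-defined value. Two failure modes that catch people are handled: a policy in report-only state (`enabledForReportingButNotEnforced`) produces no enforcement and is not evidence, and a strict policy scoped to one group does not cover the tenant.

```python
"""Check exported Conditional Access policies against SC.L2-3.13.9 (session termination).

Added example, not the page's collection script. Assumes the export has the shape of the
Microsoft Graph conditionalAccessPolicy resource (state, conditions.users,
conditions.applications, sessionControls.signInFrequency). Sample policies are constructed.
"""
from __future__ import annotations

import json

# Hypothetical organisation-defined re-authentication limit; the value you state in
# your SSP is the one the assessor holds you to.
MAX_REAUTH_HOURS = 24.0

# Constructed sample export (three policies); not real tenant data.
SAMPLE_EXPORT = json.dumps({"value": [
    {   # Correct settings, but report-only: enforces nothing, so not evidence
        "displayName": "CA-SIF-AllUsers",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"]},
                       "applications": {"includeApplications": ["All"]}},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours",
                                                "value": 12, "frequencyInterval": "timeBased"}},
    },
    {   # Enforced and strict, but scoped to one group, so not tenant-wide
        "displayName": "CA-SIF-Admins",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-privileged"]},
                       "applications": {"includeApplications": ["All"]}},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours",
                                                "value": 1, "frequencyInterval": "timeBased"}},
    },
    {   # Enforced and tenant-wide, but 90 days exceeds the defined period
        "displayName": "CA-SIF-Everyone",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days",
                                                "value": 90, "frequencyInterval": "timeBased"}},
    },
]})


def frequency_hours(sif: dict | None) -> float | None:
    """Sign-in frequency in hours; None when the session control is absent or switched off."""
    if not sif or not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0.0  # re-authenticate on every sign-in
    value = sif.get("value")
    if value is None:
        return None
    return float(value) * (24.0 if sif.get("type") == "days" else 1.0)


def is_tenant_wide(policy: dict) -> bool:
    """True when the policy targets all users and all cloud apps (exclusions are reported, not fatal)."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def evaluate_3_13_9(export_json: str, max_hours: float = MAX_REAUTH_HOURS) -> dict:
    """Classify every policy; the objective is met only by an enforced, tenant-wide policy within the limit."""
    findings = []
    objective_met = False
    for p in json.loads(export_json)["value"]:
        sif = (p.get("sessionControls") or {}).get("signInFrequency")
        hours = frequency_hours(sif)
        tenant_wide = is_tenant_wide(p)
        users = p.get("conditions", {}).get("users", {})
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if hours is None:
            status = "no sign-in frequency"
        elif p.get("state") != "enabled":
            status = "not enforced"            # disabled or report-only
        elif hours > max_hours:
            status = "exceeds defined period"
        else:
            status = "enforced"
            objective_met = objective_met or tenant_wide
        findings.append({"policy": p.get("displayName"), "status": status, "hours": hours,
                         "tenant_wide": tenant_wide, "exclusions": excluded})
    return {"objective_met": objective_met, "policies": findings}


if __name__ == "__main__":
    print(json.dumps(evaluate_3_13_9(SAMPLE_EXPORT), indent=2))
```

On the constructed sample the objective is not met: the one tenant-wide policy with an acceptable interval is report-only, the strict one covers only privileged users, and the enforced tenant-wide one allows 90 days. Exclusions are listed rather than failed because break-glass accounts are normally excluded from Conditional Access and documented as such; the reviewer still has to confirm each exclusion is on that list. Sign-in frequency covers the periodic re-authentication half of 3.13.9; the inactivity half on M365 web apps is the separate idle session timeout setting, so this check is evidence for one assessment objective, not the whole control.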
What your assessor actually asks for

SRM is the framework. CRM is what your assessor will ask for.

Most CMMC content blurs these two. The distinction matters because 32 CFR 170.19(c)(2)(ii) names the CRM specifically — and it's the artifact a C3PAO will expect on assessment day. The SRM is upstream of that. Knowing which one you have, and which one you still need to produce, is the difference between a clean assessment and a finding.

SRM

Shared Responsibility Matrix

The strategic framework. Maps how responsibility for each control splits between the cloud provider, any external service providers, and you — usually collaboratively developed across all parties.

Useful for internal scoping, vendor selection, and contracting discussions. Not, on its own, sufficient for a CMMC assessment — assessors will ask for the customer-specific document next.

What this page provides
CRM

Customer Responsibility Matrix

The contract-specific document. Authored by each external service provider, identifying exactly which responsibilities the customer must fulfil for the service to support compliance. One CRM per ESP, ESP-authored, customer-validated.

This is what a C3PAO opens first. Required by 32 CFR 170.19(c)(2)(ii) for any service used to satisfy a NIST SP 800-171 control. If you use Microsoft 365 GCC High, you need Microsoft's CRM. If you also use an MSP, you need theirs too.

Required for assessment
From matrix to CRM

We configure the controls and write the CRM. Inside your tenant.

For contractors who'd rather not work through 320 assessment objectives themselves — configuring each customer-side control across the cloud platform, the MSP stack, every ESP — and then write the CRM that proves it. We do both ends.

What you get back: customer-side controls actually configured in your tenant, plus a CRM mapped per assessment objective for every external service in your boundary. SSP language. Evidence pointers tied to live configurations. Fixed fee. Your CUI never leaves your environment.

Talk about your CRM
01 · Map

Walk your boundary. List every ESP.

One-hour scoping call. We list every service that touches CUI — cloud platform, MSP, email, file share, EDR, SIEM. Nothing gets forgotten.

02 · Configure

Pull provider CRMs. Configure customer-side controls.

We retrieve each ESP's CRM — Microsoft, AWS, your MSP — and reconcile against the 320 assessment objectives. Then we configure the customer-side controls in your tenant: Conditional Access, audit, DLP, identity, the rest. Evidence captured as it lands.

03 · Document

Hand back a single CRM. Assessor-ready.

One document, mapped per assessment objective, with SSP language and evidence pointers. Lift the language into your System Security Plan. Your C3PAO opens it and starts checking, not asking.
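The reconciliation in step 02 (and the four-CRM case in Q02 below) is a merge: every ESP's CRM contributes rows for some controls, and you need one net answer per control plus a list of what nobody has claimed. The added example below is illustrative code, not Ancitus tooling or any vendor's CRM format. It assumes each CRM has been flattened to a row of control, ESP, responsibility, and remaining customer action (real vendor spreadsheets have their own columns that you map onto this shape); the CSV rows and the seven-control scope are constructed. It applies the page's strict definition of inherited, so an "Inherited" row that still lists a customer action nets out as Shared, and it flags the two things an assessor will find first: a control no CRM covers, and two ESPs disagreeing about the same control.

```python
"""Reconcile several ESP Customer Responsibility Matrices into one per-control ownership view.

Added example, not Ancitus tooling. The row shape (control, esp, responsibility, customer_action)
is an assumption; map each vendor's spreadsheet columns onto it. CSV rows are constructed.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict

# Vocabulary matching the page's four labels.
INHERITED, SHARED, CUSTOMER, NA = "Inherited", "Shared", "Customer", "N/A"

# Constructed CRM extracts from four ESPs plus one customer-owned row; not real vendor data.
CRM_CSV = """control,esp,responsibility,customer_action
3.13.4,M365 GCC High,Inherited,
3.13.8,M365 GCC High,Shared,Enforce TLS 1.2+ and document alternative safeguards
3.13.8,MSP,Shared,Confirm MSP remote-management tooling uses TLS 1.2+
3.13.9,M365 GCC High,Shared,Configure sign-in frequency and idle session timeout
3.14.2,EDR vendor,Shared,Deploy agent to all CUI endpoints; define scan exclusions
3.14.2,MSP,Inherited,
3.14.6,SIEM provider,Shared,Define alert rules and review cadence
3.12.4,,Customer,Write and maintain the SSP
"""

# Hypothetical subset of the 110 controls, to keep the example short.
SCOPE = ["3.12.4", "3.13.4", "3.13.8", "3.13.9", "3.14.2", "3.14.3", "3.14.6"]


def load_rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(rows: list[dict], scope: list[str]) -> dict[str, dict]:
    """Merge all ESP rows for each in-scope control into one ownership record."""
    by_control: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_control[r["control"].strip()].append(r)

    result = {}
    for cid in scope:
        entries = by_control.get(cid, [])
        claims = {e["responsibility"].strip() for e in entries}
        actions = [f'{e["esp"].strip() or "You"}: {e["customer_action"].strip()}'
                   for e in entries if e["customer_action"].strip()]
        unmapped = not entries
        # One ESP says it is fully inherited while another still leaves you work: ask both.
        conflict = INHERITED in claims and bool(claims & {SHARED, CUSTOMER})
        if unmapped or CUSTOMER in claims:
            net = CUSTOMER                      # nobody else has claimed it, so it is on you
        elif claims == {INHERITED} and not actions:
            net = INHERITED                     # end-to-end, nothing left to configure or evidence
        elif claims == {NA}:
            net = NA
        else:
            net = SHARED                        # includes "Inherited" rows that still list an action
        result[cid] = {
            "net": net,
            "esps": sorted({e["esp"].strip() for e in entries if e["esp"].strip()}),
            "customer_actions": actions,
            "conflict": conflict,
            "unmapped": unmapped,
        }
    return result


def gaps(result: dict[str, dict]) -> list[str]:
    """Controls to chase before assessment day: unmapped or contested."""
    return sorted(c for c, r in result.items() if r["unmapped"] or r["conflict"])


def summary(result: dict[str, dict]) -> dict[str, int]:
    return dict(Counter(r["net"] for r in result.values()))


if __name__ == "__main__":
    view = reconcile(load_rows(CRM_CSV), SCOPE)
    for cid, rec in view.items():
        flag = " CONFLICT" if rec["conflict"] else (" UNMAPPED" if rec["unmapped"] else "")
        print(f'{cid:8} {rec["net"]:10}{flag}  {"; ".join(rec["customer_actions"])}')
    print(summary(view), "gaps:", gaps(view))
```

On the sample, 3.14.2 is the instructive case: the MSP's CRM marks malware protection as inherited while the EDR vendor's CRM still lists agent deployment and scan exclusions as your work, so the net answer is Shared and the conflict is flagged for the two providers to resolve in writing. 3.14.3 appears in no CRM at all and therefore defaults to Customer, which is the right answer for an advisory-monitoring control but has to be stated in the SSP rather than left implicit.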

Most contractors arrive at assessment with the SRM their cloud provider published and call it done. Then the assessor asks for the CRM — the version specific to their tenant, with evidence — and the engagement stalls. The matrix is the map. Someone still has to do the work.

Deepak Singh · Founder & Principal · Ancitus

Common questions — inheritance, CRMs, and engagement
Q01

Why does your matrix show one inherited control on GCC High when Microsoft says fifty-three?

Different definitions of inherited. Microsoft's product placemat counts a control as inherited if the platform contributes to meeting it. A C3PAO's stricter view: inherited only when the platform handles it end-to-end and the customer has nothing left to configure, document, or evidence. Most "inherited" entries on the placemat still need customer work, so we label them shared. We use the assessor's definition because that's the one that decides whether you pass.

Q02

Can my MSP write our CRM for us?

Your MSP can write their CRM — the document describing what their service handles for you. They can't write yours. Each ESP authors their own CRM, and you reconcile all of them against the 320 assessment objectives in your SSP. If you have GCC High, an MSP, an EDR vendor, and a SIEM provider, that's four CRMs to align. Most contractors don't have someone doing that reconciliation, which is the gap we fill.

Q03

Do we still need a CRM if we're self-assessing at Level 1?

If you only handle FCI and you're at Level 1, the bar is lower — but if any external service supports those Level 1 requirements (the 15 FAR 52.204-21 safeguards, which map to 17 NIST SP 800-171 controls), you still need to know who owns what. Level 2 contractors handling CUI need full CRMs regardless of self-assessment vs. C3PAO. Phase 2 enforcement on 10 November 2026 makes third-party assessments mandatory for many Level 2 solicitations, and the CRM is the first artefact opened.

Q04

How long does a tenant-side configuration plus CRM take?

Typical engagement is 4–6 weeks for a single-tenant GCC High deployment with two or three ESPs in scope. Wider boundaries take longer. Fixed fee, scoped after the discovery call. Your CUI stays in your environment throughout — we work inside your tenant via the access controls you provision, not by exporting data.

Two ways to use this

Take the matrix. Or talk to us about the CRM.

Both options. No funnel tricks. The matrix is free regardless of whether you ever speak to us.

Discovery call · Senior engineer

Get the controls configured. Get the CRM.

30 minutes. We'll scope your boundary, walk through your ESPs, and tell you what implementation looks like and roughly what it costs. The person you talk to is the person doing the work.

Book a discovery call

UK / US time zones · Coordinated manually for transatlantic fit

Free · No email · No catch

Download the matrix

One XLSX. Four tabs (one per platform). All 110 controls with SSP-ready language. Lift it straight into your documentation.

Download (XLSX, 48 KB)

Last verified 17 April 2026 · Sourced from FedRAMP packages and provider CRMs