top of page

From Tom Cornelius - CMMC: Reciprocity vs Inheritance

Article highlights:

  • This is a short article on understanding the compliance ramifications of using a Third-Party Service Provider (TSP), including a Cloud Service Provider (CSP), for Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171.

  • A fundamental requirement to discuss reciprocity and/or inheritance is the Organization Seeking Certification (OSC) needs to develop a detailed Control Responsibility Matrix (CRM) that clearly identifies what controls the CSP, OSC and other TSP are contractually obligated to perform

  • The CRM should be created during the process of defining the scope of a CMMC compliance program to not only identify the assets within the accreditation boundary, but also the controls that are relevant to each asset


bottom of page