Article by Tom Cornelius; the original can be found here: https://www.linkedin.com/pulse/cmmc-reciprocity-vs-inheritance-tom-cornelius
Article highlights:
This is a short article on understanding the compliance ramifications of using a Third-Party Service Provider (TSP), including a Cloud Service Provider (CSP), for Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171.
A fundamental requirement for discussing reciprocity and/or inheritance is that the Organization Seeking Certification (OSC) develop a detailed Control Responsibility Matrix (CRM) that clearly identifies which controls the CSP, the OSC and other TSPs are contractually obligated to perform.
The CRM should be created while defining the scope of a CMMC compliance program, to identify not only the assets within the accreditation boundary but also the controls that are relevant to each asset.