
MSP Shared Responsibility Matrix Template for Compliance

Scopable Team, 18 min read

A client failed their CMMC assessment. The assessor asked who was responsible for access control reviews. The client pointed at the MSP. The MSP pointed at the client. Neither had documentation.

The assessment failed. The relationship fractured. Lawyers got involved.

This happens because nobody documented responsibilities upfront. The shared responsibility matrix exists to prevent it.

What Is a Shared Responsibility Matrix?

A shared responsibility matrix (SRM) documents who owns what in a compliance engagement. For every control, activity, and obligation, it specifies whether the MSP is responsible, the client is responsible, or responsibility is shared (and if shared, exactly how it's divided).

Why it matters:

  • Prevents finger-pointing after incidents
  • Clarifies scope before work begins
  • Creates defensible documentation for audits
  • Reduces liability disputes
  • Required for CMMC (not optional)

Without an SRM, responsibilities are assumed. Assumptions differ. When something goes wrong, everyone remembers the responsibilities differently, always in their own favor.

SRM Structure

An effective SRM has four columns:

Control/Activity: The specific requirement or task being assigned

MSP Responsibility: What the MSP owns completely (implements, maintains, monitors)

Client Responsibility: What the client owns completely (decides, enforces, funds)

Shared Details: For shared responsibilities, exactly who does what

Each row should be specific enough that there's no ambiguity. "Access control" is too vague. "Quarterly access reviews for systems in scope" is specific enough to assign clearly.

HIPAA Shared Responsibility Matrix Template

Access Controls

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| User access provisioning | Configure access in managed systems per approved request | Submit access requests, approve access levels, define role requirements | MSP executes; Client authorizes |
| Access termination | Disable accounts within 24 hours of notification | Notify MSP of terminations within 4 business hours | Client notifies; MSP executes |
| Privileged access management | Manage privileged accounts for managed infrastructure, enforce MFA | Approve privileged access requests, conduct privileged access reviews | MSP implements controls; Client approves access |
| Access reviews | Provide quarterly access reports | Review reports, approve continued access, document decisions | MSP reports; Client decides |
| Password management | Enforce password policies in managed systems | Define password policy requirements, ensure user compliance | MSP configures; Client defines policy |

Audit Controls

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Audit log configuration | Configure logging on managed systems per requirements | Define logging requirements, specify retention periods | MSP configures; Client specifies |
| Log retention | Retain logs for managed systems per agreed schedule | Define retention requirements, provide storage if needed | MSP retains; Client funds |
| Log review | Provide log analysis and alerting | Review alerts, investigate anomalies, document findings | MSP alerts; Client investigates |
| Audit trail protection | Protect integrity of audit logs for managed systems | Ensure physical security of on-premise log storage | MSP protects electronic; Client protects physical |

Transmission Security

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Encryption in transit | Implement TLS/encryption for managed systems | Identify systems requiring encryption, fund certificate costs | MSP implements; Client identifies scope |
| Secure email | Configure email encryption solution | Train staff on use, enforce usage policies | MSP configures; Client enforces |
| VPN management | Maintain VPN infrastructure for remote access | Approve VPN access requests, ensure staff compliance | MSP maintains; Client authorizes |

Integrity Controls

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Patch management | Patch managed systems per agreed schedule | Approve maintenance windows, test business applications | MSP patches; Client approves timing |
| Anti-malware | Deploy and maintain endpoint protection | Report suspected infections, ensure staff compliance | MSP deploys; Client reports |
| Backup verification | Test backups per agreed schedule | Define RPO/RTO requirements, approve backup scope | MSP tests; Client defines requirements |

Administrative Safeguards

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Risk assessment | Conduct annual technical risk assessment | Review findings, make risk decisions, fund remediation | MSP assesses; Client decides |
| Security policies | Provide policy templates, recommend updates | Approve policies, enforce with workforce, document exceptions | MSP recommends; Client owns |
| Workforce training | Provide training platform and content | Ensure completion, address failures, reinforce training | MSP provides; Client ensures completion |
| Incident response | Detect, alert, provide technical response | Determine breach status, handle notifications, engage legal | MSP detects; Client determines and notifies |
| Business Associate Agreements | N/A (Client responsibility) | Execute BAAs, maintain inventory, ensure vendor compliance | Client owns entirely |

Physical Safeguards

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Workstation security | Configure device encryption, endpoint controls | Ensure physical workstation security, report loss/theft | MSP configures; Client secures |
| Facility access | N/A (Client responsibility) | Control facility access, maintain access logs | Client owns entirely |
| Device disposal | Perform secure data destruction on managed devices | Track devices containing ePHI, arrange for destruction | MSP destroys; Client tracks |

CMMC Level 2 Shared Responsibility Matrix Template

Access Control (AC)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| AC.L2-3.1.1 | Limit system access to authorized users | Implement access controls in managed infrastructure | Define authorized users, approve access | MSP implements; Client authorizes |
| AC.L2-3.1.2 | Limit system access to authorized functions | Configure role-based access in managed systems | Define roles and authorized functions | MSP configures; Client defines |
| AC.L2-3.1.3 | Control CUI flow | Implement boundary controls, DLP in managed systems | Define CUI boundaries, train workforce on handling | MSP controls technically; Client defines scope |
| AC.L2-3.1.5 | Employ least privilege | Configure minimum necessary access | Approve access requests, review periodically | MSP implements; Client approves |
| AC.L2-3.1.7 | Prevent non-privileged users from executing privileged functions | Enforce separation in managed systems | Define privileged vs. non-privileged roles | MSP enforces; Client defines |
| AC.L2-3.1.12 | Monitor and control remote access | Manage VPN, remote access infrastructure | Authorize remote access users, ensure policy compliance | MSP monitors; Client authorizes |
| AC.L2-3.1.20 | Verify and control connections to external systems | Manage firewall rules, external connections | Approve external connections, document business need | MSP implements; Client approves |

Awareness and Training (AT)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| AT.L2-3.2.1 | Security awareness training | Provide training platform and CUI-specific content | Ensure workforce completion, address failures | MSP provides; Client ensures |
| AT.L2-3.2.2 | Role-based training | Provide role-specific training content | Define roles requiring specialized training | MSP provides; Client defines |

Audit and Accountability (AU)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| AU.L2-3.3.1 | Create and retain audit logs | Configure audit logging on managed systems | Define retention requirements, fund storage | MSP configures; Client defines |
| AU.L2-3.3.2 | Trace actions to users | Ensure user attribution in managed systems | Ensure unique accounts, prohibit sharing | MSP enables; Client enforces policy |
| AU.L2-3.3.5 | Correlate audit review and reporting | Provide SIEM/log analysis for managed systems | Review reports, investigate findings | MSP correlates; Client investigates |
| AU.L2-3.3.8 | Protect audit information | Protect audit logs in managed systems | Ensure physical security of audit storage | MSP protects; Client secures physical |

Configuration Management (CM)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| CM.L2-3.4.1 | Establish and maintain configurations | Maintain baseline configs for managed systems | Approve baselines, define requirements for mission systems | MSP maintains; Client approves |
| CM.L2-3.4.2 | Establish and enforce security config settings | Implement hardening standards | Approve standards, fund required changes | MSP implements; Client approves |
| CM.L2-3.4.3 | Track and manage changes | Manage change control for infrastructure | Approve changes, test business applications | MSP tracks; Client approves |
| CM.L2-3.4.6 | Employ least functionality | Disable unnecessary functions in managed systems | Define required functionality | MSP disables; Client defines |

Identification and Authentication (IA)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| IA.L2-3.5.1 | Identify and authenticate users | Implement authentication for managed systems | Manage user identities, onboarding/offboarding | MSP implements; Client manages identities |
| IA.L2-3.5.2 | Authenticate devices | Implement device authentication where required | Inventory devices, define device requirements | MSP authenticates; Client inventories |
| IA.L2-3.5.3 | Use multifactor authentication | Implement MFA for privileged and remote access | Ensure user enrollment, enforce usage | MSP implements; Client ensures adoption |
| IA.L2-3.5.10 | Store and transmit cryptographically protected passwords | Configure secure password storage | Define password policy requirements | MSP configures; Client defines |

Incident Response (IR)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| IR.L2-3.6.1 | Incident handling capability | Provide detection, alerting, technical response | Establish IR team, make containment decisions | MSP detects; Client decides |
| IR.L2-3.6.2 | Track and document incidents | Document technical findings and response | Report to DIBNet within 72 hours if required | MSP documents; Client reports |
| IR.L2-3.6.3 | Test incident response | Participate in tabletop exercises | Plan and conduct exercises, document results | Shared: Both participate |

Maintenance (MA)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| MA.L2-3.7.1 | Perform maintenance | Maintain managed systems per schedule | Approve maintenance windows | MSP maintains; Client approves timing |
| MA.L2-3.7.2 | Control maintenance tools | Control tools used on managed systems | Inventory tools on client-maintained systems | MSP controls managed; Client controls others |
| MA.L2-3.7.5 | Require MFA for remote maintenance | Enforce MFA for remote maintenance access | N/A | MSP owns |

Media Protection (MP)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| MP.L2-3.8.1 | Protect media | Protect electronic media for managed systems | Protect physical media, paper CUI | MSP protects electronic; Client protects physical |
| MP.L2-3.8.3 | Sanitize media | Sanitize media from managed systems | Track all media containing CUI | MSP sanitizes; Client tracks |
| MP.L2-3.8.9 | Protect backup CUI | Encrypt backups containing CUI | Define backup scope, verify coverage | MSP encrypts; Client defines scope |

Personnel Security (PS)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| PS.L2-3.9.1 | Screen individuals | Screen MSP personnel with CUI access | Screen employees, maintain screening records | Each screens own personnel |
| PS.L2-3.9.2 | Ensure CUI protection during personnel actions | Terminate MSP access upon separation | Notify MSP of separations, revoke own access | Client notifies; both execute |

Physical Protection (PE)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| PE.L2-3.10.1 | Limit physical access | Secure MSP-hosted infrastructure (if applicable) | Secure client facilities processing CUI | Each secures own facilities |
| PE.L2-3.10.3 | Escort visitors | Escort visitors in MSP facilities | Escort visitors in client facilities | Each manages own |
| PE.L2-3.10.6 | Enforce safeguarding at alternate sites | N/A (client responsibility) | Secure alternate work locations | Client owns |

Risk Assessment (RA)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| RA.L2-3.11.1 | Assess risk periodically | Conduct technical risk assessments | Review findings, make risk decisions | MSP assesses; Client decides |
| RA.L2-3.11.2 | Scan for vulnerabilities | Conduct vulnerability scanning on managed systems | Review findings, prioritize remediation | MSP scans; Client prioritizes |
| RA.L2-3.11.3 | Remediate vulnerabilities | Remediate per agreed schedule | Approve remediation, fund changes | MSP remediates; Client funds |

Security Assessment (CA)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| CA.L2-3.12.1 | Assess controls periodically | Assess controls in managed systems | Assess non-MSP controls, compile results | Each assesses own scope |
| CA.L2-3.12.2 | Develop POA&Ms | Contribute findings for managed systems | Develop overall POA&M, track remediation | MSP contributes; Client owns |
| CA.L2-3.12.4 | Develop SSP | Document MSP-implemented controls | Develop and maintain overall SSP | MSP documents own; Client owns SSP |

System and Communications Protection (SC)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| SC.L2-3.13.1 | Boundary protection | Implement firewall, boundary controls | Define CUI boundaries | MSP implements; Client defines |
| SC.L2-3.13.8 | Encrypt CUI in transit | Implement encryption for managed systems | Identify CUI transmission requirements | MSP encrypts; Client identifies scope |
| SC.L2-3.13.11 | Employ FIPS-validated cryptography | Use FIPS-validated encryption | Verify compliance requirements | MSP uses; Client verifies |
| SC.L2-3.13.16 | Encrypt CUI at rest | Implement encryption at rest | Define CUI storage locations | MSP encrypts; Client defines scope |

System and Information Integrity (SI)

| Control ID | Control Description | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|---|
| SI.L2-3.14.1 | Identify and correct flaws | Patch managed systems | Approve timing, test applications | MSP patches; Client approves |
| SI.L2-3.14.2 | Malicious code protection | Deploy endpoint protection | Report suspected infections | MSP deploys; Client reports |
| SI.L2-3.14.3 | Monitor for indicators | Monitor managed systems | Review alerts, investigate | MSP monitors; Client investigates |
| SI.L2-3.14.6 | Monitor communications for attacks | Monitor network for threats | Review findings, approve response | MSP monitors; Client approves |
| SI.L2-3.14.7 | Identify unauthorized use | Alert on anomalous activity | Investigate alerts, take action | MSP alerts; Client investigates |

SOC 2 Shared Responsibility Matrix Template

Common Criteria (CC) - Security

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| CC6.1 - Logical access | Implement access controls in managed infrastructure | Define access requirements, authorize users | MSP implements; Client authorizes |
| CC6.2 - Prior authorization | Configure approval workflows | Approve access requests, review periodically | MSP configures; Client approves |
| CC6.3 - New access removal | Execute access changes within SLA | Notify of onboarding/offboarding, document requirements | MSP executes; Client notifies |
| CC6.6 - External threats | Monitor and protect from external threats | Fund security tools, review findings | MSP monitors; Client funds |
| CC6.7 - Transmission protection | Implement encryption in transit | Define transmission requirements | MSP implements; Client defines |
| CC6.8 - Unauthorized software | Control software installation | Define approved software list | MSP controls; Client defines |
| CC7.1 - Configuration standards | Maintain hardened configurations | Approve standards | MSP maintains; Client approves |
| CC7.2 - Infrastructure monitoring | Monitor infrastructure, alert on issues | Review alerts, investigate findings | MSP monitors; Client investigates |
| CC7.3 - Change management | Implement change control process | Approve changes | MSP implements; Client approves |
| CC7.4 - Vulnerability management | Scan and remediate vulnerabilities | Approve remediation timing | MSP remediates; Client approves |
| CC7.5 - Incident detection | Detect and alert on incidents | Respond, communicate, document | MSP detects; Client responds |

Availability

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| A1.1 - Capacity management | Monitor capacity, plan scaling | Define requirements, fund expansion | MSP monitors; Client funds |
| A1.2 - Environmental controls | Maintain environmental controls for hosted systems | Maintain controls for on-premise equipment | Each maintains own |
| A1.3 - Backup and recovery | Implement backup per requirements, test recovery | Define RPO/RTO, verify business requirements | MSP implements; Client defines |

Confidentiality

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| C1.1 - Confidential data identification | Protect data classified as confidential | Identify confidential data, classify appropriately | MSP protects; Client classifies |
| C1.2 - Confidential data disposal | Securely dispose of data | Notify when disposal required | MSP disposes; Client notifies |

Processing Integrity

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| PI1.1 - Accurate processing | Maintain system accuracy | Verify processing meets requirements | MSP maintains; Client verifies |
| PI1.2 - Error detection | Alert on processing errors | Investigate errors, define resolution | MSP alerts; Client investigates |

Privacy

| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| P1.1 - Privacy notice | N/A | Provide privacy notices to data subjects | Client owns |
| P4.1 - Data collection | N/A | Limit collection to stated purposes | Client owns |
| P5.1 - Data use | Process data only as authorized | Define authorized uses | MSP processes; Client defines |
| P6.1 - Data disclosure | Disclose only to authorized parties | Define authorized disclosure | MSP follows; Client defines |
| P7.1 - Data quality | Maintain data accuracy | Verify data quality | MSP maintains; Client verifies |

How to Use This Template

Step 1: Select the Appropriate Framework(s)

Use the HIPAA template for healthcare clients. Use the CMMC template for defense contractors. Use the SOC 2 template for SaaS clients and service providers.

For multi-framework engagements, combine templates and consolidate overlapping controls.

Step 2: Customize for Your Engagement

The templates are starting points. Customize based on:

  • Actual scope of your services
  • Client's existing capabilities
  • Specific systems and applications in scope
  • Client's other service providers

Don't copy verbatim. Review each row and verify it reflects your actual arrangement.

Step 3: Review with the Client

Walk through the SRM with the client before signing. Verify they understand and agree with each assignment. Address disagreements now, not during an audit or incident.

Step 4: Incorporate into Your Agreement

The SRM should be an exhibit to your MSA or SOW. Reference it in the scope of services. Make it contractually binding.

Step 5: Review and Update Periodically

Circumstances change. Services expand. New controls come into scope. Review the SRM at least annually and update as needed.

Common SRM Mistakes

Mistake 1: "Shared" Without Specifics

"Shared responsibility for incident response" means nothing. Who detects? Who investigates? Who notifies regulators? Who communicates with customers?

Every "shared" responsibility needs specifics. Otherwise, both parties assume the other is handling it.

Mistake 2: Copying Without Customizing

A template SRM doesn't match your actual engagement. If you assign yourself responsibility for something you're not actually doing, you've created liability for no reason.

Review every row. Customize to reality.

Mistake 3: Not Getting Sign-Off

An SRM the client hasn't acknowledged is just your opinion. Get their signature on the document or acknowledgment in the SOW.

Mistake 4: Set and Forget

Your services evolve. The client's environment changes. New requirements emerge. If the SRM doesn't update, it becomes inaccurate.

Review annually at minimum.

Mistake 5: Too Much "MSP Responsible"

If you're taking responsibility for things outside your actual scope, you're creating liability. Be realistic about what you own.

Some things should be client responsibility: policy approval, risk decisions, regulatory notifications, workforce management. Don't take those on unless you intend to do them.
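A small lint pass over a matrix written in this page's table layout, added here as an example and not part of the template or any Scopable tooling: it parses the four-column (HIPAA/SOC 2) and five-column (CMMC) tables above and flags Mistake 1 (a "shared" row that never says who does what) plus the inconsistency the templates avoid, an N/A column whose Shared Details still assign work to that party. The SAMPLE_SRM rows are constructed: three copied from the HIPAA template and two deliberately defective.

```python
import re
from dataclasses import dataclass

# Constructed sample in the template's own layout: three rows from the HIPAA
# template above plus two deliberately defective rows (the last two).
SAMPLE_SRM = """
| Control Area | MSP Responsibility | Client Responsibility | Shared Details |
|---|---|---|---|
| Access termination | Disable accounts within 24 hours of notification | Notify MSP of terminations within 4 business hours | Client notifies; MSP executes |
| Business Associate Agreements | N/A (Client responsibility) | Execute BAAs, maintain inventory, ensure vendor compliance | Client owns entirely |
| Incident response | Shared | Shared | Shared responsibility for incident response |
| Facility access | N/A | Control facility access, maintain access logs | MSP secures; Client logs |
"""


@dataclass
class SrmRow:
    control: str
    msp: str
    client: str
    shared: str


NA = re.compile(r"^n/?a\b", re.I)                       # "N/A", "N/A (...)", "NA"
PARTY = re.compile(r"\b(msp|client|each|both)\b", re.I)  # someone is named


def parse_srm(markdown: str) -> list[SrmRow]:
    """Parse the template's markdown tables. CMMC tables carry five columns;
    their control ID and description are joined into one control name."""
    rows = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 5:
            cells = [f"{cells[0]} {cells[1]}"] + cells[2:]
        if len(cells) != 4:
            continue
        if cells[0].startswith("Control") or set(cells[0]) <= set("-: "):
            continue  # header row or |---| separator row
        rows.append(SrmRow(*cells))
    return rows


def check_row(row: SrmRow) -> list[str]:
    """Apply the page's assignment rules to one row; return its findings."""
    findings = []
    msp_na, client_na = bool(NA.match(row.msp)), bool(NA.match(row.client))
    if msp_na and client_na:
        findings.append("no owner: both responsibility columns are N/A")
    # Mistake 1: 'shared' must say who does what, so at least one party
    # (MSP, Client, each, both) has to appear in the details column.
    if not PARTY.search(row.shared):
        findings.append("shared details do not say who does what")
    # An N/A column means the other party owns the row entirely; the details
    # column must say so rather than hand work back to the N/A party.
    if msp_na and not re.search(r"\bclient owns\b", row.shared, re.I):
        findings.append("MSP column is N/A but details do not state client ownership")
    if client_na and not re.search(r"\bmsp owns\b", row.shared, re.I):
        findings.append("Client column is N/A but details do not state MSP ownership")
    return findings


def lint_srm(markdown: str) -> dict[str, list[str]]:
    """Return {control name: findings} for every row that fails a rule."""
    report = {}
    for row in parse_srm(markdown):
        findings = check_row(row)
        if findings:
            report[row.control] = findings
    return report


if __name__ == "__main__":
    for control, findings in lint_srm(SAMPLE_SRM).items():
        print(f"{control}: {'; '.join(findings)}")
```

Run against the full templates above, the pass is clean; the two constructed rows are the only ones reported.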

Bottom Line

A shared responsibility matrix isn't paperwork. It's liability protection.

For CMMC, it's required. For every other compliance engagement, it's essential. Without one, responsibilities are assumed, assumptions diverge, and disputes follow.

Document responsibilities before work begins. Get client sign-off. Update as circumstances change.

When something goes wrong (and eventually something will), the SRM is your first reference for who owned what. Read our MSP Compliance Liability Guide for the complete framework on protecting your business. And check out our Compliance Pricing Guide to ensure you're pricing based on what you're actually responsible for.
