What is a shared responsibility matrix in compliance?

A shared responsibility matrix documents who is responsible for what in a compliance engagement. For every control and activity, it specifies whether the MSP is responsible, the client is responsible, or responsibility is shared. It prevents disputes by documenting responsibilities before work begins.

Is a shared responsibility matrix required for CMMC?

Yes. CMMC requires that organizations seeking certification document shared responsibilities when using service providers. The assessor will ask for this documentation. Without it, the assessment cannot proceed.

How often should I update the shared responsibility matrix?

Review annually at minimum, and update whenever services change significantly. If you add new services, new systems come into scope, or responsibilities shift, update the SRM accordingly.

What happens if the client doesn't sign the shared responsibility matrix?

An unsigned SRM provides weaker protection than a signed one. If the client won't sign, document their acknowledgment in meeting notes or email. Include language in your SOW that references the SRM and their acceptance of it.

Shared Responsibility Matrix Template (HIPAA, CMMC, SOC 2)

A client failed their CMMC assessment. The assessor asked who was responsible for access control reviews. The client pointed at the MSP. The MSP pointed at the client. Neither had documentation.

The assessment failed. The relationship fractured. Lawyers got involved.

This happens because nobody documented responsibilities upfront. The shared responsibility matrix exists to prevent it.

What Is a Shared Responsibility Matrix?

A shared responsibility matrix (SRM) documents who owns what in a compliance engagement. For every control, activity, and obligation, it specifies whether the MSP is responsible, the client is responsible, or responsibility is shared (and if shared, exactly how it's divided).

Why it matters:

Prevents finger-pointing after incidents
Clarifies scope before work begins
Creates defensible documentation for audits
Reduces liability disputes
Required for CMMC (not optional)

Without an SRM, responsibilities are assumed. Assumptions differ. When something goes wrong, everyone remembers the responsibilities differently, always in their own favor.

SRM Structure

An effective SRM has four columns:

Control/Activity: The specific requirement or task being assigned

MSP Responsibility: What the MSP owns completely (implements, maintains, monitors)

Client Responsibility: What the client owns completely (decides, enforces, funds)

Shared Details: For shared responsibilities, exactly who does what

Each row should be specific enough that there's no ambiguity. "Access control" is too vague. "Quarterly access reviews for systems in scope" is specific enough to assign clearly.

HIPAA Shared Responsibility Matrix Template

With the HIPAA 2026 changes eliminating most "addressable" controls, these matrices become even more critical.

Access Controls

Control Area	MSP Responsibility	Client Responsibility	Shared Details
User access provisioning	Configure access in managed systems per approved request	Submit access requests, approve access levels, define role requirements	MSP executes; Client authorizes
Access termination	Disable accounts within 24 hours of notification	Notify MSP of terminations within 4 business hours	Client notifies; MSP executes
Privileged access management	Manage privileged accounts for managed infrastructure, enforce MFA	Approve privileged access requests, conduct privileged access reviews	MSP implements controls; Client approves access
Access reviews	Provide quarterly access reports	Review reports, approve continued access, document decisions	MSP reports; Client decides
Password management	Enforce password policies in managed systems	Define password policy requirements, ensure user compliance	MSP configures; Client defines policy

Audit Controls

Control Area	MSP Responsibility	Client Responsibility	Shared Details
Audit log configuration	Configure logging on managed systems per requirements	Define logging requirements, specify retention periods	MSP configures; Client specifies
Log retention	Retain logs for managed systems per agreed schedule	Define retention requirements, provide storage if needed	MSP retains; Client funds
Log review	Provide log analysis and alerting	Review alerts, investigate anomalies, document findings	MSP alerts; Client investigates
Audit trail protection	Protect integrity of audit logs for managed systems	Ensure physical security of on-premise log storage	MSP protects electronic; Client protects physical

Transmission Security

Control Area	MSP Responsibility	Client Responsibility	Shared Details
Encryption in transit	Implement TLS/encryption for managed systems	Identify systems requiring encryption, fund certificate costs	MSP implements; Client identifies scope
Secure email	Configure email encryption solution	Train staff on use, enforce usage policies	MSP configures; Client enforces
VPN management	Maintain VPN infrastructure for remote access	Approve VPN access requests, ensure staff compliance	MSP maintains; Client authorizes

Integrity Controls

Control Area	MSP Responsibility	Client Responsibility	Shared Details
Patch management	Patch managed systems per agreed schedule	Approve maintenance windows, test business applications	MSP patches; Client approves timing
Anti-malware	Deploy and maintain endpoint protection	Report suspected infections, ensure staff compliance	MSP deploys; Client reports
Backup verification	Test backups per agreed schedule	Define RPO/RTO requirements, approve backup scope	MSP tests; Client defines requirements

Administrative Safeguards

Control Area	MSP Responsibility	Client Responsibility	Shared Details
Risk assessment	Conduct annual technical risk assessment	Review findings, make risk decisions, fund remediation	MSP assesses; Client decides
Security policies	Provide policy templates, recommend updates	Approve policies, enforce with workforce, document exceptions	MSP recommends; Client owns
Workforce training	Provide training platform and content	Ensure completion, address failures, reinforce training	MSP provides; Client ensures completion
Incident response	Detect, alert, provide technical response	Determine breach status, handle notifications, engage legal	MSP detects; Client determines and notifies
Business Associate Agreements	N/A (Client responsibility)	Execute BAAs, maintain inventory, ensure vendor compliance	Client owns entirely

Physical Safeguards

Control Area	MSP Responsibility	Client Responsibility	Shared Details
Workstation security	Configure device encryption, endpoint controls	Ensure physical workstation security, report loss/theft	MSP configures; Client secures
Facility access	N/A (Client responsibility)	Control facility access, maintain access logs	Client owns entirely
Device disposal	Perform secure data destruction on managed devices	Track devices containing ePHI, arrange for destruction	MSP destroys; Client tracks

CMMC Level 2 Shared Responsibility Matrix Template

Access Control (AC)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
AC.L2-3.1.1	Limit system access to authorized users	Implement access controls in managed infrastructure	Define authorized users, approve access	MSP implements; Client authorizes
AC.L2-3.1.2	Limit system access to authorized functions	Configure role-based access in managed systems	Define roles and authorized functions	MSP configures; Client defines
AC.L2-3.1.3	Control CUI flow	Implement boundary controls, DLP in managed systems	Define CUI boundaries, train workforce on handling	MSP controls technically; Client defines scope
AC.L2-3.1.5	Employ least privilege	Configure minimum necessary access	Approve access requests, review periodically	MSP implements; Client approves
AC.L2-3.1.7	Prevent non-privileged users from executing privileged functions	Enforce separation in managed systems	Define privileged vs. non-privileged roles	MSP enforces; Client defines
AC.L2-3.1.12	Monitor and control remote access	Manage VPN, remote access infrastructure	Authorize remote access users, ensure policy compliance	MSP monitors; Client authorizes
AC.L2-3.1.20	Verify and control connections to external systems	Manage firewall rules, external connections	Approve external connections, document business need	MSP implements; Client approves

Awareness and Training (AT)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
AT.L2-3.2.1	Security awareness training	Provide training platform and CUI-specific content	Ensure workforce completion, address failures	MSP provides; Client ensures
AT.L2-3.2.2	Role-based training	Provide role-specific training content	Define roles requiring specialized training	MSP provides; Client defines

Audit and Accountability (AU)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
AU.L2-3.3.1	Create and retain audit logs	Configure audit logging on managed systems	Define retention requirements, fund storage	MSP configures; Client defines
AU.L2-3.3.2	Trace actions to users	Ensure user attribution in managed systems	Ensure unique accounts, prohibit sharing	MSP enables; Client enforces policy
AU.L2-3.3.5	Correlate audit review and reporting	Provide SIEM/log analysis for managed systems	Review reports, investigate findings	MSP correlates; Client investigates
AU.L2-3.3.8	Protect audit information	Protect audit logs in managed systems	Ensure physical security of audit storage	MSP protects; Client secures physical

Configuration Management (CM)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
CM.L2-3.4.1	Establish and maintain configurations	Maintain baseline configs for managed systems	Approve baselines, define requirements for mission systems	MSP maintains; Client approves
CM.L2-3.4.2	Establish and enforce security config settings	Implement hardening standards	Approve standards, fund required changes	MSP implements; Client approves
CM.L2-3.4.3	Track and manage changes	Manage change control for infrastructure	Approve changes, test business applications	MSP tracks; Client approves
CM.L2-3.4.6	Employ least functionality	Disable unnecessary functions in managed systems	Define required functionality	MSP disables; Client defines

Identification and Authentication (IA)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
IA.L2-3.5.1	Identify and authenticate users	Implement authentication for managed systems	Manage user identities, onboarding/offboarding	MSP implements; Client manages identities
IA.L2-3.5.2	Authenticate devices	Implement device authentication where required	Inventory devices, define device requirements	MSP authenticates; Client inventories
IA.L2-3.5.3	Use multifactor authentication	Implement MFA for privileged and remote access	Ensure user enrollment, enforce usage	MSP implements; Client ensures adoption
IA.L2-3.5.10	Store and transmit cryptographically protected passwords	Configure secure password storage	Define password policy requirements	MSP configures; Client defines

Incident Response (IR)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
IR.L2-3.6.1	Incident handling capability	Provide detection, alerting, technical response	Establish IR team, make containment decisions	MSP detects; Client decides
IR.L2-3.6.2	Track and document incidents	Document technical findings and response	Report to DIBNet within 72 hours if required	MSP documents; Client reports
IR.L2-3.6.3	Test incident response	Participate in tabletop exercises	Plan and conduct exercises, document results	Shared: Both participate

Maintenance (MA)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
MA.L2-3.7.1	Perform maintenance	Maintain managed systems per schedule	Approve maintenance windows	MSP maintains; Client approves timing
MA.L2-3.7.2	Control maintenance tools	Control tools used on managed systems	Inventory tools on client-maintained systems	MSP controls managed; Client controls others
MA.L2-3.7.5	Require MFA for remote maintenance	Enforce MFA for remote maintenance access	N/A	MSP owns

Media Protection (MP)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
MP.L2-3.8.1	Protect media	Protect electronic media for managed systems	Protect physical media, paper CUI	MSP protects electronic; Client protects physical
MP.L2-3.8.3	Sanitize media	Sanitize media from managed systems	Track all media containing CUI	MSP sanitizes; Client tracks
MP.L2-3.8.9	Protect backup CUI	Encrypt backups containing CUI	Define backup scope, verify coverage	MSP encrypts; Client defines scope

Personnel Security (PS)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
PS.L2-3.9.1	Screen individuals	Screen MSP personnel with CUI access	Screen employees, maintain screening records	Each screens own personnel
PS.L2-3.9.2	Ensure CUI protection during personnel actions	Terminate MSP access upon separation	Notify MSP of separations, revoke own access	Client notifies; both execute

Physical Protection (PE)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
PE.L2-3.10.1	Limit physical access	Secure MSP-hosted infrastructure (if applicable)	Secure client facilities processing CUI	Each secures own facilities
PE.L2-3.10.3	Escort visitors	Escort visitors in MSP facilities	Escort visitors in client facilities	Each manages own
PE.L2-3.10.6	Enforce safeguarding at alternate sites	N/A (client responsibility)	Secure alternate work locations	Client owns

Risk Assessment (RA)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
RA.L2-3.11.1	Assess risk periodically	Conduct technical risk assessments	Review findings, make risk decisions	MSP assesses; Client decides
RA.L2-3.11.2	Scan for vulnerabilities	Conduct vulnerability scanning on managed systems	Review findings, prioritize remediation	MSP scans; Client prioritizes
RA.L2-3.11.3	Remediate vulnerabilities	Remediate per agreed schedule	Approve remediation, fund changes	MSP remediates; Client funds

Security Assessment (CA)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
CA.L2-3.12.1	Assess controls periodically	Assess controls in managed systems	Assess non-MSP controls, compile results	Each assesses own scope
CA.L2-3.12.2	Develop POA&Ms	Contribute findings for managed systems	Develop overall POA&M, track remediation	MSP contributes; Client owns
CA.L2-3.12.4	Develop SSP	Document MSP-implemented controls	Develop and maintain overall SSP	MSP documents own; Client owns SSP

System and Communications Protection (SC)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
SC.L2-3.13.1	Boundary protection	Implement firewall, boundary controls	Define CUI boundaries	MSP implements; Client defines
SC.L2-3.13.8	Encrypt CUI in transit	Implement encryption for managed systems	Identify CUI transmission requirements	MSP encrypts; Client identifies scope
SC.L2-3.13.11	Employ FIPS-validated cryptography	Use FIPS-validated encryption	Verify compliance requirements	MSP uses; Client verifies
SC.L2-3.13.16	Encrypt CUI at rest	Implement encryption at rest	Define CUI storage locations	MSP encrypts; Client defines scope

System and Information Integrity (SI)

Control ID	Control Description	MSP Responsibility	Client Responsibility	Shared Details
SI.L2-3.14.1	Identify and correct flaws	Patch managed systems	Approve timing, test applications	MSP patches; Client approves
SI.L2-3.14.2	Malicious code protection	Deploy endpoint protection	Report suspected infections	MSP deploys; Client reports
SI.L2-3.14.3	Monitor for indicators	Monitor managed systems	Review alerts, investigate	MSP monitors; Client investigates
SI.L2-3.14.6	Monitor communications for attacks	Monitor network for threats	Review findings, approve response	MSP monitors; Client approves
SI.L2-3.14.7	Identify unauthorized use	Alert on anomalous activity	Investigate alerts, take action	MSP alerts; Client investigates

SOC 2 Shared Responsibility Matrix Template

Common Criteria (CC) - Security

Control Area	MSP Responsibility	Client Responsibility	Shared Details
CC6.1 - Logical access	Implement access controls in managed infrastructure	Define access requirements, authorize users	MSP implements; Client authorizes
CC6.2 - Prior authorization	Configure approval workflows	Approve access requests, review periodically	MSP configures; Client approves
CC6.3 - New access removal	Execute access changes within SLA	Notify of onboarding/offboarding, document requirements	MSP executes; Client notifies
CC6.6 - External threats	Monitor and protect from external threats	Fund security tools, review findings	MSP monitors; Client funds
CC6.7 - Transmission protection	Implement encryption in transit	Define transmission requirements	MSP implements; Client defines
CC6.8 - Unauthorized software	Control software installation	Define approved software list	MSP controls; Client defines
CC7.1 - Configuration standards	Maintain hardened configurations	Approve standards	MSP maintains; Client approves
CC7.2 - Infrastructure monitoring	Monitor infrastructure, alert on issues	Review alerts, investigate findings	MSP monitors; Client investigates
CC7.3 - Change management	Implement change control process	Approve changes	MSP implements; Client approves
CC7.4 - Vulnerability management	Scan and remediate vulnerabilities	Approve remediation timing	MSP remediates; Client approves
CC7.5 - Incident detection	Detect and alert on incidents	Respond, communicate, document	MSP detects; Client responds

Availability

Control Area	MSP Responsibility	Client Responsibility	Shared Details
A1.1 - Capacity management	Monitor capacity, plan scaling	Define requirements, fund expansion	MSP monitors; Client funds
A1.2 - Environmental controls	Maintain environmental controls for hosted systems	Maintain controls for on-premise equipment	Each maintains own
A1.3 - Backup and recovery	Implement backup per requirements, test recovery	Define RPO/RTO, verify business requirements	MSP implements; Client defines

Confidentiality

Control Area	MSP Responsibility	Client Responsibility	Shared Details
C1.1 - Confidential data identification	Protect data classified as confidential	Identify confidential data, classify appropriately	MSP protects; Client classifies
C1.2 - Confidential data disposal	Securely dispose of data	Notify when disposal required	MSP disposes; Client notifies

Processing Integrity

Control Area	MSP Responsibility	Client Responsibility	Shared Details
PI1.1 - Accurate processing	Maintain system accuracy	Verify processing meets requirements	MSP maintains; Client verifies
PI1.2 - Error detection	Alert on processing errors	Investigate errors, define resolution	MSP alerts; Client investigates

Privacy

Control Area	MSP Responsibility	Client Responsibility	Shared Details
P1.1 - Privacy notice	N/A	Provide privacy notices to data subjects	Client owns
P4.1 - Data collection	N/A	Limit collection to stated purposes	Client owns
P5.1 - Data use	Process data only as authorized	Define authorized uses	MSP processes; Client defines
P6.1 - Data disclosure	Disclose only to authorized parties	Define authorized disclosure	MSP follows; Client defines
P7.1 - Data quality	Maintain data accuracy	Verify data quality	MSP maintains; Client verifies

How to Use This Template

Step 1: Select the Appropriate Framework(s)

Use the HIPAA template for healthcare clients. Use the CMMC template for defense contractors. Use the SOC 2 template for SaaS clients and service providers.

For multi-framework engagements, combine templates and consolidate overlapping controls.

Step 2: Customize for Your Engagement

The templates are starting points. Customize based on:

Actual scope of your services
Client's existing capabilities
Specific systems and applications in scope
Client's other service providers

Don't copy verbatim. Review each row and verify it reflects your actual arrangement.

Step 3: Review with the Client

Walk through the SRM with the client before signing. Verify they understand and agree with each assignment. Address disagreements now, not during an audit or incident.

Step 4: Incorporate into Your Agreement

The SRM should be an exhibit to your MSA or SOW. Reference it in the scope of services. Make it contractually binding.

Step 5: Review and Update Periodically

Circumstances change. Services expand. New controls come into scope. Review the SRM at least annually and update as needed.

Common SRM Mistakes

Mistake 1: "Shared" Without Specifics

"Shared responsibility for incident response" means nothing. Who detects? Who investigates? Who notifies regulators? Who communicates with customers?

Every "shared" responsibility needs specifics. Otherwise, both parties assume the other is handling it.

Mistake 2: Copying Without Customizing

A template SRM doesn't match your actual engagement. If you assign yourself responsibility for something you're not actually doing, you've created liability for no reason.

Review every row. Customize to reality.

Mistake 3: Not Getting Sign-Off

An SRM the client hasn't acknowledged is just your opinion. Get their signature on the document or acknowledgment in the SOW.

Mistake 4: Set and Forget

Your services evolve. The client's environment changes. New requirements emerge. If the SRM doesn't update, it becomes inaccurate.

Review annually at minimum.

Mistake 5: Too Much "MSP Responsible"

If you're taking responsibility for things outside your actual scope, you're creating liability. Be realistic about what you own.

Some things should be client responsibility: policy approval, risk decisions, regulatory notifications, workforce management. Don't take those on unless you intend to do them.

Bottom Line

A shared responsibility matrix isn't paperwork. It's liability protection.

For CMMC, it's required. For every other compliance engagement, it's essential. Without one, responsibilities are assumed, assumptions diverge, and disputes follow.

Document responsibilities before work begins. Get client sign-off. Update as circumstances change.

When something goes wrong (and eventually something will), the SRM is your first reference for who owned what. Read our MSP Compliance Liability Guide for the complete framework on protecting your business. And check out our Compliance Pricing Guide to ensure you're pricing based on what you're actually responsible for.