Breaking Down CMMC Inheritance: Clarity, Challenges, and Compliance

As DIB contractors move towards CMMC compliance, one of the more complex and misunderstood areas is control inheritance, a topic that becomes especially relevant when working with External Service Providers (ESPs). In Climbing Mount CMMC’s most recent podcast episode, Bobby and Kaleigh explored the nuances of inheritance, emphasizing the importance of documentation, shared responsibilities, and the need for clarity in the roles of all parties involved.

The Role of Inheritance in CMMC

Control inheritance occurs when an organization relies on an ESP to meet certain cybersecurity requirements outlined in the CMMC framework. While this model of an ESP trickling its controls down to the Organization Seeking Assessment (OSA) is common, it also introduces several challenges. Many organizations mistakenly assume they can fully “pass off” compliance obligations to their ESPs. When this happens, it leads to gaps in the OSA’s System Security Plan (SSP) and misalignment during the assessment.

How Can I Inherit Controls?

Not any ESP can waltz in and bring inheritance to an OSA. For the opportunity to have inheritance, there are a few things that MUST happen first:

  1. The ESP must be CMMC Level 2 Certified: This means the environment from which the ESP will serve the OSA has been assessed by a C3PAO.
  2. The ESP must be performing the Assessment Objective (AO) for the OSA: In other words, the provider needs to be delivering the exact AO as written in NIST SP 800-171 r2. The ESP is responsible for getting the work done, and they are the ones implementing the AO.
  3. The inheritance must be properly documented: The CMMC Assessor needs to be able to see what is inherited and how before inheritance can be credited. This means the System Security Plan (SSP) and Customer Responsibility Matrix (CRM) must speak clearly.

Even with these items in place, it doesn’t guarantee full inheritance of the control or AO. Assessors still have every right to pull the ESP into the assessment and request evidence that the AO is met in the OSA’s environment. Even with a top-tier ESP, your organization is still responsible for demonstrating how each control is implemented, documented, and maintained. CMMC assessors will want to see how you uphold your part of shared responsibility.

Your SSP and CRM: Foundational Documents for Compliance

An organization must clearly document their relationships with ESPs within their SSPs. This documentation MUST outline which controls are inherited, how they are implemented, and who holds responsibility for monitoring and maintaining them. Additionally, a Customer Responsibility Matrix (CRM) is vital to delineate the division of control ownership between the organization and its ESP. These documents are essential (and mandatory) during a CMMC assessment and can be the difference between success and remediation.

32 CFR states, “The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and CRM” (83228).

The Relationship Between an OSA and their ESP

The conversation also highlighted a key issue among Organizations Seeking Assessment (OSAs): a lack of clarity. When OSAs fail to explicitly define how and where inheritance applies, organizations may find themselves unprepared for CMMC assessments. While ESPs play a critical role in supporting compliance efforts, not all of their controls can be fully inherited. Each organization must still fulfill specific requirements that cannot be delegated or outsourced. This includes things like policy ownership, user access oversight, and incident response readiness.

The MSP Myth: Why Compliance Isn’t a Hand-Off

An MSP can be a powerful ally in achieving compliance, but it is not a substitute for organizational ownership of cybersecurity or information security practices. OSAs must actively participate in their compliance journey by understanding the controls, maintaining awareness of inherited responsibilities, and preparing thoroughly for assessments.

If approached correctly, CMMC inheritance can be an extremely valuable compliance strategy. It requires more than just selecting the right MSP; it demands shared accountability. If you have any questions about anything MSP or CMMC related, feel free to reach out to us.

If you’d like to watch the full podcast episode, check it out on our Climbing Mount CMMC YouTube channel.