Shared Responsibility Isn’t Shared Risk: What CMMC, NIST, and DFARS Really Require in 2026
The window for misreading the cloud shared responsibility model has closed. The CMMC 2.0 final rule is in effect, the implementing DFARS clause is appearing in solicitations, and contracting officers are now writing assessment requirements directly into awards. For any organization in the defense industrial base, healthcare, or state, local, and education (SLED) government, the working assumption that the cloud provider absorbs your compliance risk is no longer defensible. It is an audit finding waiting to happen.
The cloud shared responsibility model defines who operates what. It does not transfer regulatory liability. Under CMMC, NIST, and DFARS, audit findings, contract penalties, and False Claims Act exposure all land on the contractor. Not the hyperscaler.
This post explains what the model actually covers in 2026, where the most damaging misunderstandings live, and what defense contractors and regulated organizations need to do this quarter to close the gap.
1. What the Shared Responsibility Model Actually Covers
AWS, Microsoft Azure, Google Cloud, and the rest of the hyperscalers all publish some version of the same model: the provider is responsible for security of the cloud, and the customer is responsible for security in the cloud. The split is real, but the line is sharper than most teams assume.
The cloud provider is responsible for:
- Physical security of data centers
- Power, cooling, and environmental controls
- Network and hypervisor infrastructure
- Hardware lifecycle and firmware integrity
- Service-level availability of platform components
- Underlying platform certifications (FedRAMP, SOC 2, ISO 27001)
The customer remains responsible for:
- Identity and access management, including MFA and privileged access
- Workload, container, and OS configuration
- Application security and patching above the platform layer
- Data classification, encryption keys, and key management
- Logging, log retention, and continuous monitoring
- Backup configuration, testing, and immutability
- Incident response planning, exercising, and reporting
- Documentation, evidence retention, and audit defensibility
- Contractual flow-down to subcontractors handling CUI
For SaaS-heavy workloads, the customer’s surface shrinks toward configuration, identity, and data. For IaaS, it expands all the way down to the operating system. In every case, what auditors check during a CMMC assessment (the documented configurations, the access logs, and the incident response evidence) sits on the customer side of the line.
2. Why Shared Responsibility Is Not Shared Risk
Compliance frameworks assign accountability to the entity holding the contract or the regulated data. Under CMMC and DFARS, that is the contractor. Always.
A FedRAMP-authorized cloud platform gives you a defensible substrate. It does not give you a defensible posture. Your environment still has to demonstrate:
- That NIST SP 800-171 controls are implemented in your tenant, not just available in the underlying service
- That policies are documented, approved, and traceable to control families
- That technical configurations match the stated policies
- That continuous monitoring is operating and being reviewed
- That evidence is retained, structured, and accessible to assessors
The most common compliance failures we see during readiness work are not exotic. They are predictable side effects of the shared-responsibility misread: overly permissive identity roles; MFA enforced on some accounts but not all; storage buckets exposed with default permissions; log retention shorter than the required window; incident response plans that have never been exercised; and backups writable from the same credentials that run production. Every one of these is on the customer side of the line.
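The failure patterns listed above are all checkable against a tenant inventory. The script below is an added example, not Tego's tooling or any provider's API: the inventory format and field names are assumptions chosen for illustration, the sample tenant is constructed to exhibit every pattern, and the control-family tags are an illustrative mapping to NIST SP 800-171 families rather than an assessor's determination. The required retention threshold is a placeholder to be replaced with the value your contract or policy sets.

```python
"""Tenant posture checks for the customer-side failure patterns above.

Added example. Field names and the inventory format are assumptions for
illustration, not any cloud provider's API; the control-family tags are an
illustrative mapping to NIST SP 800-171 families, not an assessor's ruling.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enforced: bool


@dataclass
class Bucket:
    name: str
    public: bool
    holds_cui: bool


@dataclass
class TenantInventory:
    accounts: List[Account]
    buckets: List[Bucket]
    log_retention_days: int
    backup_writers: Set[str]         # identities able to write or delete backups
    production_identities: Set[str]  # identities production workloads run as
    backups_immutable: bool


@dataclass
class Finding:
    family: str    # NIST SP 800-171 control family (illustrative tag)
    severity: str  # "high", "medium" or "low"
    detail: str


# Placeholder threshold: take the real value from the contract, policy or regulator.
REQUIRED_LOG_RETENTION_DAYS = 365


def check_mfa(inv: TenantInventory) -> List[Finding]:
    """MFA enforced on some accounts but not all; privileged gaps rank higher."""
    findings = []
    for acct in inv.accounts:
        if acct.mfa_enforced:
            continue
        sev = "high" if acct.privileged else "medium"
        findings.append(Finding("Identification and Authentication", sev,
                                f"MFA not enforced on account '{acct.name}'"))
    return findings


def check_storage_exposure(inv: TenantInventory) -> List[Finding]:
    """Storage exposed with default/public permissions; CUI exposure is high."""
    findings = []
    for b in inv.buckets:
        if not b.public:
            continue
        if b.holds_cui:
            findings.append(Finding("Access Control", "high",
                                    f"public bucket '{b.name}' holds CUI"))
        else:
            findings.append(Finding("Access Control", "low",
                                    f"public bucket '{b.name}': confirm exposure is intentional"))
    return findings


def check_log_retention(inv: TenantInventory,
                        required_days: int = REQUIRED_LOG_RETENTION_DAYS) -> List[Finding]:
    """Log retention shorter than the required window."""
    if inv.log_retention_days >= required_days:
        return []
    return [Finding("Audit and Accountability", "high",
                    f"log retention {inv.log_retention_days}d is below required {required_days}d")]


def check_backup_separation(inv: TenantInventory) -> List[Finding]:
    """Backups writable from the credentials that run production, or mutable at all."""
    findings = []
    for ident in sorted(inv.backup_writers & inv.production_identities):
        findings.append(Finding("Media Protection", "high",
                                f"identity '{ident}' can both run production and modify backups"))
    if not inv.backups_immutable:
        findings.append(Finding("Media Protection", "medium", "backups are not immutable"))
    return findings


def run_checks(inv: TenantInventory) -> List[Finding]:
    findings: List[Finding] = []
    for check in (check_mfa, check_storage_exposure, check_log_retention, check_backup_separation):
        findings.extend(check(inv))
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory (not a real tenant), built to exhibit every pattern.
SAMPLE = TenantInventory(
    accounts=[Account("alice", privileged=True, mfa_enforced=True),
              Account("bob", privileged=False, mfa_enforced=False),
              Account("svc-admin", privileged=True, mfa_enforced=False)],
    buckets=[Bucket("cui-archive", public=True, holds_cui=True),
             Bucket("public-web", public=True, holds_cui=False),
             Bucket("internal-docs", public=False, holds_cui=True)],
    log_retention_days=90,
    backup_writers={"svc-prod", "backup-operator"},
    production_identities={"svc-prod", "app-runner"},
    backups_immutable=False,
)

if __name__ == "__main__":
    results = run_checks(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] {f.family}: {f.detail}")
    print(summarize(results))
```

Each check returns findings rather than printing them, so the same functions can feed an evidence export; the family tag on each finding is what lets a readiness team trace a technical gap back to the control family it will be assessed under.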
3. How CMMC 2.0, NIST, and DFARS Actually Allocate Responsibility
The current regulatory stack is more explicit about contractor accountability than its predecessors.
CMMC 2.0, codified at 32 CFR Part 170, requires Level 2 contractors to implement all 110 controls from NIST SP 800-171 Rev 2 and to undergo third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). Senior official affirmation is now annual and personal. False affirmations carry False Claims Act exposure.
DFARS 252.204-7012 requires adequate security for covered defense information and the rapid reporting of cyber incidents. DFARS 252.204-7019 and -7020 require contractors to post and maintain a current NIST 800-171 self-assessment score in the Supplier Performance Risk System (SPRS). DFARS 252.204-7021 operationalizes the CMMC requirement in contracts.
NIST SP 800-171 remains the underlying control set. Rev 2 is the version currently mapped to CMMC 2.0. Rev 3 has been published and will eventually be incorporated; contractors working on Rev 2 today should track the transition rather than ignore it.
Underneath it all, the CUI Program defines what counts as protected data in the first place. Every contractor that touches CUI, including subcontractors, inherits a responsibility that the cloud provider cannot absorb.
4. Where Defense Contractors and Regulated Organizations Get This Wrong
Patterns repeat across our CMMC Discovery Assessment engagements. A few representative scenarios:
The aerospace subcontractor is running CUI through commercial Microsoft 365. The platform itself is excellent. The tenant is not configured for FedRAMP Moderate equivalency, eDiscovery is open to general counsel, and CUI is sitting in shared mailboxes accessible by accounts without MFA. The provider is compliant. The contractor is not.
The healthcare IT firm assumes the SaaS vendor’s SOC 2 covers HIPAA risk. SOC 2 attests to the vendor’s controls. It does not attest to how the customer configures access, retention, or breach notification. The contractor is the covered entity. The audit findings land there.
The county government is storing sensitive records in a hyperscale tenant with default logging. Three months of activity logs do not meet most regulatory retention windows. When a forensic review is triggered, the county discovers the evidence does not exist.
The defense prime flows CMMC obligations down to a small subcontractor with no implementation guidance. The prime is still on the hook to ensure controls are in place across the supply chain. A noncompliant sub is a noncompliant prime.
In each case, the misreading is identical: the cloud platform is treated as the compliance solution rather than the foundation on which a compliance posture must be built.
5. Governance Is the Difference Between Compliance and Risk Management
The NIST Cybersecurity Framework 2.0 added Govern as a core function precisely because technical controls without governance produce inconsistent outcomes. In a cloud environment, governance means clearly named control owners, documented risk acceptance decisions, regular validation of provider attestations, and executive visibility into compliance posture. It is the layer that prevents shared responsibility from quietly becoming nobody’s responsibility.
Owning Cloud Compliance With Confidence
Cloud providers carry an enormous burden, and they carry it well. What they cannot carry is your assessment, your contracts, your data classification, or your evidence trail. Those obligations move with the contractor.
Tego works with regulated organizations and defense contractors to architect cloud environments that are not only operational but defensible. As a CMMC Registered Practitioner Organization, our advisory team conducts scoping, gap analysis, and Customer Responsibility Matrix mapping aligned to NIST SP 800-171 and the DoD assessment methodology. Our engineers design and deploy secure cloud enclaves on the platforms your contracts require. Our Enterprise Managed Services team operates the resulting environment with the documentation discipline required by annual affirmations and third-party assessments.
If your organization is preparing for a CMMC assessment, refreshing its cloud architecture, or seeking an honest read on its current posture, start with a Tego CMMC readiness assessment or a compliance and cloud security consultation. The contractors who fare best in 2026 are the ones who stop treating shared responsibility as a transfer of risk and start treating it as a map of who is accountable for what.