Who is responsible for the cloud security controls?

There is a shared security responsibility model when using cloud products. Cloud service providers (CSPs) and customers (agencies or leveraging CSPs) both assume important security roles and responsibilities to ensure data is protected within cloud environments. CSPs are required to submit a Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) workbook as Appendix J to the System Security Plan (SSP). The CIS/CRM workbook identifies security controls that the CSP is responsible for implementing, security controls that the customer is responsible for implementing, security controls where there is a shared CSP/customer responsibility, and security controls that are inherited from an underlying FedRAMP Authorized Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS). CSPs use the CRM to describe the specific elements of each control where the responsibility lies with the customer.