HAA 2023-009: Shared Responsibility Matrix (SRM) V1.4.1 Update

Written by HITRUST | Feb 28, 2024 8:24:16 PM

Overview
The HITRUST Shared Responsibility Matrix® (SRM) has been updated to V1.4.1. The upgrade could impact Assessed Entities and their External Assessors who utilize inheritance within their HITRUST assessments. Assessed Entities and External Assessors who do not utilize inheritance within their HITRUST assessments are not impacted by this Advisory.

SRM V1.4.1 Changes
SRM V1.4.1 adds inheritability values (e.g., fully, partially, or not inheritable) at the evaluative element (EE) level. Transparency into inheritability at the EE level has several benefits, including:

  • Better precision in pre-assessment inheritance strategy-setting efforts.
  • More easily identifying requirement statements containing a mix of inheritable and not inheritable EEs.
  • More informed determination of inheritance weights, especially in partial inheritance scenarios.

As a result of taking the SRM down to the EE level, 129 requirement statements increased in inheritability and 73 requirement statements decreased in inheritability, for a total of 202 changes (7%) applied to the 2,724 SRM baseline requirement statements spanning CSF v9.1 to v11.1.0. The rollout of the SRM V1.4.1 update via the timeline below is intended to minimize the impact on assessments that use the legacy SRM V1.4 inheritability values and are already planned or in process. For further details on these inheritability changes, refer to the following:

  • The SRM V1.4.1 baseline template overview includes a table with the number of requirement statements impacted by inheritability changes per HITRUST Assessment Domain.
  • All V1.4.1 SRMs include the legacy SRM V1.4 inheritability values in column C, to be viewed side by side with the SRM V1.4.1 inheritability values in column B, which may have been updated.

SRM V1.4.1 Rollout and Timeline
Concurrent with the release of this advisory:

  • The HITRUST SRM baseline template available for download in MyCSF (full version) and hitrustalliance.net (public version) has been updated to SRM V1.4.1 and includes the legacy SRM V1.4 inheritability values for reference purposes.
  • All SRMs tailored for inheritance providers (e.g., AWS, GCP, Azure) have also been updated to SRM V1.4.1.

For the requirement statements with changed inheritability values in SRM V1.4.1, all inheritance providers with a published SRM have confirmed that external inheritance requests in a “Submitted” status within MyCSF with a weight using either SRM V1.4 or SRM V1.4.1 will be approved by the inheritance provider, assuming all other criteria set by the inheritance provider have been met, until January 31, 2024.

All external inheritance requests submitted to inheritance providers after January 31, 2024, are expected to be weighted in observance of inheritability values in the latest SRM version.

Additional resources
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager. Learn more about the HITRUST Shared Responsibility and Inheritance program.