Inheritance and Shared Responsibility Program FAQs
Is inheritance all or nothing for each requirement or can it be weighted?
You can assign a weight to the inherited score that will apply to a particular control requirement.
Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity domains.
Who will need to subscribe to HITRUST MyCSF for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
Anyone that wishes to allow their assessments to be inherited will need to subscribe to the HITRUST MyCSF. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with a service provider that they can inherit from. This should encourage organizations to do business with those that provide this service.
Will companies still have to pay to allow their assessments to be inherited?
Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.