The HITRUST Shared Responsibility Program

Streamlining security control ownership and responsibility

What is the HITRUST Shared Responsibility Program?

The HITRUST Shared Responsibility Program has been created to simplify and streamline the process for determining shared control responsibilities between organizations and third-party service providers. The program will provide clarity on the roles and responsibilities regarding ownership and operation of security controls. HITRUST is streamlining the assurance process for implementing and assessing controls that are shared or inherited between service providers and customers. This will address the growing misunderstandings, risks, and complexities that come with sharing control responsibility.

Protecting sensitive information is a challenge for any organization and even more so for organizations that leverage service providers. The risks associated with control failures by third-party service providers — such as cloud hosting, platform-as-a-service, or a business process outsourcer — continue to increase as customers don’t fully understand their responsibilities, coupled with the complexity of assessing security control effectiveness when control responsibility is shared. Responsibility for sensitive information cannot be ignored regardless of the service being provided by the third party.

The Shared Responsibility Program will remove the guesswork, ambiguity, and confusion that comes with defining control responsibility between customer and service provider.

Objectives of the HITRUST Shared Responsibility Program:

  1. Ensure organizations and their third-party cloud providers appropriately identify and assess information security controls
  2. Remove the guesswork, ambiguity, and confusion that comes with defining control responsibility between customer and service provider
  3. Outline data governance, information risk management, and regulatory compliance requirements in clear, concise language
  4. Automated control scoring inheritance in the MyCSF® tool

The Root of the Issue

No matter what type of third-party service provider being used, (SaaS, IaaS, PaaS, BPO, etc.) the issues are the same:

    • Too many frameworks and variety in controls from one organization to another
    • No recommendations for customers and providers on which controls can and should be shared
    • No guidance for the assessor firms on how to test and score shared controls
    • There is no application to allow for the rapid sharing of assessment results
    • Requesting assessment results from service providers and deciphering the specific control scoring and evidence is a time-consuming effort

Key Components of the HITRUST Shared Responsibility Program

  1. HITRUST CSF® — Updates to HITRUST CSF to better delineate responsibility and allow for a clear distinction of accountability for controls that are leveraged in outsourcing arrangements, including those where shared responsibility occurs ensuring more granular requirements are defined and can be assigned.
  2. Shared Responsibility Matrix — Derived from the HITRUST CSF, a matrix designed to list the common set of sharable and inheritable controls that can be used to support the HITRUST CSF Certification of a cloud service provider, with a focus on Infrastructure, Platform, and Software-as-a-Service (IaaS, PaaS, SaaS). The matrix is designed to be used as a tool to ensure alignment between customers and service providers when creating a business agreement. A completed shared responsibility matrix could also be used by the CSF Assessor as part of the CSF Assessment to ensure compliance.
  3. Assurance Program — Assessment & Control Guidance – Update the CSF Assurance program to address the proper assessment of shared responsibility controls and ensure controls with shared responsibility are operating effectively through the use of the CSF control responsibility matrix/worksheet and proper sampling, testing, and scoring. This includes assessment guidance on how evidence can be obtained and validated from third parties.
  4. MyCSF Assessment Automation — Enhance the MyCSF tool to allow organizations to pre-populate their assessments with fully inherited or shared responsibility control results and scores directly from designated HITRUST CSF Certified service providers. MyCSF will streamline the process for customers using CSF Certified Service Providers to complete their assessment and reduce the effort required during the assessment review process.


If you are interested in participating in the next Shared Responsibility Program working group, click here to sign up.

If you would like to listen to our Shared Responsibility Program webinar, or view the presentation, click here.