Streamlining security control ownership and responsibility
with cloud service providers

Overview of the Program

The HITRUST Shared Responsibility Program is an important initiative which addresses the top three challenges organizations face when engaging with their cloud service providers:

  • To ensure cloud service providers can communicate appropriate security and privacy assurances relating to the controls associated with the services a customer has contracted
  • To supply better guidance on the delineation of control ownership, including clarifying the more nuanced, partially shared controls that organizations rely upon
  • To simplify the process of a cloud customers’ own assurance processes by enabling and streamlining control inheritance while promoting full awareness and managed risk

Key Components


HITRUST CSF®
Shareable or inheritable controls that are supported for HITRUST CSF® v9.x to distinguish control ownership and delineate responsibility between cloud service providers and their tenants, also serving as input on the design of HITRUST CSF® v10.

HITRUST MyCSF® Assessment Automation
A new cloud assessment process with enhanced MyCSF control inheritance features and functionality to ensure the HITRUST CSF Certification model is designed as “fit-for-purpose” for cloud service providers and their tenants.

HITRUST Shared Responsibility Matrix
A standard matrix template that can be customized by any SaaS, PaaS, IaaS, or Colo cloud service provider to inform their tenants of which HITRUST CSF® v9.x controls are shareable or inheritable.

HITRUST Shared Assurance® Program
A new cloud assessment assurance methodology for testing and scoring HITRUST CSF® control requirements supported by more granular technology scoping parameters.

The soon to be released beta version of the HITRUST Shared Responsibility Model and Matrix will include control requirements for CSF versions 9.1, 9.2, and 9.3.

The Shared Responsibility working group, which is comprised of assessors, cloud service providers, and other industry leaders throughout the cloud provider and assurance ecosystem, will conduct (as part of a closed peer review) a full review and final analysis of the beta release Shared Responsibility Matrix in anticipation of its general release in Q1 2020.

The HITRUST Shared Responsibility Matrix is designed to solve the challenge of the lack of a common language that is needed for organizations to have a productive dialogue around cloud supply chain risk, helping reach an agreement on how to parse out control responsibility and control inheritance between tenants and their cloud service providers while still maintaining confidence that nothing will fall through the cracks.

  1. It is based on an industry-accepted model with a standard set of core principles and common terminology, which clarifies how compliance is shared for all cloud service model types (e.g., SaaS, PaaS, IaaS, and Colo).
  2. It helps organizations navigate and more readily come to an agreement with their cloud service providers with significant clarity of multi-dimensional shared or delineated control requirement responsibility.
  3. It supports an Assess Once, Inherit Many™ approach to ease the cloud assurance burden on tenants for their cloud-based workloads without introducing undue levels of risk.
  4. It will serve as the basis to further enhance the MyCSF control inheritance functionality and features, supporting full integration with HITRUST CSF v10.

If you would like to join the Shared Responsibility Working Group enter your information below: