In HITRUST MyCSF, inheritance allows organizations to leverage control implementations from other entities or internal departments to reduce redundancy and streamline assessments.
Cross Organizational inheritance → Accepted; allows borrowing controls from a trusted external organization (e.g., a cloud provider).
Internal inheritance → Accepted; allows reuse of controls across internal business units or shared services.
External inheritance → Accepted; typically used when outsourcing to a vendor that provides evidence.
Bi-lateral inheritance → Not recognized by HITRUST, as inheritance flows one way only (from provider to relying party).
Extract Reference (HITRUST MyCSF User Guide, CCSFP Program Objectives):
Appropriate inheritance types include cross organizational, internal, and external. Bi-lateral inheritance is not supported in MyCSF, as inheritance is directional and validated only from provider to consumer.