The Audits and Assessments Utilized webform is completed by the Assessed Entity and External Assessor to document reliance placed on the work of others by either the usage of the inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor.
13.2.1 Inheritance: When inheritance is applied to a requirement statement by the Assessed Entity, MyCSF automatically adds the associated HITRUST assessment that was inherited from and populates that HITRUST assessment’s details into the Audits and Assessments Utilized webform (including the assessment name, type, report date, and assessment domains for which external inheritance was utilized). The External Assessor will be required to complete the assessed organization name field and map the inherited HITRUST assessment to related in-scope platforms and facilities within the Audits and Assessments Utilized webform.
13.2.2 Reliance: For any third-party attestation reports being relied upon, the External Assessor or Assessed Entity (depending on who uploaded the document) must tag the report within the Documents repository or within the requirement statement (if uploading the document within a particular requirement statement) by checking the box labeled, “Is this an attestation report issued by a third party?” After tagging the document as an attestation report issued by a third party, the External Assessor or Assessed Entity populates the various report details, including assessed organization, report type, and report dates. The External Assessor or Assessed Entity must map the utilized third-party attestation report to the related in-scope platforms and facilities within the Audits and Assessments Utilized webform. NOTE: Each document should be uploaded to MyCSF only once to ensure the Audits and Assessments Utilized webform does not contain duplicate entries.
13.2.3 The Audits and Assessments Utilized webform may only include information related to the assessment’s usage of inheritance and/or reliance. Reports used to support direct testing of a requirement statement (such as Penetration Tests, Vulnerability Assessments, Risk Assessments, etc.) should not be included in the Audits and Assessments Utilized webform.
NOTE: If the offline assessment template is utilized, the External Assessor or Assessed Entity also may tag documents as attestation reports issued by a third party by selecting “Yes” in the “Third Party Report?” column within the Documents tab of the offline assessment workbook. After uploading the offline assessment, the External Assessor or Assessed Entity will follow the remaining steps within the webform.