Inheritance vs Reciprocity
In GRC operations, words have specific meanings. The concept of inheritance vs reciprocity is a common "word crimes" incident, since the terms are not interchangeable.
Inheritance / Control Inheritance
The NIST Glossary defines INHERITANCE as, "A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control."
The NIST Glossary defines CONTROL INHERITANCE as, "A situation in which a system or application receives protection from security or privacy controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control."
Reciprocity
The NIST Glossary defines RECIPROCITY as, "Mutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information."
Understanding The Difference Between Inheritance vs Reciprocity
Inheritance applies when an organization has a contract in place with an External Service Provider (ESP): certain controls that the ESP operates can be inherited by the organization using its services. For instance, the physical security practices that the ESP operates at its own data center would be inherited by its clients.
Reciprocity applies when an organization holds a certification (e.g., ISO 27001, CMMC L2, SOC 2, etc.) and wants to apply that certification as evidence of controls being met, in order to minimize control scoping. For instance, the Secure Controls Framework Conformity Assessment Program (SCF CAP) offers reciprocity to organizations with a current CMMC L2 certification: the in-scope controls would be removed from the scope of controls to be evaluated as part of an SCF CAP assessment, due to the reciprocity agreement in place for the SCF CAP to accept CMMC L2.