One of the most time consuming tasks in performing assessments is the linkage of documentation. I think it would be helpful if our documentation repository creates a slot for each document. The slot is then mapped in a one to many relationship model to control requirements. The documents are then uploaded to the virtual slot. The big advantage is that documents in the slots can be automatically mapped to any assessment object and if the most recently reviewed version of a policy is uploaded to the slot to replace the old version, the new one automatically mapped as well. This will make the heavy lift the first assessment an organization performs. Subsequent assessments retain the linkages to the version of the document in the mapped slot. The only updates would be to review the slot linkages to make sure they still are valid. It would save a great deal of mindless hours of point and click. Also, from an assessor stand point, if there is a document in the slot and the assessor gives it a thumbs up, then the tool should automatically link it as the assessor to the control requirement. Again saving some expensive and low value assessor time in performing validations.

Like in 1.0 click a document that is associated and bring up the information related to it.
Document Preview without Downloading would be niceThis reader should be view-only (no edits)… in a future version we’d like edit capability (e.g. to allow annotations such as textboxes… if we can even get a read-only viewer for the time being that would be a big win)
Allows a document to be viewed in the browser and optionally downloaded
Maybe mimic the O365 outlook model or Google Drive model of handling files?
only supports these file types:
PICTURES: jpg png bmp tiff jpeg
PORTABLE DOCS: xps pdf
OFFICE: doc docx xls xlsx ppt pptx
TEXT: txt csv dat json xml
if not a supported file type defaults to browser behavior (download then let windows handle how to open)
should be used for:
Evidence uploaded by assessor or subscriber
Any contracts such as rep letter participation letter
Test plans QA checklists
(Anything attached really)

Enhance the Average Domain by Maturity Rating Report to also report on the Assessor's suggested maturity scores. The current Average Domain by Maturity Rating Report only reports the maturity scores entered by the subscriber. During an assessment project, there is not a method for the customer to generate a report that reflects the proposed maturity scores from the assessor. In order to prioritize their efforts, subscribers often need to understand whether a domain has obtained a passing score or not. Currently, they need to accept all the scores from the assessors or create a manual report outside of the MyCSF portal to obtain this information. In either case, it is time-consuming and tedious to manually report this information.

After deciding that a control was inheritable, we saw the link in the bottom left menu, but when the page displayed there was no active buttons and nothing to indicate that the request had not been submitted to the cloud service provider.

After our inheritance requests sat in pending status for 3 days, we checked with HITRUST support to discover that we must select the Created link at the top, first, and then select the Submit to Vendor button that appears only after the create step in order to properly send the request.

There is an opportunity to eliminate some potential confusion by making the Submit to Vendor button appear without the need for the create step.

There are times when the addition of assessor team quality review pushes past the 90-day window. We get backlogged the same way you do. We always adhere to the 90-day window for accepting and reviewing evidence, and we can demonstrate that reasonably. But it would be helpful if there was some flexibility around the submission date. If we plug in the real dates of assessment, and then submit 91 days after we started testing, the system errors due to >90.

Introducing the notion of the defined assessment window of 90 days, and the CHQP review period (stated dates) might help to explain the assessment and offer the assessor firm a few additional days when needed to complete a quality review.