What is security control inheritance?

Prepare for the FISMA Interview Test. Get familiar with key topics and enhance your knowledge with flashcards and multiple-choice questions. Study effectively and be ready for your exam!

Multiple Choice

What is security control inheritance?

Explanation:
Security control inheritance is when a system relies on protections that are provided by another entity rather than implementing all controls itself. In practice, some security controls are established, operated, and monitored by someone else—such as the hosting environment or a third-party service—and the system “inherits” those controls. For example, if a system runs in a cloud environment, the cloud provider’s security measures (infrastructure protection, network controls, logging, etc.) are inherited by the system, while the organization retains responsibility for controls it must manage directly. The description that emphasizes protection coming from controls developed, instrumented, assessed, authorized, and monitored by entities other than the system owner captures this idea.

The other options describe specific controls or policies (like encryption at rest, logging, or password management) rather than the arrangement where protection is provided by external or shared sources.