Even if you use an EHR, you still have to conduct your own SRA, since it scans YOUR environment (not your EHR's software). All APM and MIP healthcare providers under MACRA are individually responsible for attesting to the SRA, as well as for conducting it regularly, in order to maximize payments.
Does the SRA performed by CSM Hosting cover all the protected ePHI components required by CMS, HHS and OCR? The short answer is no. Since CSM Hosting doesn't have physical access to all the security systems in place in your office, we cannot ensure ongoing compliance with users.
HIPAA security rule guidelines are being updated regularly. However, you are required to attest by December 31, 2017. You can do that HERE. But don't wait until the last minute. Government systems tend to be less reliable the closer you get to the deadline.