Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification; a validated assessment still provides assurance about which specific controls are implemented, which are not (or have been modified), and how well they are implemented. If an organization chooses not to implement a specific control requirement, or not to address a requirement at a particular maturity level, this is simply identified in the assessment report. Relying entities can then decide whether or not the controls the organization has implemented meet their needs.
Organizations are free to assess specific controls for other purposes, such as FISMA compliance or audits of specific risk areas like access control. Other organizations may simply treat the CSF as a source of industry leading practices, evaluating each practice to determine whether it is appropriate for them. Such an organization could still conduct a formal self-assessment, or retain an Authorized External Assessor Organization to evaluate the selected controls and receive a validated assessment report.
For more information, refer to the brochure on Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 and the HITRUST CSF Assurance Program Detailed Overview.