The term “non-contextual” indicates that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with non-contextual ratings is that many, if not most, organizations have significant difficulty with the risk analysis process and do not truly understand the impact a particular control failure may have on the organization. The HITRUST impact ratings, which are based on U.S. Department of Defense (DoD) work on the impact and severity codes used under the Defense Information Assurance Certification and Authorization Program (DIACAP), therefore provide an indication of the relative impact of the controls in the framework should they fail.

The key to understanding this approach is that controls are designed to address one or more threats to the organization, each of which arguably presents a certain amount of additional risk should one or more vulnerabilities be successfully exploited. Since the assets in question are information assets of a specific type, i.e., ePHI and other information with similar confidentiality and criticality requirements, estimates of the impact of a control failure can legitimately be made (again, as demonstrated by the DoD).

The organization then adjusts the impact ratings for its own use (outside of the MyCSF tool) based on a contextual analysis of those controls that require some sort of remediation. Limiting the scope of the analysis to this subset of controls makes it more tractable. The Risk Analysis Guide provides the impact ratings along with an example of how an organization can prioritize corrective actions for control deficiencies using these ratings. The example also uses priority codes derived from NIST SP 800-53 r4, which indicate the relative dependence of the controls upon each other.
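As an added illustration (not code from HITRUST, the MyCSF tool, or the Risk Analysis Guide), the following Python sketch shows the prioritization logic described above: the framework's non-contextual impact ratings are replaced by the organization's contextual adjustments only for controls that are actually deficient, and corrective actions are then ranked by NIST SP 800-53 r4 priority code (P1 before P2 before P3, since lower-numbered codes are implemented first) and by adjusted impact. The 1-to-5 impact scale, the control identifiers and the sample ratings are constructed assumptions, not HITRUST's actual values.

```python
"""Added example of impact-rating based remediation prioritization.

Constructed assumptions (not HITRUST's actual scale or ratings):
  - impact ratings are ordinal integers, 1 (lowest) to 5 (highest)
  - control identifiers such as "CTRL-A" are placeholders, not CSF control IDs
  - NIST SP 800-53 r4 priority codes: P1 implemented first, then P2, then P3;
    P0 marks controls not selected for any baseline
"""
from dataclasses import dataclass

# Lower value = implement earlier (dependencies before the controls that rely on them).
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P0": 3}
IMPACT_MIN, IMPACT_MAX = 1, 5


@dataclass
class Control:
    control_id: str
    non_contextual_impact: int  # framework-supplied, environment-independent
    priority_code: str          # NIST SP 800-53 r4 priority code
    deficient: bool             # failed assessment -> needs a corrective action


def contextual_impact(control, adjustments):
    """Impact used for ranking: the organization's contextual adjustment where
    one was supplied, otherwise the non-contextual framework rating."""
    return adjustments.get(control.control_id, control.non_contextual_impact)


def validate(control, impact):
    if control.priority_code not in PRIORITY_ORDER:
        raise ValueError(f"{control.control_id}: unknown priority code {control.priority_code}")
    if not IMPACT_MIN <= impact <= IMPACT_MAX:
        raise ValueError(f"{control.control_id}: impact {impact} outside {IMPACT_MIN}..{IMPACT_MAX}")


def prioritize_corrective_actions(controls, adjustments=None):
    """Return deficient controls as (id, priority_code, adjusted_impact) tuples,
    ordered by priority code, then adjusted impact high-to-low, then id."""
    adjustments = adjustments or {}
    deficient = [c for c in controls if c.deficient]

    # The contextual analysis is scoped to the deficient subset, so an
    # adjustment for a control that passed is a data error, not something to apply.
    stray = set(adjustments) - {c.control_id for c in deficient}
    if stray:
        raise ValueError(f"adjustments supplied for non-deficient controls: {sorted(stray)}")

    for c in deficient:
        validate(c, contextual_impact(c, adjustments))

    ranked = sorted(
        deficient,
        key=lambda c: (PRIORITY_ORDER[c.priority_code],
                       -contextual_impact(c, adjustments),
                       c.control_id),
    )
    return [(c.control_id, c.priority_code, contextual_impact(c, adjustments)) for c in ranked]


# Constructed sample assessment results.
SAMPLE_CONTROLS = [
    Control("CTRL-A", 3, "P1", deficient=True),
    Control("CTRL-B", 5, "P1", deficient=True),
    Control("CTRL-C", 4, "P2", deficient=True),
    Control("CTRL-D", 5, "P3", deficient=False),  # passed; never ranked
    Control("CTRL-E", 2, "P3", deficient=True),
]

# Constructed contextual analysis: compensating controls lower CTRL-B's impact,
# while CTRL-E turns out to protect more ePHI than the generic rating assumes.
SAMPLE_ADJUSTMENTS = {"CTRL-B": 2, "CTRL-E": 4}

if __name__ == "__main__":
    for row in prioritize_corrective_actions(SAMPLE_CONTROLS, SAMPLE_ADJUSTMENTS):
        print(row)
```

Run without `SAMPLE_ADJUSTMENTS` to see the purely non-contextual ordering; the difference between the two runs is exactly the effect of the organization's contextual analysis on the remediation order.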
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.