CSF Certification can be achieved when the minimum compliance level (a score of 3+ or 3 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). The total amount of time it can take an organization to become certified is therefore dependent on its initial readiness level and the amount of remediation needed to fully implement all the requirements in scope for the assessment. Most organizations will perform at least one self-assessment to gauge their readiness for certification and, once an organization is comfortable that they will meet the certification requirements, they will hire a CSF assessor to perform a validated assessment. These independent assessments can take anywhere from 2-8 weeks on average depending on the size and complexity of the organization and the scoped environment, and it can take a minimum of 8 weeks for the validated assessment to be processed and certification awarded by HITRUST. In general, it can take up to 3-4 months to complete the assessment and obtain certification once an organization is ready.
Reference: HITRUST CSF Assurance Program Requirements