Overview

The Risk Management Handbook presents risk management concepts and methodologies foundational to the HITRUST Approach™. This handbook is intended to help support integration of HITRUST products, services, and tools into an organization’s existing risk management program.
 

Details
Since its release in 2009, HITRUST has developed and communicated specific elements of its Risk Management Framework (RMF) through various whitepapers, presentations, and other documents. The new Risk Management Handbook consolidates and aligns these elements by providing a centralized discussion of the underlying methodologies that make up the HITRUST RMF. The Risk Management Handbook helps illustrate how those concepts support the various products, services, and tools that collectively make up the HITRUST Approach.

The original risk analysis guidance present in the following documents will be removed from the HITRUST website on December 12, 2023.

• Risk Analysis Guide
• Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection
• Risk Management Frameworks

While the Risk Management Handbook illustrates the foundational risk management concepts underlying the HITRUST risk management framework (also known as the HITRUST Approach), the Assessment Handbook (announced in exposure draft alongside the Risk Management Handbook in HAA 2023-008) defines the requirements for Assessed Entities and External Assessors completing readiness or validated assessments and provides guidance and expectations of the assessment and certification processes. Please note that the final version of the HITRUST Assessment Handbook will be published in a future Advisory.

Additional resources

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

The HITRUST Shared Responsibility Matrix® (SRM) has been updated to V1.4.1. The upgrade could impact Assessed Entities and their External Assessors who utilize inheritance within their HITRUST assessments. Assessed Entities and External Assessors who do not utilize inheritance within their HITRUST assessments are not impacted by this Advisory.
 

SRM V1.4.1 Changes
SRM V1.4.1 adds inheritability values (e.g., fully, partially or not inheritable) at the evaluative element (EE) level. Transparency at the EE-level inheritability has several benefits, including:

• Better precision in pre-assessment inheritance strategy-setting efforts.
• More easily identifying requirement statements containing a mix of inheritable and not inheritable EEs.
• More informed determination of inheritance weights, especially in partial inheritance scenarios.

As a result of taking the SRM down to the EE level, 129 requirement statements increased inheritability and 73 requirement statements decreased inheritability totaling 202 (7%) changes applied to the 2,724 SRM baseline requirement statements spanning CSF v9.1 to v11.1.0. The rollout of the SRM V1.4.1 update via the timeline below is intended to minimize the impact to assessments using the legacy SRM V1.4 inheritability values that are already planned or in process. For further details on these inheritability changes, refer to the following:

• The SRM V1.4.1 baseline template overview includes a table with the number of requirement statements impacted by inheritability changes per each HITRUST Assessment Domain.
• All V1.4.1 SRMs include the legacy SRM V1.4 inheritability values in column C to be viewed side-by-side with SRM V1.4.1 inheritability values in column B that may have been updated.

SRM V1.4.1 Rollout and Timeline

Concurrent with the release of this advisory:

• The HITRUST SRM baseline template available for download in MyCSF (full version) and hitrustalliance.net (public version) has been updated to SRM V1.4.1 and includes the legacy SRM V1.4 inheritability values for references purposes.
• All SRMs tailored for inheritance providers (e.g., AWS, GCP, Azure) have also been updated to SRM V1.4.1.

For the requirement statements with changed inheritability values in SRM V1.4.1, all inheritance providers with a published SRM have confirmed that external inheritance requests in a “Submitted” status within MyCSF with a weight using either SRM V1.4 or SRM V1.4.1 will be approved by the inheritance provider, assuming all other criteria set by the inheritance provider have been met, until January 31, 2024.

All external inheritance requests submitted to inheritance providers after January 31, 2024 are expected to be weighted in observance of inheritability values in the latest SRM version.

Additional resources

For any additional questions, please contact our support team at support@hitrustalliance.net or a HITRUST Customer Success Manager. For more information about the HITRUST Shared Responsibility and Inheritance program please visit, https://hitrustalliance.net/hitrust-srm-inheritance-program.

Overview

HITRUST has published exposure drafts of the Risk Management Handbook and Assessment Handbook.

• The Risk Management Handbook presents risk management concepts and methodologies foundational to the HITRUST Approach™. The handbook is intended to help support integration of HITRUST products, services, and tools into an organization’s existing risk management program.
• The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The assessment handbook is intended to provide guidance and expectations of the assessment process to the HITRUST community.

HITRUST invites all stakeholders to review the proposed Risk Management Handbook and Assessment Handbook, then submit feedback using the links below.

Exposure Drafts

Risk Management Handbook Exposure Draft
Submit Comments

Assessment Handbook Exposure Draft
Submit Comments

Timeline

The exposure drafts of the Risk Management Handbook and Assessment Handbook are available now for review. Please use the links above to access the handbooks and submit all comments by July 7, 2023.

The Risk Management Handbook and Assessment Handbook are not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published within the HITRUST website (www.hitrustalliance.net).

Additional Information

For any additional questions, please contact our Support team.

Overview

Upon the release of CSF v11.1, HITRUST is announcing the deadline for creating e1 and i1 assessments using CSF v11.0.

Timeline

Details

New e1 and i1 assessments may continue to use CSF v11.0 until July 31, 2023.

• Effective July 31, 2023, the ability to create new e1 and i1 assessments using CSF v11.0 will be disabled.
• e1 and i1 assessments using CSF v11.0 can continue to be submitted after July 31, 2023. The v11.0 e1 and i1 assessment submission deadline will be announced a minimum of 90 days in advance.

e1 and i1 Assessment Change Summary

e1 Assessment
The e1 assessment requirement statements have not changed between v11.0 and v11.1.

i1 Assessment
One requirement statement (0506.09m1Organizational.12) included in the i1 assessment has been updated for clarity in v11.1.

• v11.1:

  Where a specific business need for wireless access has been identified the organization requires end points to encrypt traffic prior to transmitting information over a wireless network. For devices that do not have an essential wireless business purpose, the organization disables wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

• v11.0:

  Where a specific business need for wireless access has been identified, the organization configures wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, the organization disables wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

 
No other changes have been made to the i1 assessment requirement statements between v11.0 and v11.1.

Additional Information

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

The HITRUST CSF v11.1 framework (v11.1) is available within MyCSF and downloadable here as of April 4, 2023.

Included in v11.1 are several new and refreshed authoritative sources.

New and Refreshed Authoritative Sources

v11.1 includes the following new and refreshed Authoritative Sources:

• Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
  • The existing MARS-E Compliance factor, “MARS-E v2.0” will not be selectable as of v11.1.
• Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”
  • The existing “IRS Pub. 1075” Compliance factor, will not be selectable as of v11.1.
• Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”

Changes to the r2 Assessment Baseline

One requirement statement (0506.09m1Organizational.12) included in the r2 assessment baseline has been clarified in v11.1.

• v11.1:

  Where a specific business need for wireless access has been identified the organization requires end points to encrypt traffic prior to transmitting information over a wireless network. For devices that do not have an essential wireless business purpose, the organization disables wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

• v11.0:

  Where a specific business need for wireless access has been identified, the organization configures wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, the organization disables wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

 
No other changes have been made to the baseline r2 assessment requirement statements between v11.0 and v11.1.

Additional Information

For additional questions please contact our Support team.

Overview

HITRUST is introducing the Rapid Recertification option for i1 assessments which provides an accelerated way to obtain your next i1 certification.

The HITRUST i1 Rapid Recertification Assessment allows Assessed Entities and their External Assessors to evaluate a selection of i1 requirement statements to demonstrate that the control environment has not materially degraded since the previous i1 Certification was obtained. Upon successfully demonstrating that the control environment has not materially degraded, the Assessed Entity is permitted to roll forward scores from their previous, certified i1 Assessment for the remaining requirement statements – thus reducing the amount of testing required to complete the assessment. The i1 Rapid Recertification results in the same i1 Assessment Reports and i1 Certification as a full i1 Assessment.

Leveraging the i1 Rapid Recertification Assessment

The i1 Rapid Recertification assessment may be leveraged by organizations who meet all of the following conditions:

• The Assessed Entity currently holds an i1 Certification based on CSF v11 or later.
• The Assessed Entity intends to assess the same scope assessed in the prior i1 assessment.
• No significant changes have occurred since the previous i1 Certification date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies.
• The control environment has not materially degraded since the previous standard i1 Assessment was performed.
• The Assessed Entity has an available assessment object in MyCSF.

When Assessed Entities are not eligible to complete an i1 Rapid Recertification Assessment, a full i1 Assessment must be completed in order to obtain an i1 Certification.

Key similarities between the i1 Assessment and the i1 Rapid Recertification Assessment

The i1 Rapid Recertification Assessment is comparable to the full i1 Assessment in many ways, the most notable of which include:

• Both provide a means to convey information protection assurances over the assessed entity’s scoped and implemented control environment through a shareable, final report with certification issued by HITRUST.
• Both use the same i1 requirements resident in the HITRUST CSF and use MyCSF.
• Both require an Authorized HITRUST External Assessor Organization to inspect documented evidence to validate control implementation.
• Both leverage the HITRUST Control Maturity Scoring Rubric.
• Final reports resulting from i1 Rapid Recertification Assessments can be shared through the HITRUST Assessment XChange and the HITRUST Results Distribution System.

HITRUST CSF requirements included in i1 Rapid Recertification Assessments

Just like a full i1 Assessment, the i1 Rapid Recertification Assessment consists of all i1 requirement statements for the current CSF version at the time the i1 Rapid Recertification Assessment is created. The i1 Rapid Recertification Assessment is different in that some requirement statements are not required to be evaluated and may instead have scores carried over from the previously completed full i1 Assessment. The following sections detail the selection of requirement statements that are required to be evaluated during the i1 Rapid Recertification Assessment and those that are not.

Requirement statements that are required to be evaluated during the i1 Rapid Recertification Assessment

• If the i1 Rapid Recertification Assessment is created using a newer CSF version than that which was utilized for the Assessed Entity’s full i1 assessment, there may be additional requirement statements included in the i1 Rapid Recertification due to the quarterly threat analysis that impacts the i1 requirement statement selection. The additional requirement statements included in the newer CSF version are required to be evaluated in the i1 Rapid Recertification Assessment.
• A sample of 60 requirement statements that were scored (not N/A) in the full i1 Assessment need to be evaluated in the i1 Rapid Recertification Assessment Note that any requirement statements that are not included in the i1 requirement selection for the current CSF version are excluded from this sample.
• Requirement statements that were marked as N/A during the full i1 assessment are required to be reviewed during the i1 Rapid Recertification Assessment to confirm that the N/A rationale remains accurate. Note that any requirement statements marked N/A that are not included in the i1 requirement selection for the current CSF version are excluded.
• Requirement statements that required a CAP during the full i1 Assessment are required to be assessed during the i1 Rapid Recertification Assessment. Note that any requirement statements requiring a CAP that are not included in the i1 requirement selection for the current CSF version will be excluded.

Requirement statements that are not required to be evaluated during the i1 Rapid Recertification Assessment

All other i1 requirement statements for the current CSF version are included within the i1 Rapid Recertification Assessment object, but are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the previous i1 Assessment. The Assessed Entity may optionally include any of these requirement statements by toggling the requirement statement to an editable state.

Detection of Control Degradation

Before creating an i1 Rapid Recertification Assessment, the Assessed Entity must attest that the control environment has not materially degraded since the full i1 Assessment was performed.
During the performance of the i1 Rapid Recertification Assessment, MyCSF monitors the scoring of requirement statements that are evaluated in the current i1 Rapid Recertification Assessment and compares the scores to the previously completed i1 Assessment.

• If scores are lowered for two or fewer requirement statements, the i1 Rapid Recertification assessment may be submitted to HITRUST.
• If MyCSF detects either three or four requirement statements with lower scores in the i1 Rapid Recertification Assessment, the Assessed Entity and External Assessor will be presented with two options for how to proceed:

  Option 1: Expand the sample of requirement statements to be evaluated in the i1 Rapid Recertification Assessment. If this option is selected, an additional sample of 60 requirement statements will be required to be assessed in the i1 Rapid Recertification Assessment. When the additional 60 requirement statements are introduced, MyCSF will allow a total of five requirement statements with lower scores than the previously completed i1 Assessment. If MyCSF detects six or more requirement statements with lower scores in the i1 Rapid Recertification Assessment, option 2 must be followed.

  Option 2: Complete a full i1 Assessment. If this option is selected, the i1 Rapid Recertification Assessment may be converted to a full i1 Assessment so that the scoring and documentation already entered in MyCSF is retained.

• If MyCSF detects five or more requirement statements with lower scores in the i1 Rapid Recertification Assessment, a full i1 Assessment will be required to be completed. If this occurs, the i1 Rapid Recertification Assessment may be converted to a full i1 Assessment so that the scoring and documentation already entered in MyCSF is retained.

HITRUST’s Quality Assurance (“QA”) Review of i1 Rapid Recertification Assessments

i1 Rapid Recertification Assessments feature the same high quality of deliverables as full i1 Assessments, as ensured through HITRUST’s robust Quality Assurance process using HITRUST’s Assurance Intelligence Engine. Additionally, just like on full i1 Assessments, HITRUST’s QA review of i1 Rapid Recertification Assessments must be scheduled using the HITRUST QA Reservation System. Full i1 Assessments and i1 Rapid Recertification Assessments use the same type of report credits to book a reservation.

HITRUST performs a sample-based QA review of the requirement statements in the i1 Rapid Recertification Assessment in much the same manner as a full i1 Assessment. The notable difference is that HITRUST does not QA any requirement statements with scores that were carried from the previous assessment.

Detection of control degradation during QA
If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or testing documentation. Scores lowered due to an error in testing approach or testing documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.

If scores are lowered due to an issue with control operation, there is a possibility that the threshold for number of scores lowered to indicate material degradation is met during the QA review process. If this occurs, the Assessed Entity and External Assessor will be required to expand the sample of requirement statements evaluated in the i1 Rapid Recertification Assessment or complete a full i1 assessment according to the guidelines presented in the previous section.

HITRUST QA timeline for i1 Rapid Recertification Assessments
HITRUST’s established i1 post-submission service level agreement (SLA), not greater than 45 business days with HITRUST, also applies to the i1 Rapid Recertification Assessment. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued. i1 Rapid Recertification submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions.

CAPs, Scoring, and Certification Thresholds on i1 Rapid Recertification Assessments

The scoring and certification thresholds for i1 Rapid Recertification Assessments are the same as those for full i1 Assessments. For the requirement statements that were not assessed during the i1 Rapid Recertification Assessment, the scores from the previous i1 Assessment are utilized for the calculation of average domain scores and the identifications of CAPs and gaps.

Assessment Reports

The i1 Rapid Recertification Assessment results in the same assessment reports that are issued for a full i1 assessment. These reports can be shared through the HITRUST Assessment XChange and assessment results can be shared through the HITRUST Results Distribution System.

Implementation and Timeline

A subsequent advisory will provide additional details and announce the release of the i1 Rapid Recertification Assessment in MyCSF.

Additional Resources

For a list of anticipated questions please click here. For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

HITRUST now offers a new, lower-effort, validated cybersecurity assessment and accompanying certification—the HITRUST Essentials, 1-year (e1) Assessment—which is designed to move at the speed of business.

Key Characteristics of the e1 Assessment

• The HITRUST e1 Assessment focuses on a curated set of cybersecurity controls encompassing fundamental cybersecurity practices, or “good cybersecurity hygiene”.
• When viewed side-by-side with the HITRUST i1 and HITRUST r2, the HITRUST e1 shows a depth of control consideration that is significantly leaner by design.
• The HITRUST e1 is designed to be an evolving, threat-adaptive certification. The requirements included in the HITRUST e1 address the most pressing active cyber threats (e.g., phishing, ransomware), while the requirements included in the HITRUST i1 controls address a broader range of active cyber threats. The e1 achieves threat-adaptiveness through the quarterly HITRUST reconciliation of cyber threat intelligence to the HITRUST CSF requirements.
• Controls nest into the i1 and r2 to be fully inheritable, so e1 work can be reused.
• When changes to the e1 requirement selection are deemed necessary, they will be included in major and minor releases of the HITRUST CSF. Consequently, all e1 Assessments performed against a particular version of the HITRUST CSF will include the same requirements, currently 44 requirements.
• The e1 Assessment can be performed as a readiness or validated assessment. The e1 Readiness Assessment may be performed with an External Assessor or as a self-assessment.

Use Cases

The HITRUST e1 is built for use by organizations seeking assurance for cybersecurity essentials that is more robust than questionnaires or other self-assessments (such as the HITRUST bC). This supports the following use cases:

• When relying parties need to request a less rigorous, less demanding, easy-to-understand, and easy-to-execute assurance from vendors who pose a lower level of inherent risk.
• An organization is seeking assurance for a limited set of controls that are inherently expected for nearly all entities.
• An initial assessment of security maturity for a limited set of essential cybersecurity controls is quickly needed (such as for a newly onboarded vendor or for an entity still developing their cybersecurity program).

Secondary use cases for the HITRUST e1 include:

• When a demonstrable assurance report is needed to establish a foundational benchmark for an organization’s assurance continuum.
• Situations where an e1 assurance is the first step towards the eventual achievement of a HITRUST i1 or r2 Certification.

The e1 Assessment in the HITRUST Assessment Portfolio

The addition of the e1 Assessment is a continuation of the HITRUST Assessment Portfolio expansion designed to equip organizations with a broader range of validation and certification options to address varied assurance requirements. Not all vendor or third-party relationships warrant the level of assurance, or time and effort, required for HITRUST i1 or r2 Certifications. Validation of essential cybersecurity practices is still warranted for many vendors traditionally viewed as lower risk. Validated HITRUST e1 assessments and certifications meet this need.

How the e1 Fits into the HITRUST Assessment Family

The HITRUST Essentials, 1-year Validation + Certification Assessment complements other assessments in the HITRUST portfolio by providing suitable assurances for lower-risk scenarios, focusing on foundational, essential cybersecurity controls, and acting as an entry-level HITRUST Certification. The HITRUST Implemented, 1-year (i1) Certification introduced in 2022 provides suitable assurances for moderate-risk scenarios, focusing on cybersecurity best practices controls. The HITRUST Risk-based, 2-year (r2) Certification will continue to provide the highest level of information protection assurance for situations with greater risk exposure due to data volumes, regulatory compliance, and other risk factors. This assurance model is designed to support progression from an e1 to either an i1 or r2 where required for organizations or their relying parties. This traversable assessment approach supports situations where inherent risk is evolving and entities are seeking a higher level of assurance over time as well as when an assessed entity is still maturing their program and an initial assurance report is required for the most essential controls.

Comparison of the e1, i1, and r2 Certifications

More Information About the e1 Certification and e1 Assessment

Control Maturity Levels Considered in e1 Assessments

• Like the HITRUST i1, the HITRUST e1 focuses on the “Implemented” control maturity level of HITRUST’s control maturity evaluation model. Even though the e1 focuses on control Implementation, like the i1, some requirement statements necessitate reviewing Policy and Procedure documents. For example, implementing the HITRUST CSF requirement included in the e1 involves the creation of a written information protection program document: “0113.04a1Organizational.2- The organization’s information security policy is developed, published, disseminated, and implemented. The information security policy documents: state the purpose and scope of the policy; communicate management’s commitment; describe management and workforce members’ roles and responsibilities; and establish the organization’s approach to managing information security.”.

HITRUST Control Scoring Rubric Update (Version 4)

e1, i1, and r2 Assessments all leverage the HITRUST Control Maturity Scoring Rubric, although the e1 and i1 do not use the entire rubric. The rubric has been updated in support of the e1 Assessment to indicate that only the implemented control maturity level is considered for v11.

External Inheritance on e1 Assessments

External assessors and assessed entities of e1 Assessments will have two options of how to address situations in which a HITRUST CSF requirement is fully or partially performed by a service provider (e.g., by a cloud service provider): Inclusive and Exclusive (or Carve-out). These methods, detailed below, are the same two methods that can be used for i1 assessments.

• The Inclusive method, whereby HITRUST CSF requirements performed by the service provider are included within the scope of the HITRUST Assessment and addressed through full or partial inheritance, reliance on third-party assurance reports, and/or direct testing.
• The Exclusive (or Carve-out), method, whereby HITRUST CSF requirements performed by the service provider are excluded from the scope of the HITRUST Assessment and marked as N/A with supporting commentary that specifies that the HITRUST CSF requirement is fully performed by a party other than the assessed entity (for fully outsourced controls) or through commentary describing the excluded partial performance of the control (for partially outsourced controls).

Refer to HAA 2021-012 for additional details.

Cross-assessment-type inheritance is allowed, meaning that i1 or r2 Assessment results can be inherited into an e1 Assessment (and vice versa). However, only the implemented level’s scoring can be inherited when inheriting from an e1 Assessment into an r2 Assessment given that e1 Assessments only consider the implemented maturity level. This limitation does not absolve those involved in the inheriting r2 Assessment from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on supplemental validation procedures or (b) scoring the policy, procedure, measured and managed scores at 0 to reflect the inability to ascertain scoring on these control maturity levels.

HITRUST Quality Assurance (“QA”) Review of e1 Assessments

e1 assessments will feature the same high quality of deliverables as i1 and r2 Assessments, as ensured through HITRUST’s robust Quality Assurance process by HITRUST’s Assurance Intelligence Engine. Additionally, just like on i1 and r2 Assessments, the HITRUST QA review of e1 Assessments must be scheduled using the HITRUST QA Reservation System. Please be aware that e1, i1, and r2 Assessments require different types of report credits to book a reservation. For additional information on acquiring the correct type of report credit please contact your Customer Success Manager (CSM).

HITRUST will perform a sample-based QA review of requirement statements within e1 Validated Assessments much in the same manner as is performed on i1 and r2 Validated Assessments.

HITRUST QA for e1 Assessments is designed for speed
The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, on the quality of the external assessor’s documentation, the quality and consistency of the external assessor’s validation procedures, and on many other factors. However: The established e1 post-submission service level agreement (SLA) is not greater than 30 business days with HITRUST (otherwise the customer’s next e1 Validated Assessment Report credit is complementary).

This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase) or the last day of the QA block from the reservation. Days are counted for any weekdays where the assessment is in a HITRUST owned phase before the draft report is posted. Validated assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days with HITRUST measure are visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.

CAPs, Scoring, and Certification Thresholds on e1 Assessments

The scoring and certification thresholds for e1 Assessments are the same as those for i1 assessments. Refer to HAA 2021-012 for details.

e1 HITRUST CSF Reports

Upon completion of a e1 Assessment that meets the scoring thresholds for certification, HITRUST will issue the following reports:

• HITRUST e1 Certification Report
• HITRUST e1 Certification Letter
• HITRUST e1 Certification Letter with Scope

Upon completion of an e1 Assessment that does not meet the scoring thresholds for certification, HITRUST will issue only the HITRUST e1 Validated Assessment Report.

Implementation and timeline

The ability to perform e1 Assessments in MyCSF is available as of the release of this advisory.

Additional Resources

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

Upon the release of CSF v11, HITRUST is announcing the deadline for creating and submitting i1 assessments using CSF v9.6.2 and earlier.

Details

• Between the release of v11 on January 18, 2023 and April 30, 2023, i1 assessments may be created using either v11 or v9.6.2.
• Effective April 30, 2023, the ability to create new i1 assessments using CSF v9.6.2 will be disabled.
• Effective July 31, 2023, the ability to submit i1 assessments using CSF v9.6.2 and earlier will be disabled.
  • Effective as of the release of this advisory, the QA Reservation system will not allow the selection of a submission date after July 31, 2023 when booking a reservation for an i1 assessment object using v9.6.2.
  • As of July 31, 2023, any unsubmitted i1 assessment objects utilizing v9.6.2 and earlier will be marked with a MyCSF banner indicating that they cannot be submitted to HITRUST for processing. These assessments must be upgraded to v11 in order to be submitted to HITRUST.

Additional Resources

For a comparison of the v9.6 i1 requirement statements to the v11.0 i1 requirement statements click here.
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

HITRUST invests in continuously evaluating new control requirements and expanding the coverage of security and privacy authoritative sources supported by the HITRUST CSF framework. To facilitate and empower customers to take advantage of this investment and ensure HITRUST assessments are generated and inherited from (and/or relied upon) the latest available HITRUST CSF controls and mappings, HITRUST is decommissioning CSF v9.1 through v9.4 according to the timeline below.

Notice and Timeline Details
Support of CSF v9.1 through v9.4

Effective as of the release of this advisory, maintenance support (i.e. CSF updates that would result in an errata release according to HAA 2021-005: CSF Versioning Policy) of v9.1 through v9.4 will be discontinued. Questions related to these library versions will continue to be addressed via support tickets until the libraries are removed from MyCSF on March 31, 2026. All Assessments using v9.1 – v9.4 will remain in MyCSF.

Key Assessment Dates

• Effective September 30, 2023, the ability to create new v9.1 through v9.4 assessment objects will be disabled. All new assessment objects created on or after September 30, 2023, must be created using HITRUST CSF v9.5.x or later.
• Effective December 31, 2024, the ability to submit v9.1 through v9.4 assessment objects to HITRUST for report processing will be disabled.
  • Effective as of the release of this advisory, the QA Reservation system will not allow the selection of a submission date after December 31, 2024 when booking a reservation for an assessment object using v9.1 through v9.4.
  • As of December 31, 2024, any unsubmitted assessment objects utilizing v9.1 through v9.4 will be marked with a MyCSF banner indicating that they cannot be submitted to HITRUST for processing.

Note that the following will not be impacted by the above notice:

• Interim and Bridge Assessments will continue to utilize the same version of the HITRUST CSF that was used to create the original r2 Validated Assessment.
• Internal and external inheritance will continue to be available from v9.1 through v9.4 assessment objects until their expiration—for Uncertified r2 Validated Assessments, a period of one (1) year from report date, and for Certified r2 Validated Assessments, a period of two (2) years from report date and timely completion of its Interim Assessment.

Additional Resources

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

Overview

The HITRUST CSF version 11 (v11) enables a fully traversable portfolio, which facilitates seamless movement between HITRUST assessments based on the use of common requirement statements to maximize reusability. As risk and compliance program maturity or information protection needs change, v11 allows organizations to use what they have already done to easily upgrade to higher levels of HITRUST assurance with just incremental effort. v11 enables cyber threat adaptive HITRUST Assessments across the portfolio that continuously evolve to address emerging threats such as ransomware and phishing. 

The HITRUST CSF v11 framework includes new and refreshed Authoritative Sources powered by the speed and efficiency of Artificial Intelligence (AI). Plus, changes to Evaluative Elements and Illustrative Procedures that make it easier for MyCSF users to parse and score Requirement Statements. 

Traversable and Threat-Adaptive Portfolio
Traversable Portfolio

For v11, HITRUST has aligned the selection of requirement statements used for the e1 assessment (HAA 2023-004), i1 assessment, and r2 assessment baseline so that each assessment builds upon the core requirement statements that are included in the e1 assessment.

• The e1 assessment includes a selection of 44 requirement statements that address a curated set of cybersecurity controls generally viewed as fundamental essential cybersecurity practices, or “essential cybersecurity hygiene”.
• The i1 assessment includes a selection of 182 requirement statements that are comprised of the 44 e1 requirement statements along with an additional 138 requirement statements that address cybersecurity best practices and a broader range of active cyber threats than the e1 assessment.
• The r2 assessment includes the 182 i1 requirement statements as a baseline along with additional requirement statements that are included through the r2 assessment tailoring process.

This nesting of requirement statements allows organizations to begin with the entry-level e1 or moderate level i1 assessment and subsequently move through the assessment portfolio to demonstrate increased levels of information protection assurance without losing the investment made by completing previous assessments.

Threat-Adaptive Portfolio

As described in HAA 2021-012 and HAA 2023-004, e1 and i1 assessments are designed to be threat-adaptive through the selection of requirement statements that address active cyber security threats based on HITRUST’s quarterly reconciliation of cyber threat intelligence to the HITRUST CSF requirements. The inclusion of the i1 requirement statements in the r2 assessment introduces the threat-adaptive nature of the e1 and i1 to the r2.

Inheritance

External Inheritance can be used between v11 assessments and v9.1 – v9.6.2 assessments. However, due to the change in the r2 baseline described above, there may be requirement statements present in baseline v9.x assessments that are not present in baseline v11 assessments and vice versa. To address this, a Community Supplemental Requirement (CSR) and associated factor called “Legacy Inheritance Support” will be introduced for use in v11 assessments. The Legacy Inheritance Support factor includes additional inheritable 9.x requirement statements into v11 r2 Assessments. For additional information regarding the functionality and limitations of this factor, please see v11 FAQs.

HITRUST encourages inheritance providers using v11 to include the Legacy Inheritance Support factor so that their v11 r2 Assessment includes v9.x requirement statements that Assessed Entities may hope to inherit.

New and Refreshed Authoritative Sources

The Authoritative Source updates in v11 are powered by new AI processing technologies that enhance the efficiency of producing Authoritative Source mappings.

v11 contains the following new and refreshed Authoritative Sources:

• Added NIST SP 800-53 revision 5 mapping and selectable Compliance factor
• Added Health Industry Cybersecurity Practices mapping and selectable Compliance factor
• Refreshed NIST SP 800-171 mapping
• Refreshed NIST Cybersecurity Framework mapping
• Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

Evaluative Elements Moved to the Requirement Statement

For assessments using v11, HITRUST has moved the evaluative elements from the policy level illustrative procedure to the requirement statement for improved visibility. Further, the requirement statement text is formatted to display each evaluative element in a numbered list.

v11 Requirement Statement Example

For v9.1 – v9.6, the evaluative elements remain within the policy level illustrative procedures. Like v9.6, the illustrative procedure for v9.1 – v9.5 are now formatted to specifically enumerate each evaluative element as described in HAA 2021-014.

Illustrative Procedure Updates

Due to the move of the evaluative elements from the policy level illustrative procedure into the requirement statement, the v11 policy level illustrative procedures have been updated to standard text for all requirement statements. Additionally, the formatting of the v11 implemented and measured illustrative procedures have been updated to more clearly display the requirement specific implementation and measured testing guidance.

Clarification of Factor Definitions

HITRUST has updated the factor definitions to improve tailoring for v11 r2 assessments. Within MyCSF, the Factors page for r2 assessments using v11 will contain information icons that display the factor definition for reference.

The legacy factor definitions found at help.mycsf.net/factors should continue to be used for v9.1 – v9.6 r2 assessments.

Implementation and Timeline

v11 is available within MyCSF and for download here as of January 18, 2023.

Additional Information

In addition to the updates detailed above, CSF v11 includes assorted errata updates consistent with the CSF Versioning Policy. The errata updates include refreshes to BUIDs primarily based on changes to requirement statement levels and control references. Further, the following seven Authoritative Sources have been removed in CSF v11:

• CAQH CORE Phase 1 [CAQH Core Phase 1]
• CAQH CORE Phase 2 [CAQH Core Phase 2]
• Cloud Security Alliance (CSA) Cloud Controls Matrix Version 3.0.1 [CSA CCM v3.0.1]
• Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) version 1.0 [CMMC v1.0]
• Department of Homeland Security (DHS) Critical Resilience Review (CRR) v1.1 [DHS CISA CRR (2016)]
• ISO/IEC 29151:2017: Information Technology – Security Techniques – Code of Practice for Personally Identifiable Information Protection [ISO/IEC 29151:2017]
• Precision Medicine Initiative Data Security Policy Principles and Framework v1.0 (PMI DSP): Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework [PMI DSP Framework]

The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to determine impact on an existing assessment prior to upgrading to v11 including a detailed look at the direct changes that will apply to the assessment.

For a list of anticipated questions please click here.
For a comparison of the v9.6 i1 requirement statements to the v11.0 i1 requirement statements click here.
For additional questions please contact our Support team.

Overview

On February 15, 2022, HITRUST implemented a suite of enhancements to the MyCSF platform that are described in the following Assurance Advisories:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST Report Format Changes

This suite of enhancements was applied to HITRUST r2 Validated Assessments, r2 Readiness Assessments, Interim Assessments, and Bridge Assessments meeting certain criteria outlined in the Advisories listed above.

On October 1, 2022, HITRUST will convert any remaining r2 Validated Assessments and r2 Readiness Assessments that have not previously been submitted to HITRUST for processing to utilize the enhancements outlined in the advisories listed above.

Note: i1 Assessments incorporate these enhancements by default, so i1 Assessments will not need to be converted.

Details

The suite of enhancements will be automatically implemented for all r2 Validated Assessments and r2 Readiness Assessments that meet all the following criteria on October 1, 2022:

• The assessment has not previously been submitted to HITRUST
• The assessment is using the legacy assessment workflow

Note: r2 Validated Assessments that are in the Assessment Submitted to External Assessor state on October 1, 2022, will be automatically reverted to the Answering Assessment state prior to the enhancements being implemented.

Refer to FAQs: Retirement of Legacy Assessment Workflows for more information and instructions for determining whether your assessment is utilizing the legacy assessment workflow.

 Save as PDF

Implementation and Timeline
v9.6 is available within MyCSF and for download here as of December 30, 2021.

Overview
The CSF Version 9.6 Release includes both CSF and MyCSF enhancements which are described further below. The CSF enhancements are changes related to the HITRUST CSF framework, while MyCSF enhancements are related to the MyCSF platform.

CSF Enhancements

CSF Version 9.6 (v9.6) contains the following enhancements:

• Refreshed NIST SP 800-53 revision 4 mapping and added NIST SP 800-53 revision 4 as a selectable compliance factor
• Updates to some requirement statements and illustrative procedures in anticipation of the HITRUST Implemented, 1-year (i1) Validated Assessment release
• Assorted errata updates consistent with the CSF Versioning Policy

The CSF Summary of Changes document offers additional details regarding CSF. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to see the potential impact on an existing assessment prior to upgrading to v9.6.

MyCSF Enhancements

1. CMMC Compliance Factor
The CMMC Compliance factor will now contain a “Deprecated” flag (see Figure 1) to indicate that the version of CMMC currently mapped to the CSF has been superseded. The CMMC Compliance factor appears in versions 9.4, 9.5, and 9.6 of the CSF and each of these versions will display the “Deprecated” flag. More information about the CMMC program is available here.

2. Illustrative Procedure Enhancements
Beginning in v9.6, the Policy and Implemented illustrative procedures have been formatted to enhance usability and clarity. The Policy illustrative procedures have been formatted to specifically enumerate each evaluative element when the illustrative procedures are displayed from the “More Information” menu as shown in Figure 2. Additionally, the evaluative element count will be shown when the requirement is displayed as shown in Figure 3. For assessments that are performed using v9.6, the evaluative element count displayed within MyCSF must be the denominator for the calculation of coverage for scoring of the requirement statement for the Policy, Procedure, Implemented, and Measured maturity levels in the HITRUST Control Maturity Scoring Rubric. Note that these illustrative procedure enhancements are present on all HITRUST assessments performed using v9.6 and later of the HITRUST CSF where applicable, regardless of assessment type (i1 or r2).

The Implemented and Measured illustrative procedure formatting has been updated to identify each testing procedures should the maturity level be scored (see Figure 2).

3. Sampling Badge
In addition, the requirement statement view within MyCSF will now contain a badge (see Figure 4) when the Implemented illustrative procedure requires the External Assessor to select a sample of items and/or occurrences to test. If circumstances exist which prevent sample-based testing (such as a lack of control occurrences), the external assessor must document a rationale for not performing sample-based testing for that HITRUST CSF requirement’s implemented control maturity level.

Additional Information
For additional questions please contact our Support Team.

 Save as PDF

Overview
HITRUST’s Control Maturity Scoring Rubric (“Rubric”), which assists assessed entities and their external assessors in assessment scoring, has been updated in support of the i1 assessment and to reflect previously announced changes. Key changes to the rubric include:

• The Policy and Procedure maturity levels had their criteria and strength tiers updated based upon HAA 2021-002, which was released on June 7, 2021. The revised Policy and Procedure criteria presented in the Advisory were added to the ‘Other Key Concepts’ section of the rubric and, the five strength tiers for the Policy and Procedure maturity levels in the version 2 Rubric were reduced to three tiers in the version 3 Rubric as follows:
  • Tier 0 – No documented Policy and/or Procedure
  • Tier 1 – Undocumented Policy and/or Procedure
  • Tier 2 – Fully documented Policy and/or Procedure
• HITRUST has updated the “minimum number of days that a remediated or newly implemented control must operate prior to assessor testing” to reflect 60 days for any policy or procedure remediation, corresponding to the revision communicated in HAA 2021-002.
• HITRUST has included the current Bridge Certificate timing guidance into the Rubric.
• HITRUST has added the following sample-based testing requirements:
  • Guidance requiring sampling lead sheets in the test plan to document the sampling approach.
  • Guidance stating that evidence used during sample testing must be retained.
  • Sampling guidance for semi-annual controls.
  • Guidance on the required population timeframe to consider when pulling samples of control occurrences over time as: “Minimum of 90 days prior to the date of testing with a maximum of one-year prior to the date of testing”.
  • Guidance that the control frequency should be defined prior to determining the sampling approach.

In addition to the above key changes, HITRUST has made other minor adjustments to the Rubric:

• HITRUST has reformatted the guidance for supporting documentation to qualify as a measure for HITRUST assessment purposes.
• The applicability of the timeframes has been updated to reflect whether they correspond to a HITRUST r2 validated assessment or i1 validated assessment.
• HITRUST has removed sections from the “Timeframes” to streamline presentation of the key timeframes – not intended to reflect a change in prior guidance:
  • Access window for a HITRUST MyCSF “Report Only” object.
  • Targeted window for HITRUST’s performance of QA and draft report assembly procedures.
  • Window during which HITRUST will accept grammatical changes to a draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF.
  • Interim assessment object submission due date.
• HITRUST has updated the links on the Rubric where additional guidance can be found.

Timetable for Implementation
The updated HITRUST Control Maturity Scoring Rubric is immediately available for download at https://hitrustalliance.net/content/uploads/HITRUST-CSF-Control-Maturity-Scoring-Rubric-Version-3.pdf. For HITRUST i1 validated assessments, use of the version 3 Rubric is required. For the HITRUST r2 validated assessments, either version 2 or version 3 of the Rubric may be used for assessments submitted prior to May 1, 2022. As of May 1, 2022, r2 validated assessment submissions must use the version 3 Rubric.

Additional Resources
Click https://hitrustalliance.net/content/uploads/HITRUST-Control-Maturity-Scoring-Rubric-Update-FAQs.pdf for a list of anticipated questions and answers. For additional questions please contact our Support team.

 Save as PDF

Implementation and Timeline
The ability to perform HITRUST Implemented 1-Year (i1) assessments in MyCSF will be released at the start of the 2022 calendar year. The updates to the Risk-based, 2-Year (r2) assessment (formerly the HITRUST CSF Validated Assessment) reports described in this advisory will be reflected in all r2 reports issued 12/31/21 and later.

Overview
To date, HITRUST has offered only one information protection certification, the HITRUST CSF Certification, achievable only by demonstrating sufficiently strong control maturity through the performance of a validated assessment. By design, this single HITRUST certification offers a gold standard level of assurance due to the comprehensive control requirements and assurance program requirements. However, completion of a HITRUST validated assessment can be a significant undertaking for an organization. HITRUST acknowledges that the highest level of information protection assurance is not needed by every organization or vendor relationship.

A broader range of certification options is necessary to address varying assurance requirements and needs—as determined by factors such as level of effort, budget, and purpose. To address these needs, HITRUST is introducing the HITRUST Implemented, 1-year (i1) Certification, a new assessment mechanism and accompanying certification that requires reduced effort and cost than today’s validated assessment, while still living up to the gold standard level of quality for which HITRUST certifications are known. To differentiate the certifications in our newly expanded assessment portfolio, HITRUST is also renaming our existing certification to the HITRUST Risk-based, 2-year (r2) Certification. Further, HITRUST is taking this opportunity to update the content, layout, and formatting of HITRUST-issued certification reports.

The HITRUST Risk-based, 2-year r2 Certification will continue to provide the highest level of information protection assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The new HITRUST Implemented, 1-year i1 Certification will provide, when compared to the r2, a relatively moderate level of information protection assurance, focusing on good security hygiene and cybersecurity best practices controls. Both the i1 and r2 certifications will uphold the high-quality bar for which HITRUST is known.

Key similarities between i1 and r2 certifications
The HITRUST Implemented, 1-year i1 Certification shares several characteristics with the HITRUST Risk-based, 2-year r2 Certification, the most notable of which include:

• Both provide a means to convey information assurances over the assessed entity’s scoped control environment through a shareable, final report with certification issued by HITRUST.
• Both use requirements resident in the HITRUST CSF and use MyCSF.
• Readiness assessments and validated assessments can be performed for both.
• Both require an Authorized HITRUST External Assessor Organization to inspect documented evidence to validate control implementation.
• Both leverage the HITRUST Control Maturity Scoring Rubric (although the i1 does not use the entire rubric). While the rubric has been updated in support of the i1 assessment (as described in HAA 2021-013), no significant changes were made to the rubric to accommodate its use on i1 assessments other than indicating that only the Implemented control maturity level is considered during i1 assessments.
• Final reports resulting from i1 assessments (such as the HITRUST i1 Validated Assessment Report) can be shared through the HITRUST Assessment XChange just like those resulting from r2 assessments, and i1 assessment results can be shared through the HITRUST Results Distribution System just like the results of r2 assessments.
• The external assessor’s fieldwork window is capped at a maximum of 90 days on both i1 and r2 assessments.

Key differences between i1 and r2 certifications
The i1 and r2 are distinct in many ways, the most notable of which are:

• r2 certifications are valid for 2 years, while i1 certifications are valid for 1 year.
• While the HITRUST CSF requirements considered in r2 assessments are tailored based on the assessed entity’s inherent risk factors (such as whether in-scope systems are accessible from the Internet, whether wireless networks are used in the scoped environment, etc.), the HITRUST CSF requirements in an i1 assessment are carefully curated by HITRUST and only vary when performed against different versions of the HITRUST CSF.
• r2 assessments can be tailored to optionally convey assurances over dozens of information protection regulations and standards (including: HIPAA, NIST CSF, PCI DSS) while i1 assessment are pre-set.
• While r2 assessments can be tailored to include all security control references present in the HITRUST CSF through use of the “comprehensive assessment” option, i1 assessments cannot.
• Privacy-centric HITRUST CSF controls and requirements can optionally be added into an r2, but not into an i1. While certain requirements within domain 19 are included in i1 assessments, the i1 is designed to focus on cybersecurity only.
• Many control maturity levels (policy, process, implemented, and optionally measured and managed) are considered when scoring HITRUST CSF requirements included in r2 assessments, while the scoring of HITRUST CSF requirements included in i1 assessments considers only control implementation. In other words: only control implementation is considered during i1 assessments.
• HITRUST CSF requirements performed by the assessed entity’s service providers (such as cloud service providers) on behalf of the organization can be carved out / excluded from consideration in i1 validated assessments, but such carve-outs are not permitted in r2 assessments.
• Interim assessments are not necessary for i1 certifications, as a full re-assessment is necessary each year to maintain i1 certification status.
• r2 certifications can be bridged through a HITRUST Bridge Certificate, while i1 certifications cannot.
• Validated r2 assessments can result in a HITRUST-issued certification over the NIST Cybersecurity Framework, while i1 validated assessments cannot.
• Newly created i1 assessments must use the most current version of the CSF available at time of object creation.
• Minor differences are present on the External Assessor QA checklist used on i1 assessments, as certain checklist items are only applicable on r2 assessments.

More information about the i1 certification and i1 assessments
HITRUST’s quality assurance (“QA”) review of i1 assessments

i1 assessments will feature the same high quality of deliverables as r2 assessments, as ensured through HITRUST’s robust Quality Assurance process, which includes the HITRUST Assurance Intelligence Engine. In addition, just like on r2 assessments, HITRUST’s QA review of i1 assessments must be scheduled using the HITRUST QA Reservation System. Please be aware that i1 and r2 assessments require different types of report credits to book a reservation. For additional information on acquiring the correct type of report credit please contact your Customer Success Manager (CSM).

HITRUST will perform a sample-based QA review for i1 validated assessment submissions much in the same manner as is performed on r2 validated assessment submissions. The notable difference is that HITRUST will not QA a sample of requirements with measured and/or managed scores on i1 submissions in addition to reviewing a “Core QA” sample of requirements (as i1 assessments do not consider the measured and managed control maturity levels).

The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, on the quality of the external assessor’s documentation, the quality and consistency of the external assessor’s validation procedures, and on many other factors. However: HITRUST’s established i1 post-submission Service Level Agreement (SLA) is not greater than 45 business days with HITRUST (otherwise the customer’s next i1 validated assessment report credit is complimentary). This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST.” The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase) or the last day of the QA block from the reservation. Days are counted for any business days where the assessment is in a HITRUST owned phase before the draft report is posted. Validated assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days with HITRUST measure are visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.

Usability improvements on i1 assessments
Those performing i1 assessments will enjoy several usability and quality-of-life enhancements in MyCSF, including:

• All i1 assessments feature HITRUST’s enhanced Assessment Workflows, webforms, and Kanban-style status tracking boards. For additional details, see HITRUST Advisories HAA 2021-007 through HAA 2021-011.
• Illustrative procedures of HITRUST CSF requirements for versions 9.6 and later feature formatting and list items to aid in easily identifying the illustrative procedure’s unique content. In i1 assessments, this illustrative procedure enhancement applies only to the implemented level (as only the implemented control maturity level is considered in i1 assessments). In r2 assessments, this illustrative procedure enhancement applies to both the policy and implemented levels. Pictured below is an example of an implemented illustrative procedure featuring this enhancement:
  
• On i1 assessments, the unique elements associated with each HITRUST CSF requirement which must be implemented by the assessed entity and evaluated by the External Assessor (referred to as “evaluative elements”) are not shown in the requirement’s policy illustrative procedure (as they are in r2 assessments), because i1 assessments do not consider the policy control maturity level. Instead, i1 assessments present each HITRUST CSF requirement’s evaluative elements as stand-alone sentences in a numbered list. Further, the count of evaluative elements associated with each HITRUST CSF requirement is clearly shown in MyCSF for i1 and r2 assessments using HITRUST CSF v9.6 and later. An example of the new “Evaluative Elements” count is pictured below as well as an example of enumerated and numbered evaluative elements.
  
  
• In i1 and r2 assessments using HITRUST CSF v9.6 and later, a new sampling badge is shown in MyCSF for each HITRUST CSF requirement having an implemented illustrative procedure that calls for testing a sample. This sampling badge helps external assessors quickly and easily identify areas where sampling may be required during the testing of the implemented control maturity level. When this sampling badge is present, the external assessor is expected to perform sample-based testing. If circumstances exist which prevent sample-based testing (such as a lack of control occurrences), the external assessor must document a rationale (in the test plan and/or in external assessor comment fields in MyCSF) for not performing sample-based testing for that HITRUST CSF requirement’s implemented control maturity level. Pictured below is an example of this sampling badge and accompanying mouse-over tooltip. An indicator is present in the new, downloadable test plan template (discussed below) showing the requirements possessing this sampling badge.
  
• A new, Excel-based test workbook template will be available for use by assessors performing i1 assessments. This template can be downloaded from the test plan upload page in MyCSF. External assessors are not required to use this test plan template.
• Assessed entities and their external assessors have flexibility with respect to who populates an i1 assessment in MyCSF. Personnel from either the assessed entity or their external assessors are allowed to enter control maturity scoring and assessment scoping information in i1 assessments. When a member of the external assessor enters control maturity scoring and/or assessment scoping information, MyCSF will automatically apply the external assessor’s thumbs-up / agreement. However, when control maturity scoring and/or assessment scoping information is initially entered by the assessed entity, a member of the external assessor team is required to evaluate the entered data and manually enter their thumbs-up / agreement. This added flexibility allows control maturity scoring and assessment scoping information to be either (a) initially populated in MyCSF by the assessed entity and then manually agreed to by the external assessor (just like in r2 assessments), and/or (b) populated and auto-agreed entirely by the external assessor. There is no preference or option to configure; MyCSF will recognize the role (external assessor, standard user) and adjust accordingly. As a result of this added flexibility and to reflect that submission of a completely and accurately populated MyCSF assessment to HITRUST is ultimately the External Assessor’s responsibility, an i1 validated assessment’s not-yet-scored requirements are shown in the Kanban-style status view as pending the External Assessor team.

HITRUST CSF requirements included in i1 assessments
HITRUST CSF requirements are included in r2 assessments through the combination of a purposive sample of 75 HITRUST CSF control references required for certification, the inherent risks present in the assessed environment (such as whether the scoped system is accessible from the Internet), and the optional inclusion of regulations and standards such as PCI DSS, HIPAA, and EU GDPR. As a result, the HITRUST CSF requirements included in r2 assessments can vary from as few as 198 requirements to nearly 2000 requirements.

A completely different approach drives the selection of HITRUST CSF requirements included in i1 assessments. HITRUST has carefully selected the HITRUST CSF v9.6 requirements to be included in i1 assessments in light of several factors:

• The i1 is designed to be an industry-agnostic assessment, so the HITRUST CSF requirements included in the i1 assessment and their associated illustrative procedures and evaluative elements are also industry-agnostic and do not use any terminology specific to the US federal government or germane to any specific legislation or authoritative source (e.g. does not include terms such as “protected health information”, “cardholder data”, or “authority to operate”).
• The i1 is designed to be an evolving, threat-adaptive certification that leverages threat intelligence and best practice controls to deliver an assessment that addresses relevant practices and active cyber threats. HITRUST evaluated existing information security controls to identify those relevant to mitigating known risks and leveraged cyber threat intelligence data from a leading threat intelligence provider spanning May 2021 to Oct. 2021 to influence the selection of technically-focused HITRUST CSF requirements included in i1 assessments. As a result, the i1 includes controls that were selected exclusively to address emerging cyber threats actively being targeted today. HITRUST will review cyber threat intelligence data for potential updates to the i1 requirements on a quarterly basis to maintain the threat responsive nature of the i1. Updates to the i1 requirement statement selection will be published as part of either a major or minor release of the HITRUST CSF. Consequently, all i1 assessments performed against a particular version of the HITRUST CSF will include the same requirement statements.
• The i1 is designed to be a combination of good security hygiene controls and cybersecurity best-practice controls. The design affords a high degree of coverage against authoritative sources generally viewed as security best practices. As a result, the HITRUST CSF requirements included in i1 assessments provide a high degree of coverage against sources such as the HIPAA Security Rule; NIST SP 800-171; the NAIC Data Security Law; the FTC’s GLBA Safeguards Rule (both the current version as well as the 2021 proposed update); NISTIR 7621: Small Business Information Security Fundamentals; the DOL’s EBSA Cybersecurity Program Best Practices; and the HITRUST CSF requirements included in HITRUST’s Basic, Current-state (“bC”) assessment.
• All HITRUST CSF assessment domains and CSF control categories are represented in the i1.

Because the i1 consists of a selection of HITRUST CSF requirement statements, and because HITRUST CSF requirement statements are not included in the free HITRUST CSF PDF download, organizations interested in seeing the HITRUST CSF requirements included in an i1 assessment are encouraged to create an i1 assessment in MyCSF.

CAPs, scoring, and certification thresholds on i1 assessments
The scoring and certification thresholds for i1 assessments are different than those for r2 assessments, as follows:

• i1 assessment scoring will always be shown as the overall score (e.g., 75, 100) rather than the maturity rating (e.g., 1-, 3+). Because i1 assessments do not include all control maturity levels (and instead focus solely on control implementation), the control maturity rating scheme used on r2 assessments are not suitable for use on i1 assessments. Instead, only scores between 0 and 100 are used on i1 assessments.
• For an i1 validated assessment to result in certification, no assessment domain’s straight-average score can be below 83. (To contrast this scoring against r2 assessments: For an r2 validated assessment to result in an r2 certification, no assessment domain’s straight-average score can be below 62.)
• For i1 assessments, assessed entities are required to define Corrective Action Plans (CAPs) for all HITRUST CSF requirements meeting the following criteria: the requirement’s implemented maturity level scores less than “fully compliant” / 100 and the associated control reference (e.g., 00.a) averages less than 80. For any requirements where the implemented maturity level scores less than “fully compliant” / 100 and the associated control reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a CAP. The difference between a gap and a CAP on an i1 assessment is that management of the assessed entity is required to provide a written plan of action for remediation of CAPs, but not for gaps.

External inheritance on i1 assessments
External assessors and assessed entities of i1 assessments will have two options to address situations in which a HITRUST CSF requirement is fully or partially performed by a service provider (such as by a cloud service provider):

• The Inclusive method, whereby HITRUST CSF requirements performed by the service provider are included within the scope of the HITRUST assessment and addressed through full or partial inheritance, reliance on third-party assurance reports, and/or direct testing.
• The Exclusive (or Carve-out), method, whereby HITRUST CSF requirements performed by the service provider are excluded from the scope of the HITRUST CSF assessment and marked as N/A with supporting commentary that specifies that the HITRUST CSF requirement is fully performed by a party other than the assessed entity (for fully outsourced controls) or through commentary describing the excluded partial performance of the control (for partially outsourced controls).

HITRUST has always and will continue to require that the inclusive method be used on all r2 assessments, but HITRUST will allow use of both the inclusive and exclusive methods on i1 assessments. Regardless of the assessment type or the approach utilized, the external assessor and/or assessed entity will be required to specify which method is utilized for each service provider relevant to the scope of an i1 assessment. Within the assessment object in MyCSF, the assessed entity and/or the external assessor is required to select Included or Excluded from a “Consideration in this Assessment” drop-down menu within the “Services Outsourced for In-Scope Platforms and Facilities” table on the “Scope of the Assessment” screen. (This value is locked to “Included” for all identified service providers relevant to the scope of r2 assessments.) This selected method will then be reflected in the final reports resulting from both r2 and i1 assessments.

Both approaches may be utilized in the same i1 assessment (e.g., using the inclusive approach on one service provider and the exclusive approach on another). Applying both the inclusive and carve-out methods for the same service provider is not permitted, and therefore only one method can be selected for each service provider relevant to the scope of the assessed entity’s assessment. In instances in which a requirement is partially performed by the assessed entity and partially performed by a carved-out service provider, the assessed entity’s and/or external assessor’s commentary must clearly reflect that the requirement’s control maturity scoring is reflective of just the requirement’s performance by the assessed entity.

When the Inclusive method is utilized on i1 assessments, the same options are available for using the work of others as exist on r2 assessments:

• Inheritance of results or reliance upon another validated HITRUST CSF assessment,
• Reliance on audits and/or assessments performed by a third party, and/or
• Reliance on testing performed by the assessed entity (i.e., by internal assessors).

When inheritance or reliance methods are utilized to address requirements performed by a service provider, that service provider must be marked as Included within the “Services Outsourced for In-Scope Platforms and Facilities” table on the “Scope of the Assessment” screen within MyCSF.

Cross-assessment-type inheritance is allowed, meaning that an r2 assessment’s results can be inherited into an i1 assessment (and vice versa). However, only the implemented level’s scoring can be inherited when inheriting from an i1 assessment into an r2 assessment given that i1 assessments only consider the implemented maturity level. This limitation does not absolve those involved in the inheriting r2 assessment from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on supplemental validation procedures or (b) scoring the policy, procedure, measured and managed scores at 0 to reflect the inability to ascertain scoring on these control maturity levels.

While HITRUST anticipates that most organizations who publish their HITRUST assessments for external inheritance will use r2 assessments instead of i1 assessments, service providers such as Cloud Service Providers (CSPs) do have the option to only perform and publish i1 assessments. In this case, their customers/tenants inheriting from them will be limited to inheriting only the implemented scoring and commentary (no policy, procedure, measured, or managed scoring will be available for inheritance).

Changes to HITRUST CSF reports
In addition to introducing the HITRUST Implemented, 1-year i1 Certification, HITRUST is applying layout and formatting updates to the HITRUST Risk-based, 2-year r2 Certification reports, as follows:

Changes to r2 reports

 
*As defined in HITRUST Assurance Advisory 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

**Various sections noted above may include minor wording changes in order to differentiate between the HITRUST Risk-based, 2-year r2 Validated Assessment and the HITRUST Implemented, 1-year i1 Validated Assessment.

Differences between i1 and r2 reports

 
*Various sections noted above may include minor wording changes in order to differentiate between the HITRUST Risk-based, 2-year r2 Validated Assessment and the HITRUST Implemented, 1-year i1 Validated Assessment.

Additional resources
For a list of anticipated questions please click here. For an example of the HITRUST Implemented, 1-year (i1) Certification Report click here and for an example of the HITRUST Risk-based, 2-year (r2) Certification Report click here. For any additional questions, please contact our Support Team or a HITRUST Customer Success Manager.

 Save as PDF

Overview

Several changes have been introduced to the contents and format of the CSF Validated Assessment Reports and Readiness Assessment Report in order to:

• Streamline the presentation of information
• More clearly present assessment scope
• Accommodate changes to format of organization and scoping information introduced in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

The changes to the HITRUST CSF Validated Assessment and Readiness Assessment Reports are being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

HITRUST CSF Validated Assessment Report

The updates to the HITRUST CSF Validated Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Report to view a sample report.

HITRUST CSF Validated Assessment Letter with Scope

The updates to the HITRUST CSF Validated Assessment Letter with Scope are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Letter with Scope to view a sample report.

HITRUST CSF Readiness Assessment Report

The updates to the HITRUST CSF Readiness Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Readiness Assessment Report to view a sample report.

Assessment Context

The Assessment Context section of the HITRUST CSF Validated Assessment Report, HITRUST CSF Validated Assessment Letter with Scope, and HITRUST CSF Readiness Assessment Report has been updated to remove the following content:

• Organization Name and Mailing Address have been removed because this information is also included in the Letter of Certification or Validation section of the reports and letter.
• Contact Name, Job Title, and Email Address have been removed as relying parties typically already have a point of contact at the Assessed Entity.
• Company Background has been removed because this information is already included in the Scope of Systems in the Assessment section.
• Number of Employees has been removed because it was not a tailoring question to derive the Assessed Entity’s customized set of HITRUST CSF requirements.

Scope of the Assessment

The Scope of Systems in the Assessment section of the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope has been redesigned to more clearly communicate the scope of the assessment. The updates to this section also reflect the introduction of Webforms, which replaced the legacy Organizational Overview and Scope document. For more information related to the Organization Information and Scope of the Assessment Webforms, see HAA 2021-009: HITRUST MyCSF Enhancements – Webforms.

The Scope of Systems in the Assessment section now contains the following subsections:

• Company Background: The Company Background is populated with the contents of the Organization/Company Background field of the Organization Information Webform within MyCSF. This section may include information that would have previously been included within the legacy Organization and Industry Segment Overview and Services / Products Provided subsections.
• In-scope Platforms and Facilities: The In-scope Platforms and Facilities is populated with the contents of the Platforms/Systems table and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the in-scope platforms/systems that would have previously been included within the legacy Scope Overview subsection.
• Services Outsourced: The Services Outsourced is populated with the contents of the Services Outsourced for In Scope Platforms and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the same information as the legacy Services Outsourced subsection, but in a tabular format for clarity.
• Overview of the Security Organization: The Overview of the Security Organization is populated with the contents of the field of the same name in Organization Information Webform within MyCSF. This section includes information that would have previously been included within the legacy HITRUST CSF Validated Assessment Report section Security Program Analysis.

The subsections of the legacy Scope of Systems in the Assessment section that have been removed from the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope are:

• Primary Systems: The Primary Systems subsection has been removed because this information now appears in the In-scope Platforms and Facilities subsection.
• Scope Diagram: The optional Scope Diagram has been removed because the information typically displayed in the diagram will now be included in the In-Scope Platforms and Facilities subsection.

Removal of Security Program Analysis

The legacy Security Program Analysis section of the HITRUST CSF Validated Assessment Report has been removed. The subsections of the legacy Security Program Analysis section have been moved to other sections of the report or removed as follows:

• Overview of the Security Organization: The Overview of the Security Organization has been moved to the Scope of the Assessment section.
• Types of Security Tools Deployed: The list of security tools deployed has been removed from the HITRUST CSF Validated Assessment Report as it is not necessary to readers of the report.
• Third-Party Assessments: Any attestation reports issued by a third-party that are utilized during the External Assessor’s validation procedures through external inheritance or reliance are now captured in MyCSF within the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms). The contents of that webform are included in the new Procedures Performed by the External Assessor section of the HITRUST CSF Validated Assessment Report.

Procedures Performed by the External Assessor

The Procedures Performed by the External Assessor section has been added to the HITRUST CSF Validated Assessment Report. This section contains a description of the procedures performed by the External Assessor to validate the Assessed Entity’s asserted control maturity scores. This section also includes a table outlining all attestation reports issued by third-parties that were utilized by the External Assessor in lieu of direct testing. The table is populated from the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms).

Removal of Appendix A – Testing Summary

The legacy Appendix A – Testing Summary of the HITRUST CSF Validated Assessment Report has been removed. The External Assessor will no longer be required to provide the lists of documentation reviewed, interviews conducted, and technical testing performed. Instead, the Procedures Performed by the External Assessor section now includes a standard description of the types of procedures that the assessor may have performed, which include:

• Inquiry with key personnel
• Inspection of system-generated access listings, logs, configuration settings, sample items and/or evidence,
• On-site observations
• Reperformance of procedures performed by customer personnel

Implementation

HITRUST CSF Validated Assessment

These report updates will affect HITRUST CSF Validated Assessment Reports and HITRUST CSF Validated Assessment Letters with Scope for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all of the following criteria on February 15, 2022:

• Assessment has not previously been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state
• No Assessment Domains have been submitted to the External Assessor for review

The HITRUST CSF Letter (without scope) and HITRUST CSF NIST Reports are not affected by the changes described in this advisory.

HITRUST CSF Readiness Assessments

These report updates will affect HITRUST CSF Readiness Assessment Reports for all Readiness Assessments created on or after February 15, 2022 as well as all existing Readiness Assessments meeting all of the following criteria on February 15, 2022:

• Assessment has never been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

Interim Letters and Bridge Certificates are not affected by the changes described in this advisory.

Additonal Resources

Sample – HITRUST CSF Validated Assessment Report
Sample – HITRUST CSF Validated Assessment Letter with Scope
Sample – HITRUST CSF Readiness Assessment Report

 Save as PDF

Overview

Tasks in MyCSF give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to track and respond to questions and follow-up items from HITRUST during assessment check-in and QA. Each task contains an action item for the Assessed Entity or External Assessor resulting from the check-in or QA review of the assessment by HITRUST.

Some benefits of tasks in MyCSF include:

• Eliminates email communication from QA Analyst to Assessed Entity or External Assessor
• Automates notifications to Assessed Entity or External Assessor when tasks are created
• Clearly outlines (through individualized action items) what is needed to complete QA, including which party is responsible for completion
• Better tracking of open items that need to be addressed by either Assessed Entity or External Assessor to complete QA
• Better visibility on how long QA items have been open and the state the assessment is in
• Ability to categorize tasks for trending analysis and the ability for HITRUST to provide more meaningful feedback to assessor firms

Task functionality is being introduced into MyCSF as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Tasks During Check-in

When HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments are submitted to HITRUST, they enter the Performing Check-In phase in which HITRUST performs automated QA checks and a high-level review of the assessment. Refer to HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows for more information related to the Check-In phase.

For Validated Assessments, when the check-in review identifies a small number of potential issues, typically related to the required documents and webforms (e.g. Organization Information, Scope of the Assessment, Factors, VRA, Management Representation Letter, Test Plans, External Assessor Time Sheet, QA Checklist, and Audits and Assessments Utilized), HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST and the QA review will begin during the reserved QA Block.

For Validated Assessments, when the check-in review identifies a larger number of potential issues, rather than creating Check-In tasks, HITRUST reverts the assessment back to the Performing Validation phase and supplies the External Assessor and Assessed Entity with a set of pre-QA quality recommendations to address the potential issues identified. For more information, refer to the Performing Check-In section of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.

For Interim and Bridge Assessments, when questions arise during the check-in review, HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST and enter a queue to await the QA review.

For Readiness Assessments, when the check-in review identifies an error with the Management Representation Letter, HITRUST will create a Check-In Task for the Management Representation Letter to be corrected. After the Check-In Task has been resolved by the Assessed Entity, the assessment will be accepted by HITRUST and HITRUST will prepare the draft report.

Tasks During QA

HITRUST CSF Validated, Interim, and Bridge Assessments undergo a Quality Assurance Review performed by a HITRUST QA Analyst.

As the QA Analyst performs their review of the assessment, they will create QA Tasks for the External Assessor and Assessed Entity to address. All Assessed Entity and External Assessor users with access to the assessment in MyCSF will have access to view all tasks created within an assessment and may edit the Tasks assigned to their group.

Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. However, if the QA review identifies more significant QA concerns than normal, rather than creating tasks, HITRUST will provide the External Assessor with a workbook outlining the QA concerns, communicate via email to the External Assessor and Assessed Entity, and will meet with the External Assessor to review those concerns to bring them to resolution.

Task Management View

Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment will contain an Assessment Task Management page that can be accessed by clicking Tasks in the left navigation bar within an assessment. The Assessment Task Management page is where Check-In and QA Tasks for a particular assessment can be addressed and where the status of open and pending tasks can be tracked.

When the Assessment Task Management page is accessed by an Assessed Entity or External Assessor user, the My Task Queue displays all open tasks assigned to the user’s group. For a listing of all tasks within the assessment, the All Tasks tab may be viewed by any user.

The My Task Queue and All Tasks tabs contain the following task information:

• Assessment Task Number: The unique identifier assigned to the task
• Name: The name of the task
• Organization Name: The Assessed Entity organization name
• Assessment Name: The name of the Assessment that the task is for
• Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
• Type: The type of task (General or Proposed. See the Types of Tasks section below for the details of each task type)
• Date Opened: The date that HITRUST initially opened the task
• Date Assigned: The date the task was assigned to the group it is currently assigned
• Days Assigned: The number of days the task has been assigned to the current group since it was last assigned
• Date Completed: The date that HITRUST closed the task
• Status: The status of the task (Open, Pending, or Closed)
  • Open: The task is assigned to the Assessed Entity or External Assessor awaiting a response.
  • Pending: The Assessed Entity or External Assessor has responded to the task and the task is awaiting review by the Check-in or QA Analyst.
  • Closed: the HITRUST Check-in or QA Analyst agrees that the task has been addressed and can be considered complete.

The Assessment Task Management page also contains a pie chart displaying the number of open and pending tasks assigned to each group, as well as a banner indicating whether there are any requirement statements or CAPs within the assessment that require attention due to a change made via a task.

In addition to the assessment-specific Task Management page, Assessed Entity and External Assessor users may access a global Task Management page from the top navigation bar of MyCSF to view tasks within all assessments to which the user has access. When accessing either the global Task Management page or an assessment-specific Task Management page, the user may sort and filter the tasks displayed based on the task type, current assigned group, status, and more. Additionally, users have the option to download a .CSV file containing task information.

Additional information related to the status of tasks and other open items may be accessed via the Assessment Details View (see HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards for details).

Types of Tasks

During Check-in and QA, two types of tasks may be created: General Tasks and Proposed Tasks.

General Tasks

A general task opens a screen or a field to be edited by the Assessed Entity or External Assessor.

For example, a general task could allow the:

• Assessed Entity to edit the Organization Information or the Scope of the Assessment Webform.
• External Assessor or Assessed Entity to edit the Audit and Assessments Utilized Webform.
• Assessed Entity to edit the Representation Letter Webform.
• Assessed Entity to edit the Validated Report Agreement Webform.
• Assessed Entity to update a CAP (Corrective Action Plan) response.
• Assessed Entity to edit a Not Applicable rationale.
• External Assessor to edit document linkages for a requirement statement.

Within a general task, the Assessed Entity and External Assessor will see the following:

• Assessment Task Number: The unique identifier assigned to the task
• Description: A description of the task
• Name: The name of the task
• Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
• Created: The date that HITRUST initially opened the task
• Last Assigned: The date that the task was assigned to the group to which it is currently assigned
• Status: The status of the task (Open, Pending, or Closed)
• Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.)
• Field to be Updated: When the assessment field that the task pertains to can be updated within the task itself, the field name and its current value are present within the task. If an assessment field is not present within the task, an Assessment Location link can be used to access the area of the assessment to which the task pertains to make the requested update in that location.
• HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task
• New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task.
• History: A log of the creation and assignment changes of the task, as well as any changes to assessment fields made within the task

During Check-In and QA, HITRUST will initially assign all general tasks to the External Assessor. This allows the External Assessor to review each general task and take one of the following next steps:

• Address the task: When the general task includes a request from HITRUST to update document linkages, Test Plans, the External Assessor Time Sheet, or the Audits and Assessments Utilized Webform, the External Assessor may address the task by making the requested update on the relevant assessment page. After making the requested update, the External Assessor should leave a comment within the task to state the update that was made and should send the task back to HITRUST.
• Leave a comment within the task and send it back to HITRUST: If the External Assessor would like to respond to the task by leaving a comment or question for the Check-in or QA Analyst, the External Assessor may enter their comment within the task and send the task back to HITRUST. Some examples for when this option may be used are:
  • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the External Assessor may answer the question by leaving a comment within the task and sending the task to HITRUST.
  • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not understand the request or has a question related to the request. In this case, the External Assessor may leave their question as a comment within the task and send the task to HITRUST.
  • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not agree with the request. In this case, the External Assessor may leave a comment within the task to explain their disagreement and send the task to HITRUST.
• Send the task to the Assessed Entity to be addressed: When the general task is a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the general task should be sent to the Assessed Entity.

When the External Assessor has assigned a general task to the Assessed Entity, the Assessed Entity may take one of the following next steps:

• Leave a comment within the task and send it back to the External Assessor: If the Assessed Entity would like to respond to the task by leaving a comment or question for the External Assessor or the HITRUST Check-in or QA Analyst, the Assessed Entity may enter their comment within the task and send the task back to the External Assessor.
  • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the Assessed Entity may answer the question by leaving a comment within the task and sending the task to External Assessor.
  • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not understand the request or has a question related to the request. In this case, the Assessed Entity may leave their question for the External Assessor or HITRUST as a comment within the task and send the task to the External Assessor.
  • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not agree with the request. In this case, the Assessed Entity may leave a comment within the task to explain their disagreement and send the task to the External Assessor.
• Address the task: When the general task includes a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the Assessed Entity may address the task by making the requested update. Depending on the instructions within the task, the requested update will either be made within the task itself or on the relevant page of the assessment. After addressing the task, the Assessed Entity should leave a comment within the task to state the update that was made and should send the task back to the External Assessor.

General tasks may be sent back and forth between the Assessed Entity and External Assessor as many times as needed for the task to be addressed. When the task has been addressed, the External Assessor should send the task to HITRUST. After the general task has been sent back to HITRUST by the External Assessor, HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to explain any additional action needed and send the task back to the External Assessor.

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a general task may generate additional requirement statements or CAPs that must be addressed before Check-in or QA is completed. (For more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.) When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA:

• When a requirement statement score is updated through a general task, the requirement statement will have a status of External Assessor Review Pending to allow the External Assessor to review and thumb up the updated score and link documents as needed.
• When a requirement statement score is lowered through a general task, after the External Assessor has reviewed and thumbed up the score, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP.

Proposed Tasks:

A proposed task allows HITRUST to propose a specific value for a field. For this type of task, the Assessed Entity or External Assessor can only apply the value proposed by HITRUST and cannot change any other fields within MyCSF.

For example, a proposed task can be used to change a:

• Technical Factor answer from ‘No’ to ‘Yes’ or vice versa.
• Geographical Factor answer from drop-down menu options.
• Requirement which has been scored to Not Applicable.
• Maturity level score to a specific proposed value.

Within a proposed task, the Assessed Entity and External Assessor will see the following:

• Assessment Task Number: The unique identifier assigned to the task
• Description: A description of the task
• Name: The name of the task
• Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
• Created: The date that HITRUST initially opened the task
• Last Assigned: The date the task was assigned to the group it is currently assigned
• Status: The status of the task (Open, Pending, or Closed)
• Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.).
• Field to be Updated: The name of the assessment field that the proposed change is for, as well as its current value and proposed value
• HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task
• New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task.
• History: A log of the creation and assignment changes of the task as well as any changes to assessment fields made within the task.

During Check-In and QA, HITRUST will initially assign all proposed tasks to the External Assessor. This allows the External Assessor to review each proposed task and take one of the following next steps:

• Apply the Proposed Change: The External Assessor may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. The External Assessor is expected to discuss any proposed changes with the Assessed Entity prior to applying them. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline whether a factor response or requirement statement score was changed, the email address of the individual who applied the proposed change, and whether there is a new requirement statement or CAP to be addressed.
• Reject the Proposed Change: If the External Assessor does not agree with the proposed change, the External Assessor may reject the proposed change. When rejecting the proposed change, the External Assessor is required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST.
• Send the task to the Assessed Entity to be addressed: If the External Assessor would like the Assessed Entity to review the task and make the decision to either apply or reject the proposed change, the External Assessor may send the task to the Assessed Entity.

When the External Assessor has assigned a proposed task to the Assessed Entity, the Assessed Entity may take one of the following steps:

• Apply the Proposed Change: The Assessed Entity may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline: whether a factor response or requirement statement score was changed; the email address of the individual who applied the proposed change; and whether there is a new requirement statement or CAP to be addressed.
• Reject the Proposed Change: If the Assessed Entity does not agree with the proposed change, the Assessed Entity may reject the proposed change. When rejecting the proposed change, the Assessed Entity will be required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST.

When the proposed task has been either applied or rejected by the Assessed Entity or the External Assessor, it will be automatically sent back to HITRUST. HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to provide additional explanation or answer a question and send the task back to the External Assessor. If a proposed task has been rejected and a different change needs to be proposed, HITRUST will create a new proposed task. Additionally, if any new issues are identified during check-in or QA, a new proposed task will be created.

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a proposed task may generate additional requirement statements or CAPs that must be addressed before QA is completed (for more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows). When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA:

• When a factor response updated through a proposed task, additional requirement statements may be added to the assessment in the status Response Needed for New Statement to allow the Assessed Entity to score the requirement statement and then the External Assessor to review and link documents.
• When a requirement statement score is lowered through a proposed task, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP.

Notification of Check-in and QA Tasks

Throughout the Check-in and QA processes, the Assessed Entity and External Assessors assigned to the assessment will receive email and MyCSF notifications each time that the assessment changes phase. Those notifications include information related to tasks and other open items. For more information see HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.

Assessed Entities and External Assessors will also receive two summary emails for assessments that are undergoing Check-In and QA. The two additional email notifications are:

• Open Item Summary: A summary of all open items (tasks, requirement statements, and PQIs) assigned to the Assessed Entity, External Assessor, and HITRUST for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received weekly by default. However, users have the option to set their email preferences to receive it daily.
• New Item Summary: A summary of all new items (tasks, requirement statements, and PQIs) assigned to you for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received daily by default. However, users have the option to set their email preferences to receive it hourly, daily, weekly, or never.

For instructions on configuring the frequency of these summary emails please see Summary Email Preferences.

Implementation

HITRUST CSF Validated Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all the following criteria on February 15, 2022:

• Assessment has not previously been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state
• No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

Tasks will be utilized during the Check-In Review for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all the following criteria on February 15, 2022:

• Assessment has never been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state

Additional Resources

A video walk-through of the process for responding to tasks is available here.

 Save as PDF

Overview

New webforms are being introduced into MyCSF assessments as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts build upon each other:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

The new webforms give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to enter organization and scope information directly into MyCSF; electronically sign key documents; and easily request draft report revisions.

Benefits of these newly added webforms:

• Streamlines MyCSF data entry to prevent redundancy and clarify assessment scope.
• Eliminates risk of uploading incomplete offline documents and unreadable scanned images.
• Introduces new quality check automation and tool tips that provide real time feedback to help avoid common scoping issues.
• Streamlines presentation of scope in a tabular format inclusive of in-scope platforms and facilities.
• Clarifies association between platforms and their residing facilities.
• Simplifies identification of relevant third-party service providers.
• Introduces ability for Assessed Entities to specify draft report revisions and clearly track HITRUST responses to revision requests.

Summary of Changes

The introduction of webforms eliminates the need for the Assessed Entity and External Assessor to populate and upload the following offline templates: Organizational Overview & Scope document, Management Representation Letter, Validated Report Agreement, and QA Checklist.

The Organizational Overview and Scope document will no longer be utilized. The organization and scoping information previously included within the Organizational Overview and Scope document will now be entered into MyCSF via webforms as follows:

The Management Representation Letter, Validated Report Agreement, and QA Checklist are integrated into MyCSF, providing the Assessed Entity and External Assessor the ability to sign the documents electronically.

Additionally, the draft report revision request form has been updated to include new input fields that allow the Assessed Entity to clearly identify each revision request.

Organization Information Webform

The Organization Information section for HITRUST CSF Validated and Readiness assessments has been redesigned to serve as the primary location for entering background information about the Assessed Entity and their security organization, as well as their contact information and mailing address.

To prevent redundancy, the Organization/Company Background and Overview of the Security Organization (previously provided in both MyCSF and the offline Organizational Overview and Scope document) will now be provided only through completion of the Organizational Information webform in MyCSF. The Organization Information webform contains guidance and tips to aid the Assessed Entity in providing appropriate content for the Organization/Company Background and Overview of the Security Organization fields.

For more information, see the instructions for completing the Organization Information webform in Pre-Assessment Webforms. To view an example of the Organization Information webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

Scope of the Assessment Webform

For HITRUST CSF Validated and Readiness assessments, the new Scope of the Assessment section of MyCSF streamlines the existing Systems and Facilities tables into a single webform that is now required to be completed by the Assessed Entity. The webform also includes a section for identifying outsourced service providers in tabular format, which replaces the free text field labeled “List any IT or security services outsourced and the third party(ies) involved” which was previously included on the Organization Information page.

Prior to the introduction of webforms, the Assessed Entity was required to identify the in-scope systems, facilities, and outsourced services within the offline Organizational Overview and Scope document, in addition to (optionally) identifying the in scope systems and facilities within the Systems and Facilities table in MyCSF. For Validated and Readiness Assessments with webforms enabled, the offline Organizational Overview and Scope document will be retired and the new Scope of the Assessment webform will become the primary location for defining the platforms/systems, facilities, and services outsourced for the in-scope environment.

For more information, see the instructions for completing the Scope of the Assessment webform in Pre-Assessment Webforms. To view an example of the Scope of the Assessment webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

QA Checklist Webform

The QA Checklist for HITRUST CSF Validated Assessments (previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer) has been digitally integrated into MyCSF.

Prior to signing the QA Checklist webform, the Engagement Executive and QA Reviewer must be assigned by an External Assessor via a drop-down menu on the assessment’s Name & Security page. Each drop-down will contain a list of all External Assessors with access to the assessment. The user making the assignments must select an individual holding a CCSFP certification for Engagement Executive and an individual holding a CHQP certification for QA Reviewer.

The QA Checklist webform introduces several business rules that eliminate incomplete submissions and errors, and reduces the risk of uploading unreadable scanned images.

• To ensure that the correct individuals sign each QA Checklist webform item, only assigned Engagement Executives and QA Reviewers can sign the QA Checklist webform. Further, the Engagement Executive and QA Reviewer can only sign those items on the QA Checklist that apply to their role.
• MyCSF restricts the ability to sign off on the QA Checklist webform until the Test Plan has been uploaded and the External Assessor Time Sheet has been completed.
• MyCSF prevents completion of the assessment’s Performing Validation phase until each item on the QA Checklist webform has been verified by the appropriate individual. For visibility, all External Assessors with access to the assessment will have the ability to view the QA Checklist webform.

Audits and Assessments Utilized Webform

The Audits and Assessments Utilized webform is a new, required MyCSF webform for HITRUST CSF Validated Assessments. The Audits and Assessments Utilized webform is completed by the Assessed Entity and External Assessor to document reliance placed on the work of others through either the usage of the external inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. This new webform replaces the Third-Party Assessment section of the offline Organizational Overview and Scope document.

The Audits and Assessments Utilized webform should be used to identify where the External Assessor relied upon a third-party attestation report or used external inheritance during the assessment. For example:

• Scenario A: If an in-scope platform is hosted by a public cloud provider and the External Assessor used external inheritance on certain physical security requirements that were the responsibility of the cloud service provider. the cloud service provider’s inherited HITRUST CSF assessment automatically will be identified in this webform.
• Scenario B: If a relevant managed IT services provider’s third-party attestation report (e.g., SOC 2 Type II) is relied upon by the external assessor to reflect the service provider’s performance of one or more HITRUST CSF requirements, the managed IT services provider’s third-party attestation report should be described in this webform.
• Scenario C: If the External Assessor directly tests certain requirements owned by the assessed entity’s colocation provider instead of using external inheritance or reliance on a third-party-issued attestation report, that colocation provider would not need to be discussed in the Audit and Assessments Utilized webform (as no third-party audit or assessment report associated with the colocation provider was used). However, the colocation provider would need to be identified in the Organization Information webform described above.

The two possible utilization approaches that determine how the Audits and Assessments Utilized webform is populated are Inheritance and Reliance.

• Inheritance: When external inheritance is applied to a requirement statement by the Assessed Entity, MyCSF automatically adds the associated HITRUST CSF assessment that was externally inherited and populates that HITRUST CSF assessment’s details into the Audits and Assessments Utilized webform (including the assessment name, type, report date, and assessment domains for which external inheritance was utilized). The External Assessor will be required to complete the assessed organization name field and map the inherited HITRUST CSF assessment to related in-scope platforms and facilities within the Audits and Assessments Utilized webform.
• Reliance: For any third-party attestation reports being relied upon, the External Assessor or Assessed Entity (depending on who uploaded the document) must tag the report within the Documents repository or within the requirement statement (if uploading the document within a particular requirement statement) by checking the box labeled, “Is this an attestation report issued by a third party?” After tagging the document as an attestation report issued by a third party, the External Assessor or Assessed Entity populate the various report details, including assessed organization, report type, and report dates. The External Assessor or Assessed Entity must then map the utilized third-party attestation report to the related in-scope platforms and facilities within the Audits and Assessments Utilized webform.

If the offline assessment template is utilized, the External Assessor or Assessed Entity may tag documents as attestation reports issued by a third party by selecting “Yes” in the “Third Party Report?” column within the Documents tab of the offline assessment workbook. After uploading the offline assessment, the External Assessor or Assessed Entity must enter the assessed organization, report type, and report dates within the Audits and Assessments Utilized webform. Finally, the External Assessor or Assessed Entity must map the utilized third-party attestation report to the in-scope Platforms and Facilities that are supported by the relied-upon assessment within the Audits and Assessments Utilized webform.

For more detailed instructions, see Audits and Assessments Utilized Webform. To view an example of the Audits and Assessments Utilized webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

Management Representation Letter Webform

The Management Representation Letter (Rep Letter) for HITRUST CSF Validated and Readiness Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.

The Rep Letter webform in MyCSF is completed by the Assessed Entity after the External Assessor team’s fieldwork period has ended and the External Assessor Timesheet has been completed. The Assessed Entity completes the Rep Letter webform by:

• Setting the Rep Letter date on or within two weeks following the end date of the External Assessor’s fieldwork period on the External Assessor Time Sheet.
• Entering the name, job title, and email address of the individual who will sign the Rep Letter.
• Uploading the organization’s logo.

Once the webform is complete, a request to electronically sign the Rep Letter is sent to the designated management representative for signature via electronic signature workflow. The signer of the Rep Letter may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. Once signed, the Rep Letter will automatically be loaded into MyCSF and emailed to the individual who signed it.

Validated Report Agreement Webform

The Validated Report Agreement (VRA) for HITRUST CSF Validated Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.

The VRA webform can be completed by the Assessed Entity at any time, and in any phase, prior to submitting the assessment to HITRUST. The Assessed Entity completes the VRA webform by:

• Entering the name, job title, and email address of the individual who will sign the VRA.
• Entering the address of the organization.

Once the webform is populated with the required information, a request to electronically sign the VRA is sent to the designated individual. The signer of the VRA may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. After being signed by the Assessed Entity, the VRA is automatically routed to HITRUST for electronic signature. The Assessed Entity and External Assessor should allow up to one business day for the VRA to be signed by HITRUST. The Assessed Entity may contact their HITRUST Customer Success Manager or sales@hitrustalliance.net with any questions related to signing of the VRA.

Once signed by both parties, the VRA automatically will be loaded into MyCSF (within one hour) and emailed to the individuals who signed it. At that time, a green checkmark will appear next to the link to the Validated Report Agreement on the left navigation bar of MyCSF to indicate that the agreement has been fully signed.

MyCSF requires that the VRA is signed by both parties — the Assessed Entity and HITRUST — prior to the assessment being submitted to HITRUST. For that reason, ensure that the VRA is sent for signature with enough time for both parties to sign the agreement prior to the assessment’s planned submission date.

Draft Report Revision Request Webform

The process to submit and manage draft report revision requests for HITRUST CSF Validated and Readiness Assessments has been transformed into an interactive process using webforms. The updated Revision Request webform includes new input fields that allow the Assessed Entity to clearly identify each revision request. For each revision request, the Assessed Entity must indicate:

• Location of the requested revision identified by the report, section, and page number
• Current text present in the report to be revised
• Proposed text for the revision

After adding all revision requests to the webform, the Assessed Entity submits the requests to HITRUST. As the HTRUST QA Analyst reviews each revision request, the status of each request will be identified as Not Started, Completed, or Not Accepted. For any requests Not Accepted by HITRUST, the QA Analyst will provide an explanation within the “Rationale” section of the webform.

Once HITRUST addresses all revision requests, the Assessed Entity is notified and may either request additional revisions or approve the draft report via the “Approve HITRUST CSF Draft Report” button. The approval process in MyCSF has not changed.

For more detailed instructions, see Draft Report Revision Requests.

Implementation

HITRUST CSF Validated Assessments

All updates discussed above will be automatically enabled for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all of the following criteria on February 15, 2022:

• Assessment has not previously been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state
• No Assessment Domains have been submitted to the External Assessor for review

HITRUST CSF Readiness Assessments

Updates to the Organization Information, Scope of the Assessment, Representation Letter, and Draft Report Revision Requests will be automatically enabled for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all of the following criteria on February 15, 2022:

• Assessment has never been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

The new webforms do not impact Interim and Bridge assessments.

Additional Resources

FAQs: Webforms
Pre-Assessment Webforms
Audits and Assessments Utilized Webform
Draft Report Revision Requests

 Save as PDF

Overview

This enhancement to MyCSF introduces several status dashboards to provide transparency regarding assessment statuses, open action items and their ownership, and next steps in the assessment workflow. These dashboards include:

• Kanban View: A Kanban-style board that displays HITRUST CSF Validated Assessments as they move through each phase of the Validated Assessment Workflow. The board includes key details of each Validated Assessment, including:
  • Colored, circle badges depicting responsible parties for action items
  • Summary of open items per organization
  • Time elapsed in current phase
  • HITRUST-assigned point of contact
• Matrix View A spreadsheet-style view that displays the date the HITRUST CSF Validated Assessment has entered each phase of the Validated Assessment Workflow, as well as the number of days the assessment has been in each phase.
• Assessment Details View: A dashboard of assessment metadata and status information, including:
  • Key dates along the assessment timeline
  • Open items assigned to the Assessed Entity, External Assessor, and HITRUST
  • Assessment scope

Status dashboards are being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

 
Kanban View

The Kanban View, which can be accessed from the ‘Views’ page of MyCSF, visually depicts HITRUST CSF Validated Assessments as they move through the phases of the new Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows. The Kanban View contains a column for each phase of the Validated Assessment Workflow, and each accessible Validated Assessment is displayed as a card. As the assessment card moves through each phase of the workflow, the avatar at the top-right corner of the card corresponds to the color-coded group(s) who own the open action items required to be completed prior to moving to the next phase. Those icons are labeled as follows:

• AE: Assessed Entity (blue avatar)
• EA: External Assessor (purple avatar)
• HT: HITRUST (red avatar)

Assessed Entities and External Assessors may customize the Kanban View by configuring the data points and icons shown on their assessment’s cards. The available data points and icons include:

• Organization Name
• Assessment Name
• Type of Assessment
• External Assessor
• Days in Current Phase
• HITRUST QA Analyst
• Open Action Items
• Reservation Status

After configuring the data points as desired, Assessed Entities and External Assessors may save their customized views for easy access.

By default, the Kanban View will display all Validated Assessments assigned to the user. The view can be filtered to display a single assessment by searching for the Assessment Name. The view can also be filtered by the following:

• Organization Name
• External Assessor
• HITRUST QA Analyst

In addition to displaying Validated Assessments that are utilizing the new Validated Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows, the Kanban View may also be toggled to show the legacy workflow states and the Validated Assessments utilizing the legacy workflow.

Matrix View

The Matrix View, accessed from the ‘Views’ page of MyCSF, is a spreadsheet-style view of accessible HITRUST CSF Validated Assessments. The Matrix View is accessed within MyCSF or downloaded as a ‘.CSV’ file. The columns of the Matrix View show dates the Validated Assessment has entered each phase of the new Assessment Workflow and the number of days the assessment has been in each phase.

By default, the Matrix View will display all Validated Assessments accessible to the user. The view can be filtered to display a single assessment by searching for the Assessment Name. Similarly to the Kanban View, the Matrix View can be toggled to show Validated Assessments utilizing the Legacy Assessment Workflow.

Assessment Details Page

Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment has an Assessment Details Page accessed by clicking the assessment name within any assessment, or by clicking the assessment name on the Kanban View for Validated Assessments. The Assessment Details page is a dedicated page that summarizes information about the assessment including:

• Assessment Data: Organization Name, Assessment Name, Submission Date, etc.
• Assessment Scope: In-Scope Systems, Facilities and Outsourced Services (Validated and Readiness Assessments only)
• Open Items: Open Tasks, Requirement Statements, and PQIs broken down by owner (Assessed Entity, External Assessor, or HITRUST)
• Assessment Timeline: Timeline displaying the completed phases, current phase, and upcoming phases in the Assessment Workflow
• Days in QA: The number of days the assessment spent with each party (Assessed Entity, External Assessor, and HITRUST) during the QA phases

Implementation

Assessed Entities and External Assessors will have access to view all HITRUST CSF Validated Assessments on the Kanban View and Matrix View starting on February 15, 2022.

Effective immediately, all HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments have an Assessment Details Page.

Additional Resources

A video walk-through of each dashboard is available here.

 Save as PDF

Overview

A new Assessment Workflow is being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

• HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
• HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
• HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
• HAA 2021-010: HITRUST MyCSF Enhancements –Tasks and Notifications
• HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

The new Assessment Workflows for HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments replace the legacy assessment “states” with new “phases” that are designed to:

• Clarify the steps required to complete assessments and obtain final reports, interim letters, and bridge certificates.
• Clearly define ownership of each phase of an assessment.
• Provide improved transparency into the status of an assessment.
• Reduce reversions of the assessment during the workflow through the resequencing of phases.
• Standardize the phase names across HITRUST CSF Validated, Readiness, Interim, and Bridge assessment workflows.

New HITRUST CSF Validated Assessment Workflow

The new Assessment Workflow for HITRUST CSF Validated Assessments is comprised of 16 workflow phases. The diagram below displays the 16 workflow phases, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states. As shown in the diagram below, each phase maps to a legacy workflow state. However, the phases are more granularly defined to increase the transparency regarding assessment status and the remaining items needed to reach the next phase. The phases do not add steps to the process, but rather clarify the steps that should be performed by each party as part of the assessment process.

Throughout the process of completing a Validated Assessment, the Assessed Entity and External Assessor may view the status of the assessment at any time on a Kanban-style dashboard which tracks the Validated Assessment as it moves through each phase of the workflow. HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards describes several status dashboards being introduced as part of this suite of enhancements.

The table below summarizes each phase of the workflow. The Summary of Key Changes column highlights certain changes but is not a comprehensive list of changes. For a detailed description of each phase and the comprehensive list of changes see New Validated Assessment Workflow and Notifications or click on the phase name within the table.

New HITRUST CSF Interim and Bridge Assessment Workflow

The new assessment workflow for HITRUST CSF Interim and Bridge Assessments features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Interim and Bridge assessments, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states.

The table below summarizes each phase of the workflow. For a detailed description of each phase, see New Interim and Bridge Assessment Workflow and Notifications or click the phase name within the table.

New Readiness Assessment Workflow

The new assessment workflow for HITRUST CSF Readiness Assessments submitted for reporting features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Readiness assessments, including the primary owner of each phase, as well as a comparison to the legacy workflow states.

The table below summarizes each phase of the workflow. For a detailed description of each phase see New Readiness Assessment Workflow and Notifications or click the phase name within the table.

Implementation

HITRUST CSF Validated Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments that meet all of the following criteria on February 15, 2022:

• The assessment has not previously been submitted to HITRUST
• The assessment is in the Not Started or Answering Assessment state
• No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge Assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments that meet all of the following criteria on February 15, 2022:

• Assessment has never been submitted to HITRUST
• Assessment is in the Not Started or Answering Assessment state

Additonal Resources

FAQs: New Assessment Workflows
New Validated Assessment Workflow and Notifications
New Interim and Bridge Assessment Workflows and Notifications
New Readiness Assessment Workflow and Notifications

 Save as PDF

Overview

On or before December 4, 2021, HITRUST will introduce a new feature in MyCSF to allow Assessed Entities to preview the effects of upgrading the CSF version or making any other changes which impact the composition of a HITRUST CSF Validated or Readiness Assessment before the change is made.

Update: This feature is now available.

CSF Version Upgrade for a HITRUST CSF Validated or Readiness Assessment

Consistent with the CSF Versioning Policy announced in HAA 2021-005, all new versions of the HITRUST CSF will be displayed in MyCSF using the versioning syntax of v[Major].[Minor].[Errata]. In order to provide further transparency into the updates introduced in each new major, minor, and errata version of the CSF, MyCSF will allow Assessed Entities to preview the effects of upgrading their assessment to a new CSF version. The MyCSF preview functionality provides a high-level summary and a detailed report of all modifications that would result from upgrading the CSF version utilized for a particular assessment.

The Assessed Entity may preview and upgrade the CSF version at any time while the assessment is in the Answering Assessment state prior to any assessment domains being submitted to the External Assessor for validation.

If any new major, minor, or errata versions of the CSF are available, MyCSF displays the upgrade options to the Assessed Entity upon accessing any of the following pages:

• Organization Information
• Assessment Options
• Systems
• Facilities
• Default Scoring Profile
• Factors

The upgrade options could include the following based upon the version of the CSF that the assessment currently utilizes:

• The most recently released errata version for the same minor CSF version that the assessment is currently utilizing (Example: v9.5.0 to v9.5.1)
• The most recently released minor version for the same major CSF version that the assessment is currently utilizing (Example: v9.4 to v9.5.1)
• The most recently released major version of the CSF (Example: v8 to v9.5.1)

The Assessed Entity is presented with the option to preview the differences between their current assessment and the assessment that would be created upon upgrading to the version of the library selected by the Assessed Entity. MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

• Addition, Removal, or Modification of a Requirement Statement
• Modification of a Requirement Statement’s Illustrative Procedure
• Factor Added or Removed from a Requirement Statement
• Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
• Modification of the Control Level Implementation of a Requirement Statement
• Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
• Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with updating the CSF Version or to not apply the update.

Previewing a change to the composition of a HITRUST CSF Validated or Readiness Assessment

The preview functionality described above is also available at any time that the Assessed Entity attempts to make a change within MyCSF which will result in a modification to the composition of their HITRUST CSF Validated or Readiness Assessment. Examples of these changes include:

• Changing a Factor response
• Changing the following options on the Assessment Options page
  • Would you like only the controls required for certification or ALL CSF security controls?
  • Include privacy controls?

When making such a change to the assessment, MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

• Addition, Removal, or Modification of a Requirement Statement
• Modification of a Requirement Statement’s Illustrative Procedure
• Factor Added or Removed from a Requirement Statement
• Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
• Modification of the Control Level Implementation of a Requirement Statement
• Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
• Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with making the previewed changes or to not apply them.

Implementation

The CSF version upgrade and preview functionality described above will be implemented for all HITRUST CSF Validated and Readiness Assessments on or before December 4, 2021.
Update: This feature is now available.

 Save as PDF

Summary

To provide further transparency to the HITRUST Community a versioning policy for the HITRUST CSF is being introduced. The policy defines the criteria for updates to the HITRUST CSF and corresponding communications that can be expected from HITRUST.

Versioning Policy

All CSF versions will now observe the following syntax: v[Major].[Minor].[Errata]

In support of the syntax HITRUST will observe the following definitions:

Major Release (Example: v8.0.0, v9.0.0, v10.0.0):

• Changes to CSF structure including:
  • Adding, removing, or material changes to the Categories, Objectives, or Control References and corresponding descriptions
  • Updates to the taxonomy of the CSF
• An Assurance Advisory will be published to announce the change

Minor Release (Example: v9.1.0, v9.2.0, v10.1.0):

• Material changes to the CSF and related information in the platform including:
  • Changing the Control References required for certification or inclusion of Requirement Statements in an assessment
  • Adding, removing, or material changes to a Requirement Statement and/or Implementation Requirements
  • Adding, removing, or changes to Authoritative Sources, related Regulatory/Compliance Factors or mappings
  • Updates which result in a Requirement Statement moving to a different Control Reference, Domain, or Level
  • Material changes to Illustrative Procedures
  • Adding or removing General, Geographic, Organizational, or Technical Factors and/or related operational functionality
• An Assurance Advisory will be published to announce the change

Errata Release (Example: v9.1.2, v9.1.3, v10.0.1):

• Immaterial changes to the CSF and related information in the platform including:
  • Minor updates to CSF categorization vernacular (no material impact)
  • Changes to the Factor Type designation or Topics
  • Immaterial changes to a Requirement Statement and/or Implementation Requirements
  • Updates which do not result in a Requirement Statement moving to a different Control Reference, Domain, or Level
  • Immaterial changes to the Illustrative Procedures
  • Spelling, punctuation, grammatical, typos or stylistic corrections
• Adding, removing, or changes to Community Supplemental Requirements and related information in the platform, related Regulatory/Compliance Factors or mappings*
• An Assurance Advisory will not be published to announce the change. The new release will be available within MyCSF as an optional update to certain existing assessments and used as the default version for any newly created assessments after the release.

* Due to the nature of Community Supplemental Requirements, modifications do not rise to the level of a minor release, which necessitates an advisory/announcement to all HITRUST users.

Implementation and Timeline

Versioning of the HITRUST CSF

Effective as of the release of v9.5.0 all versions of the HITRUST CSF will observe the versioning syntax of v[Major].[Minor].[Errata] and CSF Versioning Policy.

MyCSF

Starting with v9.5.0, all CSF Library versions within MyCSF are displayed using the versioning syntax of v[Major].[Minor].[Errata]. Previous CSF Library versions will only display the major and minor release.

Additional Information

See HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF Version Upgrades for related MyCSF enhancements. For additional questions please contact our Support team.

 Save as PDF

Overview

HITRUST continually evaluates necessary changes in MyCSF based on community feedback and internal review. Through this review, HITRUST has identified enhancements to improve the overall assessment process. HITRUST is making the corresponding enhancements to the MyCSF platform which will apply to assessments utilizing HITRUST CSF versions 9.x and later.

Measured and Managed Maturity Level Options

Description

Within HITRUST CSF Validated assessments, scoring of the Measured and Managed maturity levels is not required. If included in the assessment, scoring of the Measured and Managed levels also subjects the assessment to additional QA checks resulting in additional processing time. As a result, HITRUST will update MyCSF to provide Assessed Entities with the ability to optionally remove these levels from their assessments if they do not plan on scoring them. The optional removal of these maturity levels from the assessment should help prevent accidental scoring and streamline data entry into MyCSF.

Implementation

Effective immediately, any newly created HITRUST CSF Validated assessment will require the Assessed Entity to select whether Measured and Managed maturity levels will be evaluated when configuring the assessment. The configuration option will appear within the “Assessment Options” menu and will ask “Will you be scoring Measured and Managed?”.

If “Yes” is selected then the Measured and Managed maturity levels will be included within each requirement statement for scoring.

If “No” is selected the Measured and Managed maturity levels will not be available for scoring. When downloading an offline assessment, the Measured and Managed maturity levels will remain in the downloaded Excel file. However, upon uploading the offline assessment, no Measured or Managed scores will be reflected in MyCSF if the option to score these levels was not selected in the “Assessment Options” menu.

Measured Level Independent and Operational Selections

Description

When evidence is attached to a requirement statement supporting a score in the Measured maturity level, the Subscriber must select whether the evidence is related to an “Operational” or “Independent” measure. To simplify the evidence attachment process, this selection will no longer be needed within MyCSF. The Subscriber will only need to select that the evidence applies to the Measured maturity level. It is still expected that the External Assessor will document within the testing results whether the measure was scored as “Operational” or “Independent”.

Implementation

Effective June 24, 2021, any newly created HITRUST CSF assessment will no longer display an option to select whether the evaluated measurement is “Independent” or “Operational”.

For offline assessments, the column in the “Requirement-Document Mapping” tab labeled “Measured: Operational or Independent?” will be renamed to “Maturity Measured Related?” with the only valid responses as “True” or “False”.

For existing assessments that have not previously been submitted to HITRUST for processing, this can be enabled upon request. To do so please email Support requesting the disablement of the Operational and Independent checkboxes for the Measured maturity level and include the following information:

• Organization Name as it appears in MyCSF
• Assessment Name as it appears in MyCSF

Scoping Factor Edit Checks

Description

HITRUST CSF assessments will include additional edit checks on the CSF version 9.x scoping factors listed below to avoid inconsistent responses.

• Is the system(s) accessible from the Internet?
• Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
• Is any aspect of the scoped environment hosted on the cloud?

The inconsistent answers were required to be changed during HITRUST’s QA which added additional processing time to certain assessments. This change is being made to avoid the possibility of inconsistent responses to these factors.

Implementation

HITRUST CSF assessments created on or after June 24, 2021 will include additional edit checks for the scoping factors listed below to avoid inconsistent responses. The rules will be applied to the following scoping factor questions:

When the system enforces the rule, the correct answer will be automatically populated and a message in MyCSF will inform the user that this rule was applied.

For any existing assessments where the three identified scoping factors were previously answered the new rules will not be applied; unless one or more of the three identified scoping factor responses were updated at which point the new rules would be applied.

Additional Resources

Click here for a list of anticipated questions and answers.

 Save as PDF

Overview

HITRUST assessments for CSF versions 9.x and later will no longer create CAPs for gaps that only exist at the Policy and/or Procedure maturity levels. This change is being made to continue HITRUST’s emphasis towards the Implemented maturity level, as described in HITRUST Assurance Advisory 2021-002, without compromising the integrity or Rely-Ability of the HITRUST CSF Certification.

Implementation and Timeline

HITRUST will not create a required CAP for a gap identified in the Policy and/or Procedure maturity level if there is not a gap at the Implemented maturity level. This change will be applied to start on June 24, 2021, as follows:

HITRUST CSF Validated Assessments

For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated Assessments participating in the Assurance Enhancements Beta Program, you will receive an alternate communication to describe how the change will be applied to your participating assessments.

Table 1

HITRUST CSF Readiness Reports

All HITRUST CSF Readiness Assessments created on or after June 24, 2021 will automatically be configured to not create a required CAP if gaps only exist at the Policy and/or Procedure maturity levels.

For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the change will be applied by MyCSF state.

Table 2

Reissuing Reports

Assessed Entities who are interested in optionally having a Final Report reissued to reflect this change must meet both of the following criteria in order to qualify:

• Have a recently issued Final Report (that used the prior CAP logic), which is defined as follows:
  • For HITRUST CSF Validated Assessment reports: An active certification in the ‘Final Report Posted’ state within MyCSF
  • For HITRUST CSF Readiness reports: A report dated no earlier than June 24, 2020
• Currently be an active MyCSF subscriber with access to the completed assessment (assessment cannot be archived).

Assessed Entities who purchased only the HITRUST CSF Readiness or Validated Assessment report without subscribing to MyCSF are ineligible to have their report reissued.

Qualified and interested Assessed Entities should contact their Customer Success Manager to obtain pricing information and initiate the reissuance process.

For Assessed Entities who do have their final report reissued, the following actions will be taken:

• Upon initiation of the reissuance process:
  • For HITRUST CSF Validated Assessments, the existing certified assessment within MyCSF will be decertified and the existing HITRUST CSF Validated Assessment report will be considered invalid.
  • For HITRUST CSF Readiness Assessments, no action will be taken.
• For both HITRUST CSF Validated and Readiness Assessments, a clone of the original assessment will automatically be made and put into a state of ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness Assessments. Upon creation of the clone, the original assessment will be automatically archived.
• A QA analyst will post the revised final report to MyCSF to the cloned assessment.
• For HITRUST CSF Validated Assessments:
  • The cloned assessment will be marked as certified using the date from the original assessment, so this change does not alter or extend the date of certification.
  • If applicable, the previously completed Interim Assessment will be linked to the cloned assessment.

 

Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments

For Assessed Entities who choose to optionally reissue a HITRUST CSF Validated Assessment report, there could potentially be an impact on their Interim Assessment. To understand the potential impact on their Interim Assessment, Assessed Entities and their External Assessors should review the following scenarios.

Scenario 1 – The Interim Assessment has not been generated by MyCSF
The Interim Assessment will be automatically generated based upon the new cloned Validated Assessment.

Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been submitted to HITRUST
Upon initiating the reissuance process, the existing Interim Assessment will be refreshed to remove any requirements that were CAPs but have been moved to gaps based upon the change in CSF Validated Assessment and maintain at least one requirement per domain within the Interim Assessment.

Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the Interim Letter has not been posted
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Scenario 4 – The Interim Assessment has already been completed
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Additional Resources

Click here for a list of anticipated questions and answers.


 Save as PDF

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

• For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
• For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
• For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements are being modified:

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.

 Save as PDF

Policy/Program Change Details

Summary

On July 1, 2021, HITRUST will enable a Reservation System within the HITRUST MyCSF platform, requiring Assessed Entities to schedule the start of quality assurance (QA) procedures for HITRUST CSF Validated Assessments. The Reservation System is designed to:

• Eliminate the uncertainty around when HITRUST’s QA procedures will begin,
• Allow Assessed Entities and their HITRUST Authorized External Assessor Organizations to schedule resources to respond to HITRUST’s QA feedback, and
• Provide the opportunity for QA to occur closer to the submission date.

Key Considerations

Making a Reservation

• All Assessed Entities will be required to make a reservation prior to submission of their HITRUST CSF Validated Assessment. The reservation can be made any time prior to submission; however, HITRUST encourages Assessed Entities to make their reservations as early as possible. The Reservation System will allow reservations up to one year in advance.
• A Validated Assessment Report Credit is required to make a reservation. If you do not have a Validated Assessment Report Credit, you will receive a prompt to contact your Customer Success Manager in order to purchase a Validated Assessment Report Credit.
• The submission date of the assessment to HITRUST must be entered into MyCSF as part of the reservation process. Assessed Entities should work carefully with their HITRUST Authorized External Assessor Organizations to plan their submission date as this is the deadline to submit the assessment to HITRUST. Failure to submit the assessment by the submission date will result in cancellation of the reservation, and a new reservation will need to be made.
• Reservation slots occur within QA Blocks. QA Blocks are one-week periods where HITRUST will begin QA procedures. Each QA Block contains a set number of reservations that are possible, with MyCSF displaying the QA Blocks that are available to reserve.
• By the end of the QA Block, HITRUST will have begun QA procedures on the assessment. For assessments in the normal QA workflow, organizations should typically expect to hear from HITRUST within seven to ten business after the end of the QA Block. Failure to hear from HITRUST during the week of your scheduled QA Block does not indicate that QA has not started.
• Prior to booking a reservation, Assessed Entities will need to acknowledge the Cancellation Policy. The Cancellation Policy outlines the date by which the Assessed Entity can make a modification or cancel the reservation without incurring a fee.

Expedited Reservations

HITRUST also offers expedited reservations. Expedited reservations offer access to QA Blocks that may otherwise be at capacity and also includes priority processing of the assessment. Available expedited reservations will be shown within certain QA Blocks. To purchase an expedited reservation, the Assessed Entity will need to contact their Customer Success Manager.

Starting your Reservation

After submitting a Validated Assessment to HITRUST, the Assessed Entity will typically receive confirmation that your assessment was accepted by HITRUST. If the assessment was returned by HITRUST, the Assessed Entity and HITRUST Authorized External Assessor Organization should work together to remediate the assessment and resubmit. If the assessment is not resubmitted and accepted by HITRUST prior to the start of the QA Block, the reservation will be canceled. In order to ensure acceptance of an assessment prior to the start of the QA Block, HITRUST reminds Assessed Entities and External Assessors that they can submit in advance of the ‘Submission Date’ defined in their reservation.

Implementation and Timeline

For any Validated Assessments submitted to HITRUST for processing on or before June 30, 2021, HITRUST will continue to process assessments on a first-come, first-served basis with a priority for Assessed Entities that purchased expedited processing.

On July 1, 2021, the reservation system will be enabled for all HITRUST CSF Validated Assessments that have not previously been submitted to HITRUST. A reservation will be required to be made prior to submission to HITRUST.

Additional Information

A walk-through of the process within MyCSF can be found here, along with anticipated questions and responses.

 Save as PDF

Impacted Policy/Program Name: CSF Assurance Program

Date: July 14, 2020

Advisory Type: Assurance Program Communications

Policy/Program Change Details

HITRUST “CSF Implementation & Assurance Implementation Bulletins” will now be referred to simply as “Assurance Advisories” and will classified into two distinct categories: “Assurance Change Advisories” and “Assurance Quality Advisories.”

“Assurance Change Advisories” will be used to communicate:

• Enhancements to the MyCSF platform which significantly impact the Assurance program.
• Significant modifications to the assessment methodology and assurance program requirements, such as modified assessment documentation requirements.
• Introduction of a new component of the assessment methodology or a program requirement.

“Assurance Quality Advisories” will be used for:

• Clarifying existing assessment methodology components, assurance program requirements, and expectations of assessors and assessed entities based on HITRUST’s experience in performing quality assurance reviews of assessment submissions.
• Highlighting new, emerging, or otherwise noteworthy circumstances that may affect how assessments are conducted under the existing assessment methodology and assurance program requirements.

All advisories will continue to provide a timeline for implementation by both assessed entities and External Assessors.

Rationale

Categorizing advisories by type will provide additional clarity around changes to the Assurance program which impact assessed entities and External Assessors. Furthermore, the creation of “Assurance Quality Advisories” provides a new vehicle to share guidance and clarification regarding existing assessment methodologies and program requirements to the HITRUST community.

Timetable for implementation

Effective for all subsequent Advisories.

Impacted Policy/Program Name

HITRUST CSF Assurance Program

Date

April 15, 2020

Summary

HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the subsequent possible impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance Program, upon which certification is based, incorporates a number of mechanisms to ensure the assurances provided by a HITRUST CSF Validated Report are ‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time a report expires. Therefore, given the extent of degradation in the level of assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF Certification past its two-year anniversary date.

HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.

The HITRUST CSF Bridge Assessment provides an interim solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.

Limitations of Forward-Looking Certifications

HITRUST’s forward-looking HITRUST CSF Certification provides value by providing appropriate assurance that an assessed entity’s scoped control environment will operate as intended over a specific period of time. As control environments and threats inevitably change over time, the assurances gained by an assessment will also lessen over time. This degradation of assurance is anticipated and factored into the HITRUST CSF Assurance Program’s assessment and quality assurance methodologies and underlying risk analysis model. The interim assessment, performed at the one-year anniversary of HITRUST CSF Certification, is designed to help ensure the assurances provided by certification can be reasonably relied upon through its second year up until the point of expiration. A new HITRUST CSF Validated Assessment must then be performed in order to provide reasonable assurances for another two years.

As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its two-year anniversary date and still provide the ‘rely-ability’ fundamental to the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in this regard; few—if any—other forward-looking information assurance mechanisms can be extended for periods greater than two years while still offering the meaningful assurances that stakeholders now expect.

HITRUST CSF Bridge Assessment

HITRUST has subsequently developed an approach that may be useful to some stakeholders under extraordinary circumstances in which a HITRUST CSF Certification holder is unable to complete their next HITRUST CSF Validated Assessment prior to the expiration of their existing HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to demonstrate a continued level of control effectiveness while making progress towards their next HITRUST CSF Validated Assessment.

To mitigate the excessive degradation in assurance that occurs at the end of a HITRUST CSF Certification period, 19 requirement statements will be randomly selected by the HITRUST MyCSF® platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment. This testing will be reviewed in an expedited manner by HITRUST and—barring indications of control degradation, significant changes in the environment, or significant QA issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this certificate, the assessed entity will have 90 days from the expiration date of the previous HITRUST CSF Certification to submit a completed validated assessment to HITRUST.

Important considerations related to HITRUST CSF Bridge Assessments:

• A HITRUST CSF Bridge Assessment object can be created MyCSF at any time in the 60 days prior to the existing HITRUST CSF Certification’s expiration through 30 days after the expiration date of the HITRUST CSF Certification.
• A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
• The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
• HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare providers will be prioritized for QA until further notice.
• HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment submission is two-three weeks.

HITRUST CSF Bridge Certificate

A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST that is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge Certificate adds value in providing a minimal but reasonable level of assurance that the entity’s scoped control environment is unlikely to have degraded materially since the last validated assessment and by indicating that the entity has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.

Other important considerations related to HITRUST CSF Bridge Certificates:

• A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
• A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
• The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from the new HITRUST CSF Certification’s two-year validity period.

Qualification Requirements

To qualify for this, assessed entities:

• Must have an active HITRUST CSF Validated Report with Certification,
• Are likely to miss their validated assessment submission due-date, and
• Haven’t missed that due date by greater than 30 days.

Not all entities holding an active HITRUST CSF Certification will need to perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is designed for missed due date scenarios due to an extant emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a HITRUST CSF Bridge Certificate may afford necessary additional time. However, entities should not assume that HITRUST CSF Bridge Certificates will be universally accepted by business partners and regulators demanding continuous HITRUST CSF Certification status. Entities should consult with their stakeholders and relying parties to determine if a HITRUST CSF Bridge Certificate will be accepted while they await receipt of a new HITRUST CSF Validated Report with Certification.

Timeline

HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While HITRUST reserves the right to terminate this option without notice, we intend to make these assessments available through the calendar year 2020.

Organizations interested in undergoing a HITRUST CSF Bridge Assessment should contact their HITRUST Customer Success Manager and a HITRUST Authorized External Assessor.

More Information

Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.

11/18/2020 Update: HITRUST has determined that the bridge assessment option will remain available until further notice. If this option is terminated, an advisory on the removal of this option will be communicated.

Policy/Program Change Details

HITRUST is making the following changes to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments:

• Adding more than ten additional technical scoping factor questions to better capture inherent risk factors present in the assessed environments and tailor the HITRUST CSF requirements included in assessments accordingly.
• Re-wording the existing technical scoping factor “Is the system(s) accessible by a Third Party?” to further clarify the definition of a third party.
• Removing the “Are Mobile devices used in the environment?” technical scoping factor.
• Adding additional HITRUST CSF requirements to existing technical scoping factors.
• Adding additional information around certain factors as part of the help page.

Additionally, MyCSF will now require an assessed entity to provide a documented rationale for each technical scoping factor answered “No.” This rationale should contain sufficient detail to allow the External Assessor and HITRUST QA to evaluate the “No” answer. These rationales will also appear in the HITRUST CSF Validated Assessment Report.

Rationale

The changes related to MyCSF’s assessment scoping factors will:

• Reduce the number of requirement statements that appear in the assessment when a factor is marked as “No.”
• Reduce the amount of repetitive “This is not applicable because…” responses that are currently documented during assessments and reflected in HITRUST CSF assessment reports. Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.
• Add clarity around the terminology used in assessment scoping factors.

Timetable for implementation
Effective for all new objects created on or after June 1, 2020.

6/1/20 Update:

• The changes described in this advisory are now live in MyCSF’s production environment. Twelve newly added technical scoping factor questions (e.g., “Are hardware tokens used as an authentication method within the scoped environment?”) have been introduced.
• These newly added scoping factor questions only serve to remove / filter requirements from being included in an assessment and do not add any requirements to the assessment. When determining which requirements to include in an assessment object, MyCSF first uses all other scoping information to identify the necessary requirements and THEN removes any requirements associated with the twelve newly added scoping factor questions when these questions are answered as “No”.
• All HITRUST CSF assessments benefit from these newly added questions. Instead of having to explain why similar requirements aren’t applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor doesn’t apply once (at the scoping level). Because of this change, HITRUST anticipates the number of requirements marked as Not Applicable on assessments to drop considerably. As an added benefit, the speed by which HITRUST’s QA takes place will improve as a result of us needing to review fewer requirements marked as Not Applicable.
• HITRUST has made these new scoping factor questions available on all assessment objects, including those created before 6/1/20 so that they may optionally benefit from these newly added scoping factor questions. By default, the newly added questions default to a visible option of “Please choose an option” which is treated by MyCSF as “Yes”. The net effect of defaulting to a “Yes” value is the same as not having the scoping factors present at all: Because these questions are only reductive (never additive), no requirements are added or removed from any previously created assessment object without action from the assessed entity.
• Organizations with previously created assessment objects who wish to take advantage of these newly added scoping factors, and have not yet submitted their assessment to HITRUST, are encouraged to visit the “Admin & Scoping > Factors” page, answer the newly added scoping factor questions (providing the required “No” explanations where necessary), and then press the “Refresh Assessment” button. Requirements linked to any questions answered “No” will then be removed from the assessment object.
• No action is required for Organizations with previously created assessment objects who do not wish to take advantage of these newly added scoping factor questions.

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

• External assessor’s validated assessment fieldwork window (maximum):
  • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
• Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
  • 90 calendar days past the control’s implementation or remediation.
• Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
  • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date of the internal assessor’s fieldwork start date.
• Window during which HITRUST will accept grammatical changes to a draft report:
  • 30 calendar days from issuance of draft report.
• Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
  • 30 calendar days from issuance of draft report.
• Interim assessment object submission due date:
  • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
• Validated assessment object submission due date for re-certification efforts:
  • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
• Duration of MyCSF access for report-only customers:
  • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
• Validity window for the CCSFP certification:
  • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
• Validity window for the CHQP certification:
  • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you keep all stakeholders apprised of the status of your HITRUST efforts.

In light of the recent spread of COVID-19, HITRUST encourages assessors to exercise judgement when planning assessment-related travel. Given that HITRUST assessments take place across the US as well as internationally, we acknowledge that some HITRUST assessments will be affected more than others. Assessors should work closely with their clients to adjust travel plans as deemed necessary. To provide assessors added travel flexibility, HITRUST is waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. This temporary waiver is effective immediately.

In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used.

We will continue to work closely with assessors to monitor the effectiveness of alternative walkthrough and observation approaches and the ongoing necessity of this waiver. An additional advisory will be posted at a later date to reinstate the on-site fieldwork requirement.

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allows “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to place reliance on the work of “Internal Assessors”. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by performing in-house testing in advance of an External Assessors’ validated assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced CCSFPs who are typically positioned within or engaged by an assessed entity’s Internal Audit Department but could be positioned within or engaged by any department meeting specific objectivity requirements, resource qualification requirements, and approval by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency and customer cost savings. This change is expected to bring several benefits to External Assessors and assessed entities. For example:

• Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their External Assessors can be reduced.
• Internal personnel with deep knowledge of the organization’s internal controls (in groups such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
• Assessed entities and their External Assessors now have more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

Timetable for Implementation

Effective upon recognition as Internal Assessor assigned to an organization.

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

HITRUST has historically afforded the following two approaches for “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to rely on the results of previously performed control testing:

1. Inheritance of the results of other HITRUST CSF Assessments, and
2. Reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope, and documentation requirements. External Assessors are encouraged to take particular note of the following new requirements that must be observed when placing reliance on a third-party audit report:

• Both the External Assessor and HITRUST Services Corp. must both be authorized recipients of the third-party audit report. Reliance cannot be placed on third-party audit reports for which neither HITRUST or the External Assessor are authorized to receive.
• When designing a reliance strategy, the External Assessor must map the applicable / scoped HITRUST CSF requirement statements to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and lacks an adequate, demonstrable basis for reliance on the third-party audit report. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

• Help highlight any over-reliance or unwarranted reliance on the work of other auditors and External Assessors.
• Provide needed clarity and transparency around HITRUST’s expectations around timing, scope, and documentation when reliance is placed on the work of others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all required documents were included in the submission. If documents are missing, the submission is reverted back to the assessor for correction. Upon acceptance of a submission, the assessment object is added to the Assurance team’s queue to await full QA procedures. Average acceptance time of the submission process is one to three business days.

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in assessment scoring level determinations, has been overhauled. Key changes include:

• Definitions for assessment terminology, assessment examples and guidance on important concepts have been added.
• Scoring lookup tables have been created for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
• Replacement of qualitative terms such as none, some, and all with quantitative ranges.
• Removal of ambiguous terms such as “management action” and “ad hoc”.

Rationale

The rubric’s has been enhanced to bring improved usability, added clarity, and better harmonization with the assessment guidance provided in HITRUST’s Risk Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at https://hitrustalliance.net/csf-assurance-related-programs/ on or before September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted and accepted on or after December 31, 2019. All validated assessments that are in progress and intend to observe the old scoring rubric must be accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at time of performance of the validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a validated assessment within MyCSF is the first step towards acceptance. After submission, the Assurance team performs certain quality checks; should any of these checks fail, the submission is reverted to the Assessor for remediation. Average acceptance time of a submission to HITRUST is one to three business days.

Since only validated assessments accepted prior to December 31, 2019 will be QA’d by HITRUST in observance of the previous scoring rubric, it is strongly recommended that Assessors work with their customers to ensure submissions in MyCSF are made with enough time to allow for HITRUST acceptance.

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address, the option to override / accept the issue and to provide an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

• Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
• Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
• Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA maturity model are changing. The below graphic shows that the Policy weight is being reduced to 15 points, the Procedure weight is being reduced to 20 points, the Implemented weight is being increased to 40 points, the Measured weight is being reduced to 10 points, and the Managed weight is being increased to 15 points.

Rationale

These updated weights better reflect the value that each maturity level brings to an organization’s risk management stance. For example, the increased weighting of the Implemented level (which is now worth double any other single level) aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to submission to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). Only those individuals holding an active Certified CSF Practitioner (CCSFP) certification are eligible to become a CHQP. This course and test will be available online starting in May 2019.

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources certified as CHQPs. All Validated Assessment submissions on or after August 1, 2019 will be required to have a QA review performed by a CHQP as evidenced by sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019 without proper CHQP involvement will be rejected by HITRUST.

This advisory only applies to the timeline for compliance with the Assessor firm QA reviewer qualification requirement. All other advisories will be enforced according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support of HITRUST validated assessments understand the expectations of the role and can demonstrate this understanding by passing the exam. In addition, it ensures that all Engagement Executives have the required knowledge of the HITRUST CSF and HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim Assessment differs from what has been known as the Interim Review by requiring:

• Full testing of selected control requirements (INCREASED TESTING REQUIREMENT);
• Rescoring of the tested control requirements (NEW);
• Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
• For assess-only reports, full verification that recreated assessment matches assessment used for issuing of the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in August of 2017, Interim Assessments will be performed with the HITRUST MyCSF. There will be an Interim Assessment processing fee of $2,900. The processing fee will be waived for organizations that have an active subscription to the HITRUST MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an Interim Assessment and increase the rigor and oversight by HITRUST; resulting in an increase in assurance level provided by the Interim Assessment and support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about changes to the qualification requirement for Engagement Executives and Assessor Quality Assurance (QA) personnel. It also reiterates the role of the Engagement Lead.

The first change is a requirement for both the Engagement Executive and the Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and either the Engagement Executive or the Quality Assurance Reviewer were required to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST. People in this role will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the CCSFP requirement. Communication will go out once the online course and exam are available.

Attached to this advisory are additional details on the responsibilities of the Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF Assurance Program and are able to perform an effective executive-level review. The requirement for Assessor QA reviewers to complete an online course is to ensure that reviewers understand the expectations of their role and can demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and Engagement Leads

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, there will be a summary table that must be provided that would further clarify what is included and what is not included such that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the assurance process regarding the number of qualified (CCSFP) hours required for validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the HITRUST CSF Assurance Program regarding the performance and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following documentation with all validated assessments:

• Test Plan that covers testing of all required controls. It must meet the minimum test plan requirements documented in the HITRUST CSF Assurance Program Requirements.
• 100% of working papers. They must meet the minimum working paper requirements documented in the HITRUST CSF Assurance Program Requirements. We have attached a copy of the Assurance Program Documentation Requirements to this advisory.
• HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and Assessor QA Resource. The Quality Checklist can be found in the HITRUST MyCSF and should always be downloaded from the HITRUST MyCSF to ensure use of the latest version. We have also attached a copy to this advisory.

Rationale

This change is to ensure the consistency and quality of assessment documentation, ensure compliance with the HITRUST Assurance Program requirements, and make the HITRUST QA process more efficient. The HITRUST Authorized External Assessor’s QA process should identify and address most issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

HITRUST CSF Assurance Program Documentation Requirements

HITRUST Authorized External Assessor Quality Checklist

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

• For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
• For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
• For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements are being modified:

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.
[/block_save_as_pdf_pdfcrowd]

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

• External assessor’s validated assessment fieldwork window (maximum):
  • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
• Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
  • 90 calendar days past the control’s implementation or remediation.
• Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
  • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date of the internal assessor’s fieldwork start date.
• Window during which HITRUST will accept grammatical changes to a draft report:
  • 30 calendar days from issuance of draft report.
• Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
  • 30 calendar days from issuance of draft report.
• Interim assessment object submission due date:
  • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
• Validated assessment object submission due date for re-certification efforts:
  • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
• Duration of MyCSF access for report-only customers:
  • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
• Validity window for the CCSFP certification:
  • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
• Validity window for the CHQP certification:
  • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you keep all stakeholders apprised of the status of your HITRUST efforts.

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address, the option to override / accept the issue and to provide an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

• Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
• Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
• Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, there will be a summary table that must be provided that would further clarify what is included and what is not included such that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance