Assurance Advisories

HITRUST Assurance Advisories are communications that notify HITRUST CSF Assurance Program stakeholders of enhancements, changes, and/or provide additional guidance regarding the HITRUST CSF Assurance Program Requirements and supporting methodologies and tools. All Assurance Advisories contain important information regarding adoption requirements, scope, and timing, which can impact HITRUST CSF Assurance Program stakeholders.

All HITRUST CSF Assurance Program stakeholders should review each Assurance Advisory to understand the potential impact on them.


Summary of HITRUST Assurance Advisories 2021

HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview

Several changes have been introduced to the contents and format of the CSF Validated Assessment Reports and Readiness Assessment Report in order to:

  • Streamline the presentation of information
  • More clearly present assessment scope
  • Accommodate changes to the format of organization and scoping information introduced in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

The changes to the HITRUST CSF Validated Assessment and Readiness Assessment Reports are being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:


HITRUST CSF Validated Assessment Report

The updates to the HITRUST CSF Validated Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Report to view a sample report.

| Legacy Report Section | New Report Section | Summary of Change(s) |
|---|---|---|
| 1. HITRUST Background | 1. HITRUST Background | No changes |
| 2. Letter of Certification or Validation | 2. Letter of Certification or Validation | No changes |
| 3. Representation Letter from Management | 3. Representation Letter from Management | No changes |
| 4. Assessment Context | 4. Assessment Context | This section has been streamlined with certain content being removed. See Assessment Context below for more details. |
| 5. Scope of Systems in the Assessment | 5. Scope of Systems in the Assessment | The format of scope information has been updated for clarity. The Overview of the Security Organization from the legacy section “6. Security Program Analysis” is now included in section “5. Scope of the Assessment”. See Scope of the Assessment below for more details. |
| 6. Security Program Analysis | None | Section removed. See Removal of Security Program Analysis below for more details. |
| None | 6. Procedures Performed by the External Assessor | This new section describes the procedures performed by the External Assessor and outlines any instances in which the External Assessor has relied upon the work of others through Inheritance or Reliance. See Procedures Performed by the External Assessor below for more details. |
| 7. Assessment Results | 7. Assessment Results | No changes |
| 8. PRISMA Control Maturity Model Overview | 8. PRISMA Control Maturity Model Overview | No changes |
| 9. Controls by Assessment Domain | 9. Controls by Assessment Domain | No changes |
| Appendix A – Testing Summary | None | Section removed. See Removal of Appendix A – Testing Summary below for more details. |
| Appendix B – Corrective Action Plans Required for Certification | Appendix A – Corrective Action Plans Required for Certification | No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”. |
| Appendix C – Additional Gaps Identified | Appendix B – Additional Gaps Identified | No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”. |
| Appendix D – Assessment Results | Appendix C – Assessment Results | No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”. |

HITRUST CSF Validated Assessment Letter with Scope

The updates to the HITRUST CSF Validated Assessment Letter with Scope are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Letter with Scope to view a sample report.

| Legacy Report Section | New Report Section | Summary of Change(s) |
|---|---|---|
| Letter of Certification or Validation | Letter of Certification or Validation | No changes |
| Assessment Context | Assessment Context | This section has been streamlined with certain content being removed. See Assessment Context below for more details. |
| Scope of Systems in the Assessment | Scope of the Assessment | The format of scope information has been updated for clarity. See Scope of the Assessment below for more details. |

HITRUST CSF Readiness Assessment Report

The updates to the HITRUST CSF Readiness Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Readiness Assessment Report to view a sample report.

| Legacy Report Section | New Report Section | Summary of Change(s) |
|---|---|---|
| 1. HITRUST Background | 1. HITRUST Background | No changes |
| 2. Letter of Readiness Assessment | 2. Letter of Readiness Assessment | No changes |
| 3. Representation Letter from Management | 3. Representation Letter from Management | No changes |
| 4. Assessment Context | 4. Assessment Context | This section has been streamlined with certain content being removed. See Assessment Context below for more details. |
| 5. PRISMA Control Maturity Model Overview | 5. PRISMA Control Maturity Model Overview | No changes |
| 6. Controls by Assessment Domain | 9. Controls by Assessment Domain | No changes |
| Appendix A – Corrective Action Plans Required for Certification | Appendix A – Corrective Action Plans Required for Certification | No changes |
| Appendix B – Additional Gaps Identified | Appendix B – Additional Gaps Identified | No changes |

Assessment Context

The Assessment Context section of the HITRUST CSF Validated Assessment Report, HITRUST CSF Validated Assessment Letter with Scope, and HITRUST CSF Readiness Assessment Report has been updated to remove the following content:

  • Organization Name and Mailing Address have been removed because this information is also included in the Letter of Certification or Validation section of the reports and letter.
  • Contact Name, Job Title, and Email Address have been removed as relying parties typically already have a point of contact at the Assessed Entity.
  • Company Background has been removed because this information is already included in the Scope of Systems in the Assessment section.
  • Number of Employees has been removed because it was not a tailoring question used to derive the Assessed Entity’s customized set of HITRUST CSF requirements.

Scope of the Assessment

The Scope of Systems in the Assessment section of the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope has been redesigned to more clearly communicate the scope of the assessment. The updates to this section also reflect the introduction of Webforms, which replaced the legacy Organizational Overview and Scope document. For more information related to the Organization Information and Scope of the Assessment Webforms, see HAA 2021-009: HITRUST MyCSF Enhancements – Webforms.

The Scope of Systems in the Assessment section now contains the following subsections:

  • Company Background: The Company Background is populated with the contents of the Organization/Company Background field of the Organization Information Webform within MyCSF. This section may include information that would have previously been included within the legacy Organization and Industry Segment Overview and Services / Products Provided subsections.
  • In-scope Platforms and Facilities: The In-scope Platforms and Facilities is populated with the contents of the Platforms/Systems table and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the in-scope platforms/systems that would have previously been included within the legacy Scope Overview subsection.
  • Services Outsourced: The Services Outsourced is populated with the contents of the Services Outsourced for In Scope Platforms and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the same information as the legacy Services Outsourced subsection, but in a tabular format for clarity.
  • Overview of the Security Organization: The Overview of the Security Organization is populated with the contents of the field of the same name in the Organization Information Webform within MyCSF. This section includes information that would have previously been included within the legacy HITRUST CSF Validated Assessment Report section Security Program Analysis.

The subsections of the legacy Scope of Systems in the Assessment section that have been removed from the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope are:

  • Primary Systems: The Primary Systems subsection has been removed because this information now appears in the In-scope Platforms and Facilities subsection.
  • Scope Diagram: The optional Scope Diagram has been removed because the information typically displayed in the diagram will now be included in the In-Scope Platforms and Facilities subsection.

Removal of Security Program Analysis

The legacy Security Program Analysis section of the HITRUST CSF Validated Assessment Report has been removed. The subsections of the legacy Security Program Analysis section have been moved to other sections of the report or removed as follows:

  • Overview of the Security Organization: The Overview of the Security Organization has been moved to the Scope of the Assessment section.
  • Types of Security Tools Deployed: The list of security tools deployed has been removed from the HITRUST CSF Validated Assessment Report as it is not needed by readers of the report.
  • Third-Party Assessments: Any attestation reports issued by a third party that are utilized during the External Assessor’s validation procedures through external inheritance or reliance are now captured in MyCSF within the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms). The contents of that webform are included in the new Procedures Performed by the External Assessor section of the HITRUST CSF Validated Assessment Report.

Procedures Performed by the External Assessor

The Procedures Performed by the External Assessor section has been added to the HITRUST CSF Validated Assessment Report. This section contains a description of the procedures performed by the External Assessor to validate the Assessed Entity’s asserted control maturity scores. This section also includes a table outlining all attestation reports issued by third parties that were utilized by the External Assessor in lieu of direct testing. The table is populated from the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms).

Removal of Appendix A – Testing Summary

The legacy Appendix A – Testing Summary of the HITRUST CSF Validated Assessment Report has been removed. The External Assessor will no longer be required to provide the lists of documentation reviewed, interviews conducted, and technical testing performed. Instead, the Procedures Performed by the External Assessor section now includes a standard description of the types of procedures that the assessor may have performed, which include:

  • Inquiry with key personnel
  • Inspection of system-generated access listings, logs, configuration settings, sample items and/or evidence
  • On-site observations
  • Reperformance of procedures performed by customer personnel

Implementation

HITRUST CSF Validated Assessment

These report updates will affect HITRUST CSF Validated Assessment Reports and HITRUST CSF Validated Assessment Letters with Scope for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all of the following criteria on February 15, 2022:

  • Assessment has not previously been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state
  • No Assessment Domains have been submitted to the External Assessor for review

The HITRUST CSF Letter (without scope) and HITRUST CSF NIST Reports are not affected by the changes described in this advisory.

HITRUST CSF Readiness Assessments

These report updates will affect HITRUST CSF Readiness Assessment Reports for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all of the following criteria on February 15, 2022:

  • Assessment has never been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

Interim Letters and Bridge Certificates are not affected by the changes described in this advisory.

Additional Resources

Sample – HITRUST CSF Validated Assessment Report
Sample – HITRUST CSF Validated Assessment Letter with Scope
Sample – HITRUST CSF Readiness Assessment Report


HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview

Tasks in MyCSF give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to track and respond to questions and follow-up items from HITRUST during assessment check-in and QA. Each task contains an action item for the Assessed Entity or External Assessor resulting from the check-in or QA review of the assessment by HITRUST.

Some benefits of tasks in MyCSF include:

  • Eliminates email communication from QA Analyst to Assessed Entity or External Assessor
  • Automates notifications to Assessed Entity or External Assessor when tasks are created
  • Clearly outlines (through individualized action items) what is needed to complete QA, including which party is responsible for completion
  • Better tracking of open items that need to be addressed by either Assessed Entity or External Assessor to complete QA
  • Better visibility on how long QA items have been open and the state the assessment is in
  • Ability to categorize tasks for trending analysis and the ability for HITRUST to provide more meaningful feedback to assessor firms

Task functionality is being introduced into MyCSF as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

Tasks During Check-in

When HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments are submitted to HITRUST, they enter the Performing Check-In phase in which HITRUST performs automated QA checks and a high-level review of the assessment. Refer to HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows for more information related to the Check-In phase.

For Validated Assessments, when the check-in review identifies a small number of potential issues, typically related to the required documents and webforms (e.g. Organization Information, Scope of the Assessment, Factors, VRA, Management Representation Letter, Test Plans, External Assessor Time Sheet, QA Checklist, and Audits and Assessments Utilized), HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST and the QA review will begin during the reserved QA Block.

For Validated Assessments, when the check-in review identifies a larger number of potential issues, rather than creating Check-In tasks, HITRUST reverts the assessment back to the Performing Validation phase and supplies the External Assessor and Assessed Entity with a set of pre-QA quality recommendations to address the potential issues identified. For more information, refer to the Performing Check-In section of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.

For Interim and Bridge Assessments, when questions arise during the check-in review, HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST and enter a queue to await the QA review.

For Readiness Assessments, when the check-in review identifies an error with the Management Representation Letter, HITRUST will create a Check-In Task for the Management Representation Letter to be corrected. After the Check-In Task has been resolved by the Assessed Entity, the assessment will be accepted by HITRUST and HITRUST will prepare the draft report.

Tasks During QA

HITRUST CSF Validated, Interim, and Bridge Assessments undergo a Quality Assurance Review performed by a HITRUST QA Analyst.

As the QA Analyst performs their review of the assessment, they will create QA Tasks for the External Assessor and Assessed Entity to address. All Assessed Entity and External Assessor users with access to the assessment in MyCSF will have access to view all tasks created within an assessment and may edit the Tasks assigned to their group.

Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. However, if the QA review identifies more significant QA concerns than normal, rather than creating tasks, HITRUST will provide the External Assessor with a workbook outlining the QA concerns, communicate via email to the External Assessor and Assessed Entity, and will meet with the External Assessor to review those concerns to bring them to resolution.

Task Management View

[Image: Assessment Task Management page]

Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment will contain an Assessment Task Management page that can be accessed by clicking Tasks in the left navigation bar within an assessment. The Assessment Task Management page is where Check-In and QA Tasks for a particular assessment can be addressed and where the status of open and pending tasks can be tracked.

When the Assessment Task Management page is accessed by an Assessed Entity or External Assessor user, the My Task Queue displays all open tasks assigned to the user’s group. For a listing of all tasks within the assessment, the All Tasks tab may be viewed by any user.

The My Task Queue and All Tasks tabs contain the following task information:

  • Assessment Task Number: The unique identifier assigned to the task
  • Name: The name of the task
  • Organization Name: The Assessed Entity organization name
  • Assessment Name: The name of the Assessment that the task is for
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
  • Type: The type of task (General or Proposed; see the Types of Tasks section below for the details of each task type)
  • Date Opened: The date that HITRUST initially opened the task
  • Date Assigned: The date the task was assigned to the group to which it is currently assigned
  • Days Assigned: The number of days since the task was last assigned to its current group
  • Date Completed: The date that HITRUST closed the task
  • Status: The status of the task (Open, Pending, or Closed)
    • Open: The task is assigned to the Assessed Entity or External Assessor awaiting a response.
    • Pending: The Assessed Entity or External Assessor has responded to the task and the task is awaiting review by the Check-in or QA Analyst.
    • Closed: The HITRUST Check-in or QA Analyst agrees that the task has been addressed and can be considered complete.

The Assessment Task Management page also contains a pie chart displaying the number of open and pending tasks assigned to each group, as well as a banner indicating whether there are any requirement statements or CAPs within the assessment that require attention due to a change made via a task.

In addition to the assessment-specific Task Management page, Assessed Entity and External Assessor users may access a global Task Management page from the top navigation bar of MyCSF to view tasks within all assessments to which the user has access. When accessing either the global Task Management page or an assessment-specific Task Management page, the user may sort and filter the tasks displayed based on the task type, current assigned group, status, and more. Additionally, users have the option to download a .CSV file containing task information.

Additional information related to the status of tasks and other open items may be accessed via the Assessment Details View (see HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards for details).

Types of Tasks

During Check-in and QA, two types of tasks may be created: General Tasks and Proposed Tasks.

General Tasks

A general task opens a screen or a field to be edited by the Assessed Entity or External Assessor.

For example, a general task could allow the:

  • Assessed Entity to edit the Organization Information or the Scope of the Assessment Webform.
  • External Assessor or Assessed Entity to edit the Audit and Assessments Utilized Webform.
  • Assessed Entity to edit the Representation Letter Webform.
  • Assessed Entity to edit the Validated Report Agreement Webform.
  • Assessed Entity to update a CAP (Corrective Action Plan) response.
  • Assessed Entity to edit a Not Applicable rationale.
  • External Assessor to edit document linkages for a requirement statement.

Within a general task, the Assessed Entity and External Assessor will see the following:

  • Assessment Task Number: The unique identifier assigned to the task
  • Description: A description of the task
  • Name: The name of the task
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
  • Created: The date that HITRUST initially opened the task
  • Last Assigned: The date that the task was assigned to the group to which it is currently assigned
  • Status: The status of the task (Open, Pending, or Closed)
  • Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.)
  • Field to be Updated: When the assessment field that the task pertains to can be updated within the task itself, the field name and its current value are present within the task. If an assessment field is not present within the task, the Assessment Location link can be used to navigate to the area of the assessment to which the task pertains and make the requested update there.
  • HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task
  • New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task.
  • History: A log of the creation and assignment changes of the task, as well as any changes to assessment fields made within the task

During Check-In and QA, HITRUST will initially assign all general tasks to the External Assessor. This allows the External Assessor to review each general task and take one of the following next steps:

  • Address the task: When the general task includes a request from HITRUST to update document linkages, Test Plans, the External Assessor Time Sheet, or the Audits and Assessments Utilized Webform, the External Assessor may address the task by making the requested update on the relevant assessment page. After making the requested update, the External Assessor should leave a comment within the task to state the update that was made and should send the task back to HITRUST.
  • Leave a comment within the task and send it back to HITRUST: If the External Assessor would like to respond to the task by leaving a comment or question for the Check-in or QA Analyst, the External Assessor may enter their comment within the task and send the task back to HITRUST. Some examples for when this option may be used are:
    • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the External Assessor may answer the question by leaving a comment within the task and sending the task to HITRUST.
    • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not understand the request or has a question related to the request. In this case, the External Assessor may leave their question as a comment within the task and send the task to HITRUST.
    • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not agree with the request. In this case, the External Assessor may leave a comment within the task to explain their disagreement and send the task to HITRUST.
  • Send the task to the Assessed Entity to be addressed: When the general task is a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the general task should be sent to the Assessed Entity.

When the External Assessor has assigned a general task to the Assessed Entity, the Assessed Entity may take one of the following next steps:

  • Leave a comment within the task and send it back to the External Assessor: If the Assessed Entity would like to respond to the task by leaving a comment or question for the External Assessor or the HITRUST Check-in or QA Analyst, the Assessed Entity may enter their comment within the task and send the task back to the External Assessor. Some examples for when this option may be used are:
    • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the Assessed Entity may answer the question by leaving a comment within the task and sending the task to the External Assessor.
    • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not understand the request or has a question related to the request. In this case, the Assessed Entity may leave their question for the External Assessor or HITRUST as a comment within the task and send the task to the External Assessor.
    • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not agree with the request. In this case, the Assessed Entity may leave a comment within the task to explain their disagreement and send the task to the External Assessor.
  • Address the task: When the general task includes a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the Assessed Entity may address the task by making the requested update. Depending on the instructions within the task, the requested update will either be made within the task itself or on the relevant page of the assessment. After addressing the task, the Assessed Entity should leave a comment within the task to state the update that was made and should send the task back to the External Assessor.

General tasks may be sent back and forth between the Assessed Entity and External Assessor as many times as needed for the task to be addressed. When the task has been addressed, the External Assessor should send the task to HITRUST. After the general task has been sent back to HITRUST by the External Assessor, HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to explain any additional action needed and send the task back to the External Assessor.

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a general task may generate additional requirement statements or CAPs that must be addressed before Check-in or QA is completed. (For more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.) When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA:

  • When a requirement statement score is updated through a general task, the requirement statement will have a status of External Assessor Review Pending to allow the External Assessor to review and thumb up the updated score and link documents as needed.
  • When a requirement statement score is lowered through a general task, after the External Assessor has reviewed and thumbed up the score, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP.

Proposed Tasks

A proposed task allows HITRUST to propose a specific value for a field. For this type of task, the Assessed Entity or External Assessor can only apply the value proposed by HITRUST and cannot change any other fields within MyCSF.

For example, a proposed task can be used to change a:

  • Technical Factor answer from ‘No’ to ‘Yes’ or vice versa.
  • Geographical Factor answer from drop-down menu options.
  • Requirement that has been scored as Not Applicable.
  • Maturity level score to a specific proposed value.

Within a proposed task, the Assessed Entity and External Assessor will see the following:

  • Assessment Task Number: The unique identifier assigned to the task
  • Description: A description of the task
  • Name: The name of the task
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST)
  • Created: The date that HITRUST initially opened the task
  • Last Assigned: The date that the task was assigned to the group to which it is currently assigned
  • Status: The status of the task (Open, Pending, or Closed)
  • Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.).
  • Field to be Updated: The name of the assessment field that the proposed change is for, as well as its current value and proposed value
  • HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task
  • New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task.
  • History: A log of the creation and assignment changes of the task as well as any changes to assessment fields made within the task.

During Check-In and QA, HITRUST will initially assign all proposed tasks to the External Assessor. This allows the External Assessor to review each proposed task and take one of the following next steps:

  • Apply the Proposed Change: The External Assessor may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. The External Assessor is expected to discuss any proposed changes with the Assessed Entity prior to applying them. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline whether a factor response or requirement statement score was changed, the email address of the individual who applied the proposed change, and whether there is a new requirement statement or CAP to be addressed.
  • Reject the Proposed Change: If the External Assessor does not agree with the proposed change, the External Assessor may reject the proposed change. When rejecting the proposed change, the External Assessor is required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST.
  • Send the task to the Assessed Entity to be addressed: If the External Assessor would like the Assessed Entity to review the task and make the decision to either apply or reject the proposed change, the External Assessor may send the task to the Assessed Entity.

When the External Assessor has assigned a proposed task to the Assessed Entity, the Assessed Entity may take one of the following steps:

  • Apply the Proposed Change: The Assessed Entity may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline: whether a factor response or requirement statement score was changed; the email address of the individual who applied the proposed change; and whether there is a new requirement statement or CAP to be addressed.
  • Reject the Proposed Change: If the Assessed Entity does not agree with the proposed change, the Assessed Entity may reject the proposed change. When rejecting the proposed change, the Assessed Entity will be required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST.

When the proposed task has been either applied or rejected by the Assessed Entity or the External Assessor, it will be automatically sent back to HITRUST. HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to provide additional explanation or answer a question and send the task back to the External Assessor. If a proposed task has been rejected and a different change needs to be proposed, HITRUST will create a new proposed task. Additionally, if any new issues are identified during check-in or QA, a new proposed task will be created.

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a proposed task may generate additional requirement statements or CAPs that must be addressed before QA is completed (for more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows). When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA:

  • When a factor response is updated through a proposed task, additional requirement statements may be added to the assessment with the status Response Needed for New Statement, allowing the Assessed Entity to score the requirement statement and the External Assessor to then review it and link documents.
  • When a requirement statement score is lowered through a proposed task, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP.

Notification of Check-in and QA Tasks

Throughout the Check-in and QA processes, the Assessed Entity and External Assessors assigned to the assessment will receive email and MyCSF notifications each time that the assessment changes phase. Those notifications include information related to tasks and other open items. For more information see HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.

Assessed Entities and External Assessors will also receive two summary emails for assessments that are undergoing Check-In and QA. The two additional email notifications are:

  • Open Item Summary: A summary of all open items (tasks, requirement statements, and PQIs) assigned to the Assessed Entity, External Assessor, and HITRUST for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received weekly by default. However, users have the option to set their email preferences to receive it daily.
  • New Item Summary: A summary of all new items (tasks, requirement statements, and PQIs) assigned to the user for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received daily by default. However, users have the option to set their email preferences to receive it hourly, daily, weekly, or never.

For instructions on configuring the frequency of these summary emails please see Summary Email Preferences.

Implementation

HITRUST CSF Validated Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all the following criteria on February 15, 2022:

  • Assessment has not previously been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state
  • No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

Tasks will be utilized during the Check-In Review for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all the following criteria on February 15, 2022:

  • Assessment has never been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state

Additional Resources

A video walk-through of the process for responding to tasks will be published no later than February 1, 2022.


HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview

New webforms are being introduced into MyCSF assessments as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts build upon each other:

The new webforms give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to enter organization and scope information directly into MyCSF; electronically sign key documents; and easily request draft report revisions.

Benefits of these newly added webforms:

  • Streamlines MyCSF data entry to prevent redundancy and clarify assessment scope.
  • Eliminates risk of uploading incomplete offline documents and unreadable scanned images.
  • Introduces new quality check automation and tool tips that provide real time feedback to help avoid common scoping issues.
  • Streamlines presentation of scope in a tabular format inclusive of in-scope platforms and facilities.
  • Clarifies association between platforms and their residing facilities.
  • Simplifies identification of relevant third-party service providers.
  • Introduces ability for Assessed Entities to specify draft report revisions and clearly track HITRUST responses to revision requests.

Summary of Changes

The introduction of webforms eliminates the need for the Assessed Entity and External Assessor to populate and upload the following offline templates: Organizational Overview & Scope document, Management Representation Letter, Validated Report Agreement, and QA Checklist.

The Organizational Overview and Scope document will no longer be utilized. The organization and scoping information previously included within the Organizational Overview and Scope document will now be entered into MyCSF via webforms as follows:

Legacy Organizational Overview & Scope Document Section | Webform
Organization and Industry Segment Overview | Organization Information
Overview of the Security Organization | Organization Information
Primary Systems | Scope of the Assessment
Outsourced Services | Scope of the Assessment
Scope Overview | Scope of the Assessment
Scope Description | Scope of the Assessment
Third-Party Assessments | Audits and Assessments Utilized

The Management Representation Letter, Validated Report Agreement, and QA Checklist are integrated into MyCSF, providing the Assessed Entity and External Assessor the ability to sign the documents electronically.

Additionally, the draft report revision request form has been updated to include new input fields that allow the Assessed Entity to clearly identify each revision request.

Organization Information Webform

The Organization Information section for HITRUST CSF Validated and Readiness assessments has been redesigned to serve as the primary location for entering background information about the Assessed Entity and their security organization, as well as their contact information and mailing address.

To prevent redundancy, the Organization/Company Background and Overview of the Security Organization (previously provided in both MyCSF and the offline Organizational Overview and Scope document) will now be provided only through completion of the Organizational Information webform in MyCSF. The Organization Information webform contains guidance and tips to aid the Assessed Entity in providing appropriate content for the Organization/Company Background and Overview of the Security Organization fields.

For more information, see the instructions for completing the Organization Information webform in Pre-Assessment Webforms. To view an example of the Organization Information webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

Scope of the Assessment Webform

For HITRUST CSF Validated and Readiness assessments, the new Scope of the Assessment section of MyCSF streamlines the existing Systems and Facilities tables into a single webform that the Assessed Entity is now required to complete. The webform also includes a section for identifying outsourced service providers in tabular format, which replaces the free text field labeled “List any IT or security services outsourced and the third party(ies) involved” that was previously included on the Organization Information page.

Prior to the introduction of webforms, the Assessed Entity was required to identify the in-scope systems, facilities, and outsourced services within the offline Organizational Overview and Scope document, in addition to (optionally) identifying the in-scope systems and facilities within the Systems and Facilities table in MyCSF. For Validated and Readiness Assessments with webforms enabled, the offline Organizational Overview and Scope document is retired and the new Scope of the Assessment webform becomes the primary location for defining the platforms/systems, facilities, and outsourced services for the in-scope environment.

For more information, see the instructions for completing the Scope of the Assessment webform in Pre-Assessment Webforms. To view an example of the Scope of the Assessment webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

QA Checklist Webform

The QA Checklist for HITRUST CSF Validated Assessments (previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer) has been digitally integrated into MyCSF.

Prior to signing the QA Checklist webform, the Engagement Executive and QA Reviewer must be assigned by an External Assessor via a drop-down menu on the assessment’s Name & Security page. Each drop-down will contain a list of all External Assessors with access to the assessment. The user making the assignments must select an individual holding a CCSFP certification for Engagement Executive and an individual holding a CHQP certification for QA Reviewer.

The QA Checklist webform introduces several business rules that eliminate incomplete submissions and errors and reduce the risk of uploading unreadable scanned images.

  • To ensure that the correct individuals sign each QA Checklist webform item, only assigned Engagement Executives and QA Reviewers can sign the QA Checklist webform. Further, the Engagement Executive and QA Reviewer can only sign those items on the QA Checklist that apply to their role.
  • MyCSF restricts the ability to sign off on the QA Checklist webform until the Test Plan has been uploaded and the External Assessor Time Sheet has been completed.
  • MyCSF prevents completion of the assessment’s Performing Validation phase until each item on the QA Checklist webform has been verified by the appropriate individual. For visibility, all External Assessors with access to the assessment will have the ability to view the QA Checklist webform.

Audits and Assessments Utilized Webform

The Audits and Assessments Utilized webform is a new, required MyCSF webform for HITRUST CSF Validated Assessments. The Audits and Assessments Utilized webform is completed by the Assessed Entity and External Assessor to document reliance placed on the work of others through either the usage of the external inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. This new webform replaces the Third-Party Assessment section of the offline Organizational Overview and Scope document.

The Audits and Assessments Utilized webform should be used to identify where the External Assessor relied upon a third-party attestation report or used external inheritance during the assessment. For example:

  • Scenario A: If an in-scope platform is hosted by a public cloud provider and the External Assessor used external inheritance on certain physical security requirements that were the responsibility of the cloud service provider, the cloud service provider’s inherited HITRUST CSF assessment will automatically be identified in this webform.
  • Scenario B: If a relevant managed IT services provider’s third-party attestation report (e.g., SOC 2 Type II) is relied upon by the External Assessor to reflect the service provider’s performance of one or more HITRUST CSF requirements, the managed IT services provider’s third-party attestation report should be described in this webform.
  • Scenario C: If the External Assessor directly tests certain requirements owned by the Assessed Entity’s colocation provider instead of using external inheritance or reliance on a third-party-issued attestation report, that colocation provider would not need to be discussed in the Audits and Assessments Utilized webform (as no third-party audit or assessment report associated with the colocation provider was used). However, the colocation provider would still need to be identified in the Scope of the Assessment webform described above, which lists outsourced service providers.

The two possible utilization approaches that determine how the Audits and Assessments Utilized webform is populated are Inheritance and Reliance.

  • Inheritance: When external inheritance is applied to a requirement statement by the Assessed Entity, MyCSF automatically adds the associated HITRUST CSF assessment that was externally inherited and populates that HITRUST CSF assessment’s details into the Audits and Assessments Utilized webform (including the assessment name, type, report date, and assessment domains for which external inheritance was utilized). The External Assessor will be required to complete the assessed organization name field and map the inherited HITRUST CSF assessment to related in-scope platforms and facilities within the Audits and Assessments Utilized webform.
  • Reliance: For any third-party attestation reports being relied upon, the External Assessor or Assessed Entity (depending on who uploaded the document) must tag the report within the Documents repository or within the requirement statement (if uploading the document within a particular requirement statement) by checking the box labeled “Is this an attestation report issued by a third party?” After tagging the document as an attestation report issued by a third party, the External Assessor or Assessed Entity populates the report details, including assessed organization, report type, and report dates. The External Assessor or Assessed Entity must then map the utilized third-party attestation report to the related in-scope platforms and facilities within the Audits and Assessments Utilized webform.

If the offline assessment template is utilized, the External Assessor or Assessed Entity may tag documents as attestation reports issued by a third party by selecting “Yes” in the “Third Party Report?” column within the Documents tab of the offline assessment workbook. After uploading the offline assessment, the External Assessor or Assessed Entity must enter the assessed organization, report type, and report dates within the Audits and Assessments Utilized webform. Finally, the External Assessor or Assessed Entity must map the utilized third-party attestation report to the in-scope Platforms and Facilities that are supported by the relied-upon assessment within the Audits and Assessments Utilized webform.

For more detailed instructions, see Audits and Assessments Utilized Webform. To view an example of the Audits and Assessments Utilized webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.

Management Representation Letter Webform

The Management Representation Letter (Rep Letter) for HITRUST CSF Validated and Readiness Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.

The Rep Letter webform in MyCSF is completed by the Assessed Entity after the External Assessor team’s fieldwork period has ended and the External Assessor Time Sheet has been completed. The Assessed Entity completes the Rep Letter webform by:

  • Setting the Rep Letter date on or within two weeks following the end date of the External Assessor’s fieldwork period on the External Assessor Time Sheet.
  • Entering the name, job title, and email address of the individual who will sign the Rep Letter.
  • Uploading the organization’s logo.

Once the webform is complete, a request to electronically sign the Rep Letter is sent to the designated management representative for signature via electronic signature workflow. The signer of the Rep Letter may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. Once signed, the Rep Letter will automatically be loaded into MyCSF and emailed to the individual who signed it.

Validated Report Agreement Webform

The Validated Report Agreement (VRA) for HITRUST CSF Validated Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.

The VRA webform can be completed by the Assessed Entity at any time, and in any phase, prior to submitting the assessment to HITRUST. The Assessed Entity completes the VRA webform by:

  • Entering the name, job title, and email address of the individual who will sign the VRA.
  • Entering the address of the organization.

Once the webform is populated with the required information, a request to electronically sign the VRA is sent to the designated individual. The signer of the VRA may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. After being signed by the Assessed Entity, the VRA is automatically routed to HITRUST for electronic signature. The Assessed Entity and External Assessor should allow up to one business day for the VRA to be signed by HITRUST. The Assessed Entity may contact their HITRUST Customer Success Manager or sales@hitrustalliance.net with any questions related to signing of the VRA.

Once signed by both parties, the VRA automatically will be loaded into MyCSF (within one hour) and emailed to the individuals who signed it. At that time, a green checkmark will appear next to the link to the Validated Report Agreement on the left navigation bar of MyCSF to indicate that the agreement has been fully signed.

MyCSF requires that the VRA is signed by both parties — the Assessed Entity and HITRUST — prior to the assessment being submitted to HITRUST. For that reason, ensure that the VRA is sent for signature with enough time for both parties to sign the agreement prior to the assessment’s planned submission date.

Draft Report Revision Request Webform

The process to submit and manage draft report revision requests for HITRUST CSF Validated and Readiness Assessments has been transformed into an interactive process using webforms. The updated Revision Request webform includes new input fields that allow the Assessed Entity to clearly identify each revision request. For each revision request, the Assessed Entity must indicate:

  • Location of the requested revision identified by the report, section, and page number
  • Current text present in the report to be revised
  • Proposed text for the revision

After adding all revision requests to the webform, the Assessed Entity submits the requests to HITRUST. As the HITRUST QA Analyst reviews each revision request, the status of each request will be identified as Not Started, Completed, or Not Accepted. For any requests Not Accepted by HITRUST, the QA Analyst will provide an explanation within the “Rationale” section of the webform.

Once HITRUST addresses all revision requests, the Assessed Entity is notified and may either request additional revisions or approve the draft report via the “Approve HITRUST CSF Draft Report” button. The approval process in MyCSF has not changed.

For more detailed instructions, see Draft Report Revision Requests.

Implementation

HITRUST CSF Validated Assessments

All updates discussed above will be automatically enabled for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all of the following criteria on February 15, 2022:

  • Assessment has not previously been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state
  • No Assessment Domains have been submitted to the External Assessor for review

HITRUST CSF Readiness Assessments

Updates to the Organization Information, Scope of the Assessment, Representation Letter, and Draft Report Revision Requests will be automatically enabled for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all of the following criteria on February 15, 2022:

  • Assessment has never been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

The new webforms do not impact Interim and Bridge assessments.

Additional Resources

FAQs: Webforms
Pre-Assessment Webforms
Audits and Assessments Utilized Webform
Draft Report Revision Requests


HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview

This enhancement to MyCSF introduces several status dashboards to provide transparency regarding assessment statuses, open action items and their ownership, and next steps in the assessment workflow. These dashboards include:

  • Kanban View: A Kanban-style board that displays HITRUST CSF Validated Assessments as they move through each phase of the Validated Assessment Workflow. The board includes key details of each Validated Assessment, including:
    • Colored circle badges depicting the parties responsible for action items
    • Summary of open items per organization
    • Time elapsed in current phase
    • HITRUST-assigned point of contact
  • Matrix View: A spreadsheet-style view that displays the date the HITRUST CSF Validated Assessment entered each phase of the Validated Assessment Workflow, as well as the number of days the assessment has been in each phase.
  • Assessment Details View: A dashboard of assessment metadata and status information, including:
    • Key dates along the assessment timeline
    • Open items assigned to the Assessed Entity, External Assessor, and HITRUST
    • Assessment scope

Status dashboards are being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

Kanban View

image of Kanban view

The Kanban View, which can be accessed from the ‘Views’ page of MyCSF, visually depicts HITRUST CSF Validated Assessments as they move through the phases of the new Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows. The Kanban View contains a column for each phase of the Validated Assessment Workflow, and each accessible Validated Assessment is displayed as a card. As the assessment card moves through each phase of the workflow, the avatar at the top-right corner of the card corresponds to the color-coded group(s) who own the open action items required to be completed prior to moving to the next phase. Those icons are labeled as follows:

  • AE: Assessed Entity (blue avatar)
  • EA: External Assessor (purple avatar)
  • HT: HITRUST (red avatar)

Assessed Entities and External Assessors may customize the Kanban View by configuring the data points and icons shown on their assessment’s cards. The available data points and icons include:

  • Organization Name
  • Assessment Name
  • Type of Assessment
  • External Assessor
  • Days in Current Phase
  • HITRUST QA Analyst
  • Open Action Items
  • Reservation Status

After configuring the data points as desired, Assessed Entities and External Assessors may save their customized views for easy access.

By default, the Kanban View will display all Validated Assessments assigned to the user. The view can be filtered to display a single assessment by searching for the Assessment Name. The view can also be filtered by the following:

  • Organization Name
  • External Assessor
  • HITRUST QA Analyst

In addition to displaying Validated Assessments that are utilizing the new Validated Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows, the Kanban View may also be toggled to show the legacy workflow states and the Validated Assessments utilizing the legacy workflow.

Matrix View

image of Matrix view

The Matrix View, accessed from the ‘Views’ page of MyCSF, is a spreadsheet-style view of the HITRUST CSF Validated Assessments accessible to the user. It can be viewed within MyCSF or downloaded as a ‘.CSV’ file. The columns of the Matrix View show the date the Validated Assessment entered each phase of the new Assessment Workflow and the number of days the assessment has been in each phase.

By default, the Matrix View will display all Validated Assessments accessible to the user. The view can be filtered to display a single assessment by searching for the Assessment Name. Like the Kanban View, the Matrix View can be toggled to show Validated Assessments utilizing the Legacy Assessment Workflow.

Assessment Details Page

Assessment Details

Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment has an Assessment Details Page accessed by clicking the assessment name within any assessment, or by clicking the assessment name on the Kanban View for Validated Assessments. The Assessment Details page is a dedicated page that summarizes information about the assessment including:

  • Assessment Data: Organization Name, Assessment Name, Submission Date, etc.
  • Assessment Scope: In-Scope Systems, Facilities and Outsourced Services (Validated and Readiness Assessments only)
  • Open Items: Open Tasks, Requirement Statements, and PQIs broken down by owner (Assessed Entity, External Assessor, or HITRUST)
  • Assessment Timeline: Timeline displaying the completed phases, current phase, and upcoming phases in the Assessment Workflow
  • Days in QA: The number of days the assessment spent with each party (Assessed Entity, External Assessor, and HITRUST) during the QA phases

Implementation

Assessed Entities and External Assessors will have access to view all HITRUST CSF Validated Assessments on the Kanban View and Matrix View starting on February 15, 2022.

Effective immediately, all HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments have an Assessment Details Page.

Additional Resources

A video walk-through of each dashboard will be published no later than February 1, 2022.


HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview

A new Assessment Workflow is being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

The new Assessment Workflows for HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments replace the legacy assessment “states” with new “phases” that are designed to:

  • Clarify the steps required to complete assessments and obtain final reports, interim letters, and bridge certificates.
  • Clearly define ownership of each phase of an assessment.
  • Provide improved transparency into the status of an assessment.
  • Reduce reversions of the assessment during the workflow through the resequencing of phases.
  • Standardize the phase names across HITRUST CSF Validated, Readiness, Interim, and Bridge assessment workflows.

New HITRUST CSF Validated Assessment Workflow

The new Assessment Workflow for HITRUST CSF Validated Assessments comprises 16 workflow phases. The diagram below displays the 16 workflow phases, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states. As shown in the diagram, each phase maps to a legacy workflow state; however, the phases are more granularly defined to increase transparency regarding assessment status and the remaining items needed to reach the next phase. The phases do not add steps to the process; they clarify the steps that should be performed by each party as part of the assessment process.

Throughout the process of completing a Validated Assessment, the Assessed Entity and External Assessor may view the status of the assessment at any time on a Kanban-style dashboard which tracks the Validated Assessment as it moves through each phase of the workflow. HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards describes several status dashboards being introduced as part of this suite of enhancements.

[Workflow diagram: new HITRUST CSF Validated Assessment workflow phases compared to legacy states]

The table below summarizes each phase of the workflow. The Summary of Key Changes column highlights certain changes but is not a comprehensive list of changes. For a detailed description of each phase and the comprehensive list of changes see New Validated Assessment Workflow and Notifications or click on the phase name within the table.

1. Answering Pre-Assessment
   Description: The Assessed Entity is responsible for completing each pre-assessment section: Name & Security, Organization Information, Assessment Options, Scope of the Assessment, and Factors.
   Summary of Key Changes:
     • The offline Organizational Overview and Scope document will be retired. (HAA 2021-009)
     • The redesigned Organization Information webform and new Scope of the Assessment webform will serve as the primary location for capturing background information about the Assessed Entity and their security organization and for defining the platforms/systems, facilities, and services outsourced for the in-scope environment. (Pre-Assessment Webforms)

2. Answering Assessment
   Description: The Assessed Entity scores their assessment and addresses any triggered potential quality issues (PQIs). The Assessed Entity should also make a QA Reservation and complete the Validated Report Agreement webform.
   Summary of Key Changes: The Validated Report Agreement will now be completed through MyCSF using an electronic signature workflow. (HAA 2021-009)

3. Performing Validation
   Description: The External Assessor reviews and approves each pre-assessment section, reviews requirement statement scoring, links relevant documentation, and addresses any triggered potential quality issues (PQIs). The External Assessor also completes the Test Plan, Audits and Assessments Utilized Webform, External Assessor Time Sheet and the QA Checklist.
   Summary of Key Changes:
     • The External Assessor will now be required to review and approve each pre-assessment section prior to performing validation of the Assessed Entity’s scoring of the assessment. (Pre-Assessment Webforms)
     • The External Assessor will now assign their Engagement Executive and QA Reviewer on the assessment’s Name & Security page. (HAA 2021-009)
     • The QA Checklist that was previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer has been digitally integrated into MyCSF. (HAA 2021-009)
     • The Audits and Assessments Utilized webform will be used to document reliance placed on the work of others, through either the usage of the external inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. (Audits & Assessments Utilized Webform)

4. Inputting CAPs and Signing Rep Letter
   Description: The Assessed Entity enters all required CAPs and signs the Management Representation Letter.

5. Reviewing CAPs
   Description: The External Assessor reviews the required CAP(s) for specificity, clarity, spelling, grammar and the ability of the Assessed Entity to demonstrate progress against the CAP.
   Summary of Key Changes: The External Assessor will now be required to review and approve all required CAPs prior to the submission of the assessment to HITRUST. (CAP Review)

6. Performing Check-In
   Description: HITRUST performs automated QA checks and a high-level review of the assessment and accompanying required documents and webforms.
   Summary of Key Changes: The new workflow phases of Performing Check-In, Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Assessment Submitted to HITRUST state.

7. Addressing Check-In Tasks
   Description: The Assessed Entity and External Assessor address the tasks opened by HITRUST during check-in.
   Summary of Key Changes: If HITRUST’s check-in review identifies a small number of potential issues, rather than reverting the assessment back to the External Assessor, HITRUST will open tasks and the assessment will enter the Addressing Check-In Tasks phase. (HAA 2021-010)

8. Reviewing Pending Check-In Tasks
   Description: HITRUST reviews the tasks addressed by the Assessed Entity and External Assessor.
   Summary of Key Changes: HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010)

9. Pending Quality Assurance
   Description: The assessment is awaiting the HITRUST QA review to begin during the reserved QA block.
   Summary of Key Changes: The Pending Quality Assurance phase is introduced to provide transparency into the period between the assessment being accepted by HITRUST and the QA review starting during the reserved QA block.

10. Performing QA
   Description: The QA Analyst reviews the Pre-Assessment, Required Documents and Webforms, Core QA, Not Applicable Rationales, Measured and Managed Scores, CAPs, and Overridden PQIs.
   Summary of Key Changes: Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. (HAA 2021-010)

11. Addressing QA Tasks
   Description: The Assessed Entity and External Assessor address the tasks opened by HITRUST during QA.
   Summary of Key Changes:
     • The Assessed Entity and External Assessor address HITRUST’s QA questions through tasks. (HAA 2021-010)
     • If the action taken to address a task adds additional requirement statements or required CAPs to the assessment, the requirement statements must be scored or the CAPs entered by the Assessed Entity and validated by the External Assessor during QA. (HAA 2021-010)

12. Reviewing Pending QA Tasks
   Description: The QA Analyst reviews the tasks addressed by the Assessed Entity and External Assessor.
   Summary of Key Changes: HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010)

13. Preparing and Reviewing Deliverables
   Description: HITRUST prepares and reviews the draft reports.
   Summary of Key Changes: The HITRUST CSF Validated Report format has been updated to streamline the presentation of information, more clearly present assessment scope, and accommodate changes to the format of the organization and scoping information webforms. (HAA 2021-011)

14. Reviewing Draft Deliverables
   Description: The Assessed Entity reviews the draft reports.
   Summary of Key Changes: An updated Revision Request webform includes new input fields which allow the Assessed Entity to clearly identify each revision request. (Draft Report Revision Requests)

15. Revising Draft
   Description: HITRUST either processes the Assessed Entity’s revision requests or prepares the final reports.
   Summary of Key Changes: As the QA Analyst reviews each revision request, the status of each request is identified as Not Started, Completed, or Not Accepted by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an explanation within the “Rationale” section of the webform. (HAA 2021-009)

16. Complete
   Description: The Assessed Entity and External Assessor may access the final reports.
   Summary of Key Changes: No changes; the Complete phase is equivalent to the legacy Final Report Posted state.

New HITRUST CSF Interim and Bridge Assessment Workflow

The new assessment workflow for HITRUST CSF Interim and Bridge Assessments features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Interim and Bridge assessments, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states.

[Workflow diagram: new HITRUST CSF Interim and Bridge Assessment workflow phases compared to legacy states]

The table below summarizes each phase of the workflow. For a detailed description of each phase, see New Interim and Bridge Assessment Workflow and Notifications or click the phase name within the table.

1. Performing Validation
   Description: The External Assessor reviews requirement statement scoring, links relevant documentation, and addresses any triggered potential quality issues (PQIs).
   Summary of Key Changes: No changes; the Performing Validation phase is equivalent to the legacy Undergoing Interim and Undergoing Bridge Assessment phases.

2. Performing Check-In
   Description: HITRUST performs automated QA checks and a high-level review of the assessment.
   Summary of Key Changes: The new workflow phases of Performing Check-In, Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Interim Submitted and Bridge Assessment Submitted states. (HAA 2021-010)

3. Addressing Check-In Tasks
   Description: The Assessed Entity and External Assessor address the tasks opened by HITRUST during check-in.
   Summary of Key Changes: If questions arise during the check-in review, HITRUST will open Check-In Tasks within the assessment for the External Assessor and/or Assessed Entity to address prior to the assessment being accepted by HITRUST. (HAA 2021-010)

4. Reviewing Pending Check-In Tasks
   Description: HITRUST reviews the tasks addressed by the Assessed Entity and External Assessor.
   Summary of Key Changes: HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010)

5. Pending Quality Assurance
   Description: The assessment is awaiting the HITRUST QA review to begin.
   Summary of Key Changes: The Pending Quality Assurance phase is introduced to provide transparency into the period between the assessment being accepted by HITRUST and the QA review being completed.

6. Performing QA
   Description: The QA Analyst performs the QA review of the assessment.
   Summary of Key Changes: Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. (HAA 2021-010)

7. Addressing QA Tasks
   Description: The Assessed Entity and External Assessor address the tasks opened by HITRUST during QA.
   Summary of Key Changes: The Assessed Entity and External Assessor address HITRUST’s QA questions through tasks. (HAA 2021-010)

8. Reviewing Pending QA Tasks
   Description: The QA Analyst reviews the tasks addressed by the Assessed Entity and External Assessor.
   Summary of Key Changes: HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010)

9. Preparing and Reviewing Deliverables
   Description: HITRUST prepares and reviews the Interim Letter or Bridge Certificate.
   Summary of Key Changes: No changes; the Preparing and Reviewing Deliverables phase is equivalent to the legacy Interim Review Complete and Bridge Review Complete phases.

10. Complete
   Description: The Assessed Entity and External Assessor may access the Interim Letter or Bridge Certificate.
   Summary of Key Changes: No changes; the Complete phase is equivalent to the legacy Interim Report Posted and Bridge Certificate Posted states.

New Readiness Assessment Workflow

The new assessment workflow for HITRUST CSF Readiness Assessments submitted for reporting features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Readiness assessments, including the primary owner of each phase, as well as a comparison to the legacy workflow states.

[Workflow diagram: new HITRUST CSF Readiness Assessment workflow phases compared to legacy states]

The table below summarizes each phase of the workflow. For a detailed description of each phase see New Readiness Assessment Workflow and Notifications or click the phase name within the table.

1. Answering Pre-Assessment
   Description: The Assessed Entity is responsible for completing each pre-assessment section: Name & Security, Organization Information, Assessment Options, Scope of the Assessment, and Factors.
   Summary of Key Changes: The redesigned Organization Information webform and new Scope of the Assessment webform will serve as the primary location for capturing background information about the Assessed Entity and their security organization and for defining the platforms/systems, facilities, and services outsourced for the in-scope environment. (Pre-Assessment Webforms)

2. Answering Assessment
   Description: The Assessed Entity scores their assessment and addresses any triggered potential quality issues (PQIs). The Assessed Entity should also make a QA Reservation and complete the Validated Report Agreement webform.
   Summary of Key Changes: The Management Representation Letter will now be completed through MyCSF using an electronic signature workflow. (HAA 2021-009)

3. Performing Check-In
   Description: HITRUST reviews the Management Representation Letter.
   Summary of Key Changes: The new workflow phases of Performing Check-In, Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Assessment Submitted to HITRUST state.

4. Addressing Check-In Tasks
   Description: The Assessed Entity addresses the task opened by HITRUST during check-in.
   Summary of Key Changes: If HITRUST’s check-in review identifies an issue with the Management Representation Letter, HITRUST will open a task and the assessment will enter the Addressing Check-In Tasks phase. (HAA 2021-010)

5. Reviewing Pending Check-In Tasks
   Description: HITRUST reviews the task addressed by the Assessed Entity.
   Summary of Key Changes: HITRUST closes the task if it has been resolved. If the task requires additional attention, HITRUST sends the task back to the Assessed Entity with comments or instructions, and the assessment returns to the Addressing Check-In Tasks phase. (HAA 2021-010)

6. Preparing and Reviewing Deliverables
   Description: HITRUST prepares and reviews the draft report.
   Summary of Key Changes: The HITRUST CSF Validated Report format has been updated to streamline the presentation of information. (HAA 2021-011)

7. Reviewing Draft Deliverables
   Description: The Assessed Entity reviews the draft report.
   Summary of Key Changes: An updated Revision Request webform includes new input fields which allow the Assessed Entity to clearly identify each revision request. (Draft Report Revision Requests)

8. Revising Draft
   Description: HITRUST either processes the Assessed Entity’s revision requests or prepares the final report.
   Summary of Key Changes: As the QA Analyst reviews each revision request, the status of each request is identified as Not Started, Completed, or Not Accepted by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an explanation within the “Rationale” section of the webform. (HAA 2021-009)

9. Complete
   Description: The Assessed Entity may access the final report.
   Summary of Key Changes: No changes; the Complete phase is equivalent to the legacy Final Report Posted state.

Implementation

HITRUST CSF Validated Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments that meet all of the following criteria on February 15, 2022:

  • The assessment has not previously been submitted to HITRUST
  • The assessment is in the Not Started or Answering Assessment state
  • No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge Assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

This suite of enhancements to MyCSF will be implemented automatically for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments that meet all of the following criteria on February 15, 2022:

  • Assessment has never been submitted to HITRUST
  • Assessment is in the Not Started or Answering Assessment state

Additional Resources

FAQs: New Assessment Workflows
New Validated Assessment Workflow and Notifications
New Interim and Bridge Assessment Workflows and Notifications
New Readiness Assessment Workflow and Notifications


HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF Version Upgrades

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
October 19, 2021

Advisory Type
Assurance Change

Overview

On or before December 4, 2021, HITRUST will introduce a new feature in MyCSF to allow Assessed Entities to preview the effects of upgrading the CSF version or making any other changes which impact the composition of a HITRUST CSF Validated or Readiness Assessment before the change is made.

CSF Version Upgrade for a HITRUST CSF Validated or Readiness Assessment

Consistent with the CSF Versioning Policy announced in HAA 2021-005, all new versions of the HITRUST CSF will be displayed in MyCSF using the versioning syntax of v[Major].[Minor].[Errata]. In order to provide further transparency into the updates introduced in each new major, minor, and errata version of the CSF, MyCSF will allow Assessed Entities to preview the effects of upgrading their assessment to a new CSF version. The MyCSF preview functionality provides a high-level summary and a detailed report of all modifications that would result from upgrading the CSF version utilized for a particular assessment.

The Assessed Entity may preview and upgrade the CSF version at any time while the assessment is in the Answering Assessment state prior to any assessment domains being submitted to the External Assessor for validation.

If any new major, minor, or errata versions of the CSF are available, MyCSF displays the upgrade options to the Assessed Entity upon accessing any of the following pages:

  • Organization Information
  • Assessment Options
  • Systems
  • Facilities
  • Default Scoring Profile
  • Factors

The upgrade options could include the following based upon the version of the CSF that the assessment currently utilizes:

  • The most recently released errata version for the same minor CSF version that the assessment is currently utilizing (Example: v9.5.0 to v9.5.1)
  • The most recently released minor version for the same major CSF version that the assessment is currently utilizing (Example: v9.4 to v9.5.1)
  • The most recently released major version of the CSF (Example: v8 to v9.5.1)

The Assessed Entity is presented with the option to preview the differences between their current assessment and the assessment that would be created upon upgrading to the version of the library selected by the Assessed Entity. MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

  • Addition, Removal, or Modification of a Requirement Statement
  • Modification of a Requirement Statement’s Illustrative Procedure
  • Factor Added or Removed from a Requirement Statement
  • Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
  • Modification of the Control Level Implementation of a Requirement Statement
  • Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
  • Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with updating the CSF Version or to not apply the update.
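Because the three upgrade options above follow directly from the v[Major].[Minor].[Errata] syntax, they can be computed from the assessment's current version and the list of released versions. The Python below is an added example written for this page, not MyCSF code: the release list is constructed to reproduce the advisory's three examples, and it assumes (per the note in HAA 2021-005 that older library versions display only major and minor) that a label such as "v9.4" or "v8" stands for the .0 release of that line.

```python
import re
from typing import NamedTuple


class CsfVersion(NamedTuple):
    """One CSF library version under the v[Major].[Minor].[Errata] syntax."""
    major: int
    minor: int
    errata: int


# Accepts "v9.5.1" as well as legacy labels such as "v9.4" or "v8".
# Missing components are treated as 0 (an assumption made for this example).
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(label: str) -> CsfVersion:
    match = _VERSION_RE.match(label.strip())
    if match is None:
        raise ValueError(f"not a CSF version label: {label!r}")
    major, minor, errata = (int(g) if g is not None else 0 for g in match.groups())
    return CsfVersion(major, minor, errata)


def format_version(v: CsfVersion) -> str:
    return f"v{v.major}.{v.minor}.{v.errata}"


def upgrade_options(current: str, available: list) -> dict:
    """Return the errata / minor / major upgrade targets for an assessment.

    errata: newest release with the same major and minor as the assessment
    minor:  newest release within the same major but with a higher minor
    major:  newest release with a higher major
    A value of None means no such upgrade exists in `available`.
    """
    cur = parse_version(current)
    # De-duplicate, then keep only releases newer than the current version.
    newer = sorted(v for v in {parse_version(a) for a in available} if v > cur)
    buckets = {
        "errata": [v for v in newer if (v.major, v.minor) == (cur.major, cur.minor)],
        "minor": [v for v in newer if v.major == cur.major and v.minor > cur.minor],
        "major": [v for v in newer if v.major > cur.major],
    }
    # "Most recently released" = highest version in each bucket.
    return {name: (format_version(max(vs)) if vs else None) for name, vs in buckets.items()}


# Constructed release list that reproduces the advisory's three examples.
RELEASED = ["v8", "v8.1.2", "v9.4", "v9.5.0", "v9.5.1"]

if __name__ == "__main__":
    for current in ("v9.5.0", "v9.4", "v8"):
        print(current, "->", upgrade_options(current, RELEASED))
```

With the constructed list, v9.5.0 is offered only the errata upgrade to v9.5.1, v9.4 only the minor upgrade to v9.5.1, and v8 both a minor upgrade to v8.1.2 and a major upgrade to v9.5.1, matching the examples in the advisory. An assessment already on the newest release gets no options at all.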

Previewing a change to the composition of a HITRUST CSF Validated or Readiness Assessment

The preview functionality described above is also available at any time that the Assessed Entity attempts to make a change within MyCSF which will result in a modification to the composition of their HITRUST CSF Validated or Readiness Assessment. Examples of these changes include:

  • Changing a Factor response
  • Changing the following options on the Assessment Options page
    • Would you like only the controls required for certification or ALL CSF security controls?
    • Include privacy controls?

When making such a change to the assessment, MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

  • Addition, Removal, or Modification of a Requirement Statement
  • Modification of a Requirement Statement’s Illustrative Procedure
  • Factor Added or Removed from a Requirement Statement
  • Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
  • Modification of the Control Level Implementation of a Requirement Statement
  • Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
  • Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with making the previewed changes or to not apply them.

Implementation

The CSF version upgrade and preview functionality described above will be implemented for all HITRUST CSF Validated and Readiness Assessments on or before December 4, 2021.


HAA 2021-005: CSF Versioning Policy

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
October 19, 2021

Advisory Type
Assurance Change

Summary

To provide further transparency to the HITRUST Community, a versioning policy for the HITRUST CSF is being introduced. The policy defines the criteria for updates to the HITRUST CSF and the corresponding communications that can be expected from HITRUST.

Versioning Policy

All CSF versions will now observe the following syntax: v[Major].[Minor].[Errata]

In support of the syntax, HITRUST will observe the following definitions:

Major Release (Example: v8.0.0, v9.0.0, v10.0.0):

  • Changes to CSF structure including:
    • Adding, removing, or material changes to the Categories, Objectives, or Control References and corresponding descriptions
    • Updates to the taxonomy of the CSF
  • An Assurance Advisory will be published to announce the change

Minor Release (Example: v9.1.0, v9.2.0, v10.1.0):

  • Material changes to the CSF and related information in the platform including:
    • Changing the Control References required for certification or inclusion of Requirement Statements in an assessment
    • Adding, removing, or material changes to a Requirement Statement and/or Implementation Requirements
    • Adding, removing, or changes to Authoritative Sources, related Regulatory/Compliance Factors or mappings
    • Updates which result in a Requirement Statement moving to a different Control Reference, Domain, or Level
    • Material changes to Illustrative Procedures
    • Adding or removing General, Geographic, Organizational, or Technical Factors and/or related operational functionality
  • An Assurance Advisory will be published to announce the change

Errata Release (Example: v9.1.2, v9.1.3, v10.0.1):

  • Immaterial changes to the CSF and related information in the platform including:
    • Minor updates to CSF categorization vernacular (no material impact)
    • Changes to the Factor Type designation or Topics
    • Immaterial changes to a Requirement Statement and/or Implementation Requirements
    • Updates which do not result in a Requirement Statement moving to a different Control Reference, Domain, or Level
    • Immaterial changes to the Illustrative Procedures
    • Spelling, punctuation, grammatical, typos or stylistic corrections
  • Adding, removing, or changes to Community Supplemental Requirements and related information in the platform, related Regulatory/Compliance Factors or mappings*
  • An Assurance Advisory will not be published to announce the change. The new release will be available within MyCSF as an optional update to certain existing assessments and used as the default version for any newly created assessments after the release.

* Due to the nature of Community Supplemental Requirements, modifications do not rise to the level of a minor release, which necessitates an advisory/announcement to all HITRUST users.

Implementation and Timeline

Versioning of the HITRUST CSF

Effective as of the release of v9.5.0 all versions of the HITRUST CSF will observe the versioning syntax of v[Major].[Minor].[Errata] and CSF Versioning Policy.

MyCSF

Starting with v9.5.0, all CSF Library versions within MyCSF are displayed using the versioning syntax of v[Major].[Minor].[Errata]. Previous CSF Library versions will only display the major and minor release.

Additional Information

See HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF Version Upgrades for related MyCSF enhancements. For additional questions please contact our Support team.


HAA 2021-004: MyCSF Enhancements for v9.x and later CSF versions

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview

HITRUST continually evaluates necessary changes in MyCSF based on community feedback and internal review. Through this review, HITRUST has identified enhancements to improve the overall assessment process. HITRUST is making the corresponding enhancements to the MyCSF platform which will apply to assessments utilizing HITRUST CSF versions 9.x and later.

Measured and Managed Maturity Level Options

Description

Within HITRUST CSF Validated assessments, scoring of the Measured and Managed maturity levels is not required. If included in the assessment, scoring of the Measured and Managed levels also subjects the assessment to additional QA checks resulting in additional processing time. As a result, HITRUST will update MyCSF to provide Assessed Entities with the ability to optionally remove these levels from their assessments if they do not plan on scoring them. The optional removal of these maturity levels from the assessment should help prevent accidental scoring and streamline data entry into MyCSF.

Implementation

Effective immediately, any newly created HITRUST CSF Validated assessment will require the Assessed Entity to select whether Measured and Managed maturity levels will be evaluated when configuring the assessment. The configuration option will appear within the “Assessment Options” menu and will ask “Will you be scoring Measured and Managed?”.

If “Yes” is selected then the Measured and Managed maturity levels will be included within each requirement statement for scoring.

If “No” is selected the Measured and Managed maturity levels will not be available for scoring. When downloading an offline assessment, the Measured and Managed maturity levels will remain in the downloaded Excel file. However, upon uploading the offline assessment, no Measured or Managed scores will be reflected in MyCSF if the option to score these levels was not selected in the “Assessment Options” menu.

Measured Level Independent and Operational Selections

Description

When evidence is attached to a requirement statement supporting a score in the Measured maturity level, the Subscriber must select whether the evidence is related to an “Operational” or “Independent” measure. To simplify the evidence attachment process, this selection will no longer be needed within MyCSF. The Subscriber will only need to select that the evidence applies to the Measured maturity level. It is still expected that the External Assessor will document within the testing results whether the measure was scored as “Operational” or “Independent”.

Implementation

Effective June 24, 2021, any newly created HITRUST CSF assessment will no longer display an option to select whether the evaluated measurement is “Independent” or “Operational”.

For offline assessments, the column in the “Requirement-Document Mapping” tab labeled “Measured: Operational or Independent?” will be renamed to “Maturity Measured Related?” with the only valid responses as “True” or “False”.

For existing assessments that have not previously been submitted to HITRUST for processing, this change can be enabled upon request. To do so, please email Support requesting the disablement of the Operational and Independent checkboxes for the Measured maturity level and include the following information:

  • Organization Name as it appears in MyCSF
  • Assessment Name as it appears in MyCSF

Scoping Factor Edit Checks

Description

HITRUST CSF assessments will include additional edit checks on the CSF version 9.x scoping factors listed below to avoid inconsistent responses.

  • Is the system(s) accessible from the Internet?
  • Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
  • Is any aspect of the scoped environment hosted on the cloud?

Inconsistent answers to these factors previously had to be corrected during HITRUST’s QA, which added processing time to certain assessments. This change is being made to avoid the possibility of inconsistent responses to these factors.

Implementation

HITRUST CSF assessments created on or after June 24, 2021 will include additional edit checks for the scoping factors listed below to avoid inconsistent responses. The rules will be applied to the following scoping factor questions:

1. Is the system(s) accessible from the Internet?
   Response rule: If “Yes”, then #2 will automatically be answered as “Yes”
2. Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
   Response rule: If “Yes”, then #1 will automatically be answered as “Yes”
3. Is any aspect of the scoped environment hosted on the cloud?
   Response rule: If “Yes”, then #1 and #2 will automatically be answered as “Yes”


When the system enforces the rule, the correct answer will be automatically populated and a message in MyCSF will inform the user that this rule was applied.

For any existing assessment in which the three identified scoping factors were previously answered, the new rules will not be applied unless one or more of those three responses is updated, at which point the new rules will be applied.
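The three response rules above form a small implication set: #1 and #2 imply each other, and #3 implies both. The Python below is an added example for this page, not MyCSF code; it applies the rules to a constructed set of responses, produces the kind of message the advisory says MyCSF shows when a rule fires, and models the two implementation cases (a new assessment, and an existing assessment whose responses were or were not updated). The factor numbering, the `updated` parameter and the message wording are this example's own.

```python
INTERNET, EXTERNAL, CLOUD = 1, 2, 3  # numbering as in the advisory's table

QUESTIONS = {
    INTERNET: "Is the system(s) accessible from the Internet?",
    EXTERNAL: "Does the system allow users to access the scoped environment from "
              "an external network that is not controlled by the organization?",
    CLOUD: "Is any aspect of the scoped environment hosted on the cloud?",
}

# trigger factor -> factors that are forced to "Yes" when the trigger is "Yes"
RULES = {
    INTERNET: (EXTERNAL,),
    EXTERNAL: (INTERNET,),
    CLOUD: (INTERNET, EXTERNAL),
}


def apply_edit_checks(responses, updated=None):
    """Apply the three edit-check rules to a {factor: 'Yes'|'No'|None} dict.

    `updated` lists the factor numbers the user just changed. None means a
    newly created assessment (rules always apply); an empty list models an
    existing assessment whose responses were never touched, where the advisory
    says the rules are not applied. Returns (corrected responses, messages).
    """
    result = dict(responses)
    messages = []
    if updated is not None and not updated:
        return result, messages
    # The rules only ever change an answer to "Yes", so iterating until nothing
    # changes terminates and also handles chains such as #3 -> #1 -> #2.
    changed = True
    while changed:
        changed = False
        for trigger, implied in RULES.items():
            if result.get(trigger) != "Yes":
                continue
            for factor in implied:
                if result.get(factor) != "Yes":
                    result[factor] = "Yes"
                    messages.append(
                        f"Rule {trigger} applied: #{factor} automatically answered "
                        f"'Yes' because #{trigger} is 'Yes'")
                    changed = True
    return result, messages


def find_inconsistencies(responses):
    """Report (trigger, factor) pairs that violate a rule without changing anything.

    Useful for reviewing legacy assessments that the automatic rules do not touch.
    """
    return [(t, f) for t, implied in RULES.items() if responses.get(t) == "Yes"
            for f in implied if responses.get(f) != "Yes"]


if __name__ == "__main__":
    # Constructed responses: cloud-hosted, but #1 and #2 answered "No".
    fixed, notes = apply_edit_checks({INTERNET: "No", EXTERNAL: "No", CLOUD: "Yes"})
    for n in notes:
        print(n)
    print(fixed)
```

Running the block with the constructed responses forces #1 and #2 to "Yes" and emits one message per corrected factor; calling `apply_edit_checks` with `updated=[]` returns the responses untouched, which is the behaviour the advisory describes for existing assessments whose factors have not been changed.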

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-003: CAP Identification Changes

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview

HITRUST assessments for CSF versions 9.x and later will no longer create CAPs for gaps that exist only at the Policy and/or Procedure maturity levels. This change is being made to continue HITRUST’s emphasis on the Implemented maturity level, as described in HITRUST Assurance Advisory 2021-002, without compromising the integrity or Rely-Ability of the HITRUST CSF Certification.

Implementation and Timeline

HITRUST will not create a required CAP for a gap identified at the Policy and/or Procedure maturity level if there is no gap at the Implemented maturity level. This change will be applied starting June 24, 2021, as follows:

HITRUST CSF Validated Assessments

For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated Assessments participating in the Assurance Enhancements Beta Program, you will receive an alternate communication to describe how the change will be applied to your participating assessments.

Table 1

MyCSF State(s):
  • Not Started
  • Answering Assessment
  • Assessment Submitted to HITRUST
  • Undergoing QA
  • Awaiting External Assessor Response to QA
  • External Assessor Response Received
  • Undergoing Compliance Review
  • Compliance Review Complete
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment. When the draft reports are posted, CAPs will be generated such that a required CAP will not be created if gaps only exist at the Policy and/or Procedure maturity levels.

MyCSF State(s):
  • Draft Report Posted – Awaiting CAP Responses
  • Draft Report Posted – CAPs Complete
Application of the Change and Notification:
  • The assigned QA Analyst will manually apply the change to the assessment.
  • A notification of any CAPs that were moved to gaps will be sent to the Assessed Entity, External Assessor, and assigned QA Analyst.
  • The assessment will be returned to the Compliance Review Complete state and the assigned QA Analyst will post a revised draft report to MyCSF.

MyCSF State(s):
  • Final Report Posted
Application of the Change and Notification:
  • No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information.

HITRUST CSF Readiness Reports

All HITRUST CSF Readiness Assessments created on or after June 24, 2021 will automatically be configured to not create a required CAP if gaps only exist at the Policy and/or Procedure maturity levels.

For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the change will be applied by MyCSF state.

Table 2

MyCSF State(s):
  • Not Started
  • Answering Assessment
  • Assessment Submitted to HITRUST
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment.

MyCSF State(s):
  • Draft Report Posted
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment.
  • The assessment will be returned to the Assessment Submitted to HITRUST state and the assigned HITRUST Analyst will post a revised Draft Report to MyCSF.

MyCSF State(s):
  • Final Report Posted
Application of the Change and Notification:
  • No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information.

Reissuing Reports

Assessed Entities who wish to have a Final Report reissued to reflect this change must meet both of the following criteria in order to qualify:

  • Have a recently issued Final Report (that used the prior CAP logic), which is defined as follows:
    • For HITRUST CSF Validated Assessment reports: An active certification in the ‘Final Report Posted’ state within MyCSF
    • For HITRUST CSF Readiness reports: A report dated no earlier than June 24, 2020
  • Currently be an active MyCSF subscriber with access to the completed assessment (assessment cannot be archived).

Assessed Entities who purchased only the HITRUST CSF Readiness or Validated Assessment report without subscribing to MyCSF are ineligible to have their report reissued.

Qualified and interested Assessed Entities should contact their Customer Success Manager to obtain pricing information and initiate the reissuance process.

For Assessed Entities who do have their Final Report reissued, the following actions will be taken:

  • Upon initiation of the reissuance process:
    • For HITRUST CSF Validated Assessments, the existing certified assessment within MyCSF will be decertified and the existing HITRUST CSF Validated Assessment report will be considered invalid.
    • For HITRUST CSF Readiness Assessments, no action will be taken.
  • For both HITRUST CSF Validated and Readiness Assessments, a clone of the original assessment will automatically be made and put into a state of ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness Assessments. Upon creation of the clone, the original assessment will be automatically archived.
  • A QA Analyst will post the revised Final Report to the cloned assessment in MyCSF.
  • For HITRUST CSF Validated Assessments:
    • The cloned assessment will be marked as certified using the date from the original assessment, so this change does not alter or extend the date of certification.
    • If applicable, the previously completed Interim Assessment will be linked to the cloned assessment.

Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments

For Assessed Entities who choose to optionally reissue a HITRUST CSF Validated Assessment report, there may be an impact on their Interim Assessment. To understand the potential impact, Assessed Entities and their External Assessors should review the following scenarios.

Scenario 1 – The Interim Assessment has not been generated by MyCSF
The Interim Assessment will be automatically generated based upon the new cloned Validated Assessment.

Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been submitted to HITRUST
Upon initiating the reissuance process, the existing Interim Assessment will be refreshed to remove any requirements that were CAPs but have been moved to gaps under the revised CAP logic, while maintaining at least one requirement per domain within the Interim Assessment.

Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the Interim Letter has not been posted
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Scenario 4 – The Interim Assessment has already been completed
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

  • For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
  • For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
  • For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements is being modified:

Maturity Level: Policy
Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and
  iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements).
Revised Strength Criteria:
  A documented policy must specify the mandatory nature of the control requirement in a written format, which could reside in a document identified as a policy, standard, directive, handbook, etc.
Scoring Considerations:
  • A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented policy have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure
Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders,
  iii. Outlines stakeholder responsibilities, and
  iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.
Revised Strength Criteria:
  A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.
Scoring Considerations:
  • A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented procedure have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

Content                                     CSF Certification Letter with Scope   Stand-alone Certification Letter
Signed Certification Letter from HITRUST    ✓                                     ✓*
Assessment Context                          ✓
Scope of Systems in the Assessment          ✓

*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-001: Reservation System for Scheduling HITRUST Quality Assurance for HITRUST CSF Validated Assessments

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
April 15, 2021

Advisory Type
Assurance Change

Policy/Program Change Details

Summary

On July 1, 2021, HITRUST will enable a Reservation System within the HITRUST MyCSF platform, requiring Assessed Entities to schedule the start of quality assurance (QA) procedures for HITRUST CSF Validated Assessments. The Reservation System is designed to:

  • Eliminate the uncertainty around when HITRUST’s QA procedures will begin,
  • Allow Assessed Entities and their HITRUST Authorized External Assessor Organizations to schedule resources to respond to HITRUST’s QA feedback, and
  • Provide the opportunity for QA to occur closer to the submission date.

Key Considerations

Making a Reservation

  • All Assessed Entities will be required to make a reservation prior to submission of their HITRUST CSF Validated Assessment. The reservation can be made any time prior to submission; however, HITRUST encourages Assessed Entities to make their reservations as early as possible. The Reservation System will allow reservations up to one year in advance.
  • A Validated Assessment Report Credit is required to make a reservation. If you do not have a Validated Assessment Report Credit, you will receive a prompt to contact your Customer Success Manager in order to purchase a Validated Assessment Report Credit.
  • The submission date of the assessment to HITRUST must be entered into MyCSF as part of the reservation process. Assessed Entities should work carefully with their HITRUST Authorized External Assessor Organizations to plan their submission date as this is the deadline to submit the assessment to HITRUST. Failure to submit the assessment by the submission date will result in cancellation of the reservation, and a new reservation will need to be made.
  • Reservation slots occur within QA Blocks. QA Blocks are one-week periods where HITRUST will begin QA procedures. Each QA Block contains a set number of reservations that are possible, with MyCSF displaying the QA Blocks that are available to reserve.
  • By the end of the QA Block, HITRUST will have begun QA procedures on the assessment. For assessments in the normal QA workflow, organizations should typically expect to hear from HITRUST within seven to ten business days after the end of the QA Block. Not hearing from HITRUST during the week of your scheduled QA Block does not indicate that QA has not started.
  • Prior to booking a reservation, Assessed Entities will need to acknowledge the Cancellation Policy. The Cancellation Policy outlines the date by which the Assessed Entity can make a modification or cancel the reservation without incurring a fee.

Expedited Reservations

HITRUST also offers expedited reservations. Expedited reservations provide access to QA Blocks that may otherwise be at capacity and include priority processing of the assessment. Available expedited reservations will be shown within certain QA Blocks. To purchase an expedited reservation, the Assessed Entity will need to contact their Customer Success Manager.

Starting your Reservation

After submitting a Validated Assessment to HITRUST, the Assessed Entity will typically receive confirmation that the assessment was accepted by HITRUST. If the assessment was returned by HITRUST, the Assessed Entity and HITRUST Authorized External Assessor Organization should work together to remediate the assessment and resubmit. If the assessment is not resubmitted and accepted by HITRUST prior to the start of the QA Block, the reservation will be canceled. To ensure acceptance of an assessment prior to the start of the QA Block, HITRUST reminds Assessed Entities and External Assessors that they can submit in advance of the ‘Submission Date’ defined in their reservation.

Implementation and Timeline

For any Validated Assessments submitted to HITRUST for processing on or before June 30, 2021, HITRUST will continue to process assessments on a first-come, first-served basis with a priority for Assessed Entities that purchased expedited processing.

On July 1, 2021, the reservation system will be enabled for all HITRUST CSF Validated Assessments that have not previously been submitted to HITRUST. A reservation will be required to be made prior to submission to HITRUST.

Additional Information

A walk-through of the process within MyCSF can be found here, along with anticipated questions and responses.


Summary of HITRUST Assurance Advisories 2020

HAA 2020-005: Enhancing Assurance Advisories

Impacted Policy/Program Name: CSF Assurance Program

Date: July 14, 2020

Advisory Type: Assurance Program Communications

Policy/Program Change Details

HITRUST “CSF Implementation & Assurance Implementation Bulletins” will now be referred to simply as “Assurance Advisories” and will be classified into two distinct categories: “Assurance Change Advisories” and “Assurance Quality Advisories.”

“Assurance Change Advisories” will be used to communicate:

  • Enhancements to the MyCSF platform which significantly impact the Assurance program.
  • Significant modifications to the assessment methodology and assurance program requirements, such as modified assessment documentation requirements.
  • Introduction of a new component of the assessment methodology or a program requirement.

“Assurance Quality Advisories” will be used for:

  • Clarifying existing assessment methodology components, assurance program requirements, and expectations of assessors and assessed entities based on HITRUST’s experience in performing quality assurance reviews of assessment submissions.
  • Highlighting new, emerging, or otherwise noteworthy circumstances that may affect how assessments are conducted under the existing assessment methodology and assurance program requirements.

All advisories will continue to provide a timeline for implementation by both assessed entities and External Assessors.

Rationale

Categorizing advisories by type will provide additional clarity around changes to the Assurance program which impact assessed entities and External Assessors. Furthermore, the creation of “Assurance Quality Advisories” provides a new vehicle to share guidance and clarification regarding existing assessment methodologies and program requirements to the HITRUST community.

Timetable for implementation

Effective for all subsequent Advisories.

HAA 2020-004: HITRUST CSF Bridge Assessments

Impacted Policy/Program Name

HITRUST CSF Assurance Program

Date

April 15, 2020

Summary

HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the subsequent possible impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance Program, upon which certification is based, incorporates a number of mechanisms to ensure the assurances provided by a HITRUST CSF Validated Report are ‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time a report expires. Therefore, given the extent of degradation in the level of assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF Certification past its two-year anniversary date.

HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.

The HITRUST CSF Bridge Assessment provides an interim solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.

Limitations of Forward-Looking Certifications

HITRUST’s forward-looking HITRUST CSF Certification provides value by providing appropriate assurance that an assessed entity’s scoped control environment will operate as intended over a specific period of time. As control environments and threats inevitably change over time, the assurances gained by an assessment will also lessen over time. This degradation of assurance is anticipated and factored into the HITRUST CSF Assurance Program’s assessment and quality assurance methodologies and underlying risk analysis model. The interim assessment, performed at the one-year anniversary of HITRUST CSF Certification, is designed to help ensure the assurances provided by certification can be reasonably relied upon through its second year up until the point of expiration. A new HITRUST CSF Validated Assessment must then be performed in order to provide reasonable assurances for another two years.

As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its two-year anniversary date and still provide the ‘rely-ability’ fundamental to the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in this regard; few—if any—other forward-looking information assurance mechanisms can be extended for periods greater than two years while still offering the meaningful assurances that stakeholders now expect.

HITRUST CSF Bridge Assessment

HITRUST has subsequently developed an approach that may be useful to some stakeholders under extraordinary circumstances in which a HITRUST CSF Certification holder is unable to complete their next HITRUST CSF Validated Assessment prior to the expiration of their existing HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to demonstrate a continued level of control effectiveness while making progress towards their next HITRUST CSF Validated Assessment.

To mitigate the excessive degradation in assurance that occurs at the end of a HITRUST CSF Certification period, 19 requirement statements will be randomly selected by the HITRUST MyCSF® platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment. This testing will be reviewed in an expedited manner by HITRUST and—barring indications of control degradation, significant changes in the environment, or significant QA issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this certificate, the assessed entity will have 90 days from the expiration date of the previous HITRUST CSF Certification to submit a completed validated assessment to HITRUST.

Important considerations related to HITRUST CSF Bridge Assessments:

  • A HITRUST CSF Bridge Assessment object can be created in MyCSF at any time from 60 days prior to the existing HITRUST CSF Certification’s expiration through 30 days after the expiration date of the HITRUST CSF Certification.
  • A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
  • The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
  • HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare providers will be prioritized for QA until further notice.
  • HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment submission is two to three weeks.

HITRUST CSF Bridge Certificate

A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST that is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge Certificate adds value in providing a minimal but reasonable level of assurance that the entity’s scoped control environment is unlikely to have degraded materially since the last validated assessment and by indicating that the entity has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.

Other important considerations related to HITRUST CSF Bridge Certificates:

  • A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
  • A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
  • The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from the new HITRUST CSF Certification’s two-year validity period.

Qualification Requirements

To qualify for a HITRUST CSF Bridge Assessment, assessed entities:

  • Must have an active HITRUST CSF Validated Report with Certification,
  • Are likely to miss their validated assessment submission due-date, and
  • Haven’t missed that due date by greater than 30 days.

Not all entities holding an active HITRUST CSF Certification will need to perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is designed for missed due date scenarios due to an extant emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a HITRUST CSF Bridge Certificate may afford necessary additional time. However, entities should not assume that HITRUST CSF Bridge Certificates will be universally accepted by business partners and regulators demanding continuous HITRUST CSF Certification status. Entities should consult with their stakeholders and relying parties to determine if a HITRUST CSF Bridge Certificate will be accepted while they await receipt of a new HITRUST CSF Validated Report with Certification.

Timeline

HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While HITRUST reserves the right to terminate this option without notice, we intend to make these assessments available through the calendar year 2020.

Organizations interested in undergoing a HITRUST CSF Bridge Assessment should contact their HITRUST Customer Success Manager and a HITRUST Authorized External Assessor.

More Information

Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.

11/18/2020 Update: HITRUST has determined that the bridge assessment option will remain available until further notice. If this option is terminated, an advisory on the removal of this option will be communicated.

HAA 2020-003: Assessment Scoping Factor Enhancements Designed to Reduce the Effort Associated with and Increase the Accuracy of CSF Assessments

Impacted Policy/Program Name

CSF Assurance Program

Date

March 30, 2020

Advisory Type

MyCSF Functionality

Policy/Program Change Details

HITRUST is making the following changes to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments:

  • Adding more than ten additional technical scoping factor questions to better capture inherent risk factors present in the assessed environments and tailor the HITRUST CSF requirements included in assessments accordingly.
  • Re-wording the existing technical scoping factor “Is the system(s) accessible by a Third Party?” to further clarify the definition of a third party.
  • Removing the “Are Mobile devices used in the environment?” technical scoping factor.
  • Adding additional HITRUST CSF requirements to existing technical scoping factors.
  • Adding additional information around certain factors as part of the help page.

Additionally, MyCSF will now require an assessed entity to provide a documented rationale for each technical scoping factor answered “No.” This rationale should contain sufficient detail to allow the External Assessor and HITRUST QA to evaluate the “No” answer. These rationales will also appear in the HITRUST CSF Validated Assessment Report.

Rationale

The changes related to MyCSF’s assessment scoping factors will:

  • Reduce the number of requirement statements that appear in the assessment when a factor is marked as “No.”
  • Reduce the amount of repetitive “This is not applicable because…” responses that are currently documented during assessments and reflected in HITRUST CSF assessment reports. Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.
  • Add clarity around the terminology used in assessment scoping factors.

Timetable for implementation
Effective for all new objects created on or after June 1, 2020.

6/1/20 Update:

  • The changes described in this advisory are now live in MyCSF’s production environment. Twelve newly added technical scoping factor questions (e.g., “Are hardware tokens used as an authentication method within the scoped environment?”) have been introduced.
  • These newly added scoping factor questions only serve to remove / filter requirements from being included in an assessment and do not add any requirements to the assessment. When determining which requirements to include in an assessment object, MyCSF first uses all other scoping information to identify the necessary requirements and THEN removes any requirements associated with the twelve newly added scoping factor questions when these questions are answered as “No”.
  • All HITRUST CSF assessments benefit from these newly added questions. Instead of having to explain why similar requirements aren’t applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor doesn’t apply once (at the scoping level). Because of this change, HITRUST anticipates the number of requirements marked as Not Applicable on assessments to drop considerably. As an added benefit, the speed by which HITRUST’s QA takes place will improve as a result of us needing to review fewer requirements marked as Not Applicable.
  • HITRUST has made these new scoping factor questions available on all assessment objects, including those created before 6/1/20, so that they may optionally benefit from them. The newly added questions default to a visible option of “Please choose an option”, which MyCSF treats as “Yes”. The net effect of defaulting to “Yes” is the same as not having the scoping factors present at all: because these questions are only reductive (never additive), no requirements are added to or removed from any previously created assessment object without action from the assessed entity.
  • Organizations with previously created assessment objects who wish to take advantage of these newly added scoping factors, and have not yet submitted their assessment to HITRUST, are encouraged to visit the “Admin & Scoping > Factors” page, answer the newly added scoping factor questions (providing the required “No” explanations where necessary), and then press the “Refresh Assessment” button. Requirements linked to any questions answered “No” will then be removed from the assessment object.
  • No action is required for Organizations with previously created assessment objects who do not wish to take advantage of these newly added scoping factor questions.

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

  • External assessor’s validated assessment fieldwork window (maximum):
    • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
  • Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
    • 90 calendar days past the control’s implementation or remediation.
  • Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
    • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date to the Internal Assessor’s fieldwork start date.
  • Window during which HITRUST will accept grammatical changes to a draft report:
    • 30 calendar days from issuance of draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
    • 30 calendar days from issuance of draft report.
  • Interim assessment object submission due date:
    • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
  • Validated assessment object submission due date for re-certification efforts:
    • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
  • Duration of MyCSF access for report-only customers:
    • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
  • Validity window for the CCSFP certification:
    • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
  • Validity window for the CHQP certification:
    • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you to keep all stakeholders apprised of the status of your HITRUST efforts.

HAA 2020-001: Waiver Of On-Site Requirement For Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 5, 2020

Advisory Type

Assurance Program Methodology

In light of the recent spread of COVID-19, HITRUST encourages assessors to exercise judgement when planning assessment-related travel. Given that HITRUST assessments take place across the US as well as internationally, we acknowledge that some HITRUST assessments will be affected more than others. Assessors should work closely with their clients to adjust travel plans as deemed necessary. To provide assessors added travel flexibility, HITRUST is waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. This temporary waiver is effective immediately.

In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used.

We will continue to work closely with assessors to monitor the effectiveness of alternative walkthrough and observation approaches and the ongoing necessity of this waiver. An additional advisory will be posted at a later date to reinstate the on-site fieldwork requirement.

Summary of HITRUST Assurance Advisories 2019 (click to expand)

HAA 2019-011: Relying On The Work Of Internal Assessors

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allows “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to place reliance on the work of “Internal Assessors”. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced CCSFPs who are typically positioned within or engaged by an assessed entity’s Internal Audit Department but could be positioned within or engaged by any department meeting specific objectivity requirements, resource qualification requirements, and approval by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency and customer cost savings. This change is expected to bring several benefits to External Assessors and assessed entities. For example:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their External Assessors can be reduced.
  • Internal personnel with deep knowledge of the organization’s internal controls (in groups such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
  • Assessed entities and their External Assessors now have more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

Timetable for Implementation

Effective upon HITRUST’s recognition of an Internal Assessor assigned to an organization.

HAA 2019-010: Updated Documentation Requirements For Relying On Third-Party Reports

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

HITRUST has historically afforded the following two approaches for “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to rely on the results of previously performed control testing:

  1. Inheritance of the results of other HITRUST CSF Assessments, and
  2. Reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope, and documentation requirements. External Assessors are encouraged to take particular note of the following new requirements that must be observed when placing reliance on a third-party audit report:

  • Both the External Assessor and HITRUST Services Corp. must be authorized recipients of the third-party audit report. Reliance cannot be placed on a third-party audit report that either HITRUST or the External Assessor is not authorized to receive.
  • When designing a reliance strategy, the External Assessor must map the applicable / scoped HITRUST CSF requirement statements to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and lacks an adequate, demonstrable basis for reliance on the third-party audit report. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

  • Help highlight any over-reliance or unwarranted reliance on the work of other auditors and External Assessors.
  • Provide needed clarity and transparency around HITRUST’s expectations around timing, scope, and documentation when reliance is placed on the work of others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all required documents were included in the submission. If documents are missing, the submission is reverted back to the assessor for correction. Upon acceptance of a submission, the assessment object is added to the Assurance team’s queue to await full QA procedures. Average acceptance time of the submission process is one to three business days.

HAA 2019-009: Updated Scoring Rubric

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in assessment scoring level determinations, has been overhauled. Key changes include:

  • Definitions for assessment terminology, assessment examples and guidance on important concepts have been added.
  • Scoring lookup tables have been created for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • Replacement of qualitative terms such as none, some, and all with quantitative ranges.
  • Removal of ambiguous terms such as “management action” and “ad hoc”.

Rationale

The rubric has been enhanced to bring improved usability, added clarity, and better harmonization with the assessment guidance provided in HITRUST’s Risk Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at https://hitrustalliance.net/csf-assurance-related-programs/ on or before September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted and accepted on or after December 31, 2019. All validated assessments that are in progress and intend to observe the old scoring rubric must be accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at time of performance of the validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a validated assessment within MyCSF is the first step towards acceptance. After submission, the Assurance team performs certain quality checks; should any of these checks fail, the submission is reverted to the Assessor for remediation. Average acceptance time of a submission to HITRUST is one to three business days.

Since only validated assessments accepted prior to December 31, 2019 will be QA’d by HITRUST in observance of the previous scoring rubric, it is strongly recommended that Assessors work with their customers to ensure submissions in MyCSF are made with enough time to allow for HITRUST acceptance.

HAA 2019-008: Automated Quality Checking Of HITRUST CSF Assessment Objects

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address it, and the option to override / accept the issue with an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

  • Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
  • Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
  • Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

HAA 2019-007: Updated PRISMA Attribute Weights

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA maturity model are changing. The below graphic shows that the Policy weight is being reduced to 15 points, the Procedure weight is being reduced to 20 points, the Implemented weight is being increased to 40 points, the Measured weight is being reduced to 10 points, and the Managed weight is being increased to 15 points.

[Graphic: Advisory-007.png, updated PRISMA attribute weights]

Rationale

These updated weights better reflect the value that each maturity level brings to an organization’s risk management stance. For example, the increased weighting of the Implemented level (which is now worth double any other single level) aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

HAA 2019-006: Extension To The Qualification Requirement For Assessor Quality Assurance (QA) Personnel

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 29, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to submission to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). Only those individuals holding an active Certified CSF Practitioner (CCSFP) certification are eligible to become a CHQP. This course and test will be available online starting in May 2019.

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources certified as CHQPs. All Validated Assessment submissions on or after August 1, 2019 will be required to have a QA review performed by a CHQP as evidenced by sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019 without proper CHQP involvement will be rejected by HITRUST.

This advisory only applies to the timeline for compliance with the Assessor firm QA reviewer qualification requirement. All other advisories will be enforced according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support of HITRUST validated assessments understand the expectations of the role and can demonstrate this understanding by passing the exam. In addition, it ensures that all Engagement Executives have the required knowledge of the HITRUST CSF and HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

HAA 2019-005: Changes Related To Interim Reviews

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim Assessment differs from what has been known as the Interim Review by requiring:

  • Full testing of selected control requirements (INCREASED TESTING REQUIREMENT);
  • Rescoring of the tested control requirements (NEW);
  • Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
  • For assess-only reports, full verification that the recreated assessment matches the assessment used for issuing the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in August of 2017, Interim Assessments will be performed with the HITRUST MyCSF. There will be an Interim Assessment processing fee of $2,900. The processing fee will be waived for organizations that have an active subscription to the HITRUST MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an Interim Assessment and to increase the rigor and oversight by HITRUST, resulting in an increased level of assurance provided by the Interim Assessment and support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

HAA 2019-004: Changes To Further Ensure HITRUST Approved Assessor Quality And Consistency

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about changes to the qualification requirement for Engagement Executives and Assessor Quality Assurance (QA) personnel. It also reiterates the role of the Engagement Lead.

The first change is a requirement for both the Engagement Executive and the Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and either the Engagement Executive or the Quality Assurance Reviewer were required to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST. People in this role will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the CCSFP requirement. Communication will go out once the online course and exam are available.

Attached to this advisory are additional details on the responsibilities of the Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF Assurance Program and are able to perform an effective executive-level review. The requirement for Assessor QA reviewers to complete an online course is to ensure that reviewers understand the expectations of their role and can demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and Engagement Leads

HAA 2019-003: Ensuring Clarity Of Scope Of An Assessment

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, a summary table must be provided that further clarifies what is included and what is not included, so that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

HAA 2019-002: Change Regarding The Number Of Qualified HITRUST Certified CSF Practitioner (CCSFP) Hours For HITRUST CSF Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the assurance process regarding the number of qualified (CCSFP) hours required for validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

HAA 2019-001: Providing Direction For HITRUST Approved Assessor Organizations

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the HITRUST CSF Assurance Program regarding the performance and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following documentation with all validated assessments:

  • Test Plan that covers testing of all required controls. It must meet the minimum test plan requirements documented in the HITRUST CSF Assurance Program Requirements.
  • 100% of working papers. They must meet the minimum working paper requirements documented in the HITRUST CSF Assurance Program Requirements. We have attached a copy of the Assurance Program Documentation Requirements to this advisory.
  • HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and Assessor QA Resource. The Quality Checklist can be found in the HITRUST MyCSF and should always be downloaded from the HITRUST MyCSF to ensure use of the latest version. We have also attached a copy to this advisory.

Rationale

This change is to ensure the consistency and quality of assessment documentation, ensure compliance with the HITRUST Assurance Program requirements, and make the HITRUST QA process more efficient. The HITRUST Authorized External Assessor’s QA process should identify and address most issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

HITRUST CSF Assurance Program Documentation Requirements

HITRUST Authorized External Assessor Quality Checklist

Archives 2017/2016

For more information, contact: support@hitrustalliance.net.

Summary of HITRUST Assurance Advisories 2021 (click to expand)

HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

  • For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
  • For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
  • For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements is being modified:

Maturity Level: Policy

  Current Strength Criteria:
    i. Demonstrably approved by management,
    ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and
    iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements).

  Revised Strength Criteria:
    A documented policy must specify the mandatory nature of the control requirement in a written format, which could reside in a document identified as a policy, standard, directive, handbook, etc.

  Scoring Considerations:
    • A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
    • A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented policy have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure

  Current Strength Criteria:
    i. Demonstrably approved by management,
    ii. Demonstrably communicated to stakeholders,
    iii. Outlines stakeholder responsibilities, and
    iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

  Revised Strength Criteria:
    A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

  Scoring Considerations:
    • A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
    • A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented procedure have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

 

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

Content | CSF Certification Letter with Scope | Stand-alone Certification Letter
Signed Certification Letter from HITRUST | ✓ | ✓*
Assessment Context | ✓ | not included
Scope of Systems in the Assessment | ✓ | not included

*The stand-alone certification letter also notes that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.

Summary of HITRUST Assurance Advisories 2020 (click to expand)

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

  • External assessor’s validated assessment fieldwork window (maximum):
    • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
  • Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
    • 90 calendar days past the control’s implementation or remediation.
  • Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
    • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date to the Internal Assessor’s fieldwork start date.
  • Window during which HITRUST will accept grammatical changes to a draft report:
    • 30 calendar days from issuance of draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
    • 30 calendar days from issuance of draft report.
  • Interim assessment object submission due date:
    • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
  • Validated assessment object submission due date for re-certification efforts:
    • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
  • Duration of MyCSF access for report-only customers:
    • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
  • Validity window for the CCSFP certification:
    • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
  • Validity window for the CHQP certification:
    • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations that request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST; assessed entities and their assessors should not assume that every request will be approved. Organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment are encouraged to keep all stakeholders apprised of the status of their HITRUST efforts.

Summary of HITRUST Assurance Advisories 2019 (click to expand)

HAA 2019-008: Automated Quality Checking Of HITRUST CSF Assessment Objects

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address, the option to override / accept the issue and to provide an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

  • Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
  • Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
  • Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

HAA 2019-003: Ensuring Clarity Of Scope Of An Assessment

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define the assessment boundaries. In addition to the verbose description, assessors must provide a summary table that further clarifies what is included and what is excluded, so that any discrepancy can be resolved unambiguously from the definition. An illustrative example is attached to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

For more information, contact: support@hitrustalliance.net.
