HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

June 2, 2021

Overview
HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period
Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring
Description
In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation
Effective immediately, enforcement of the following requirements are being modified:

Maturity Level

Current Strength Criteria

Revised Strength Criteria

Scoring Considerations

Policy

i. Demonstrably approved by management,

ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and

iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements).

A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.

A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric based on whether the current criteria for an undocumented policy has been met.Coverage would still need to be evaluated to determine the final score, and the scoring considerations for this criteria remain unchanged.

Procedure

i. Demonstrably approved by management,

ii. Demonstrably communicated to stakeholders,

iii. Outlines stakeholder responsibilities, and

iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric based on whether the current criteria for an undocumented procedure has been met.Coverage would still need to be evaluated to determine the final score, and the scoring considerations for this criteria remain unchanged.

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance
Description
HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation
Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

Content	CSF Certification Letter with Scope	Stand-alone Certification Letter
Signed Certification Letter from HITRUST	✓	✓*
Assessment Context	✓
Scope of Systems in the Assessment	✓

*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.

Subscribe to get updates,
news, and industry information.

Subscribe

HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

You may also be interested in:

HAA 2024-002: CSF Version 11.3 Release HAA 2024-002: CSF Version 11.3 Release

HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments

HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8 HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8

Subscribe to get updates,news, and industry information.

Chat Now

HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments

HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8

Subscribe to get updates,
news, and industry information.