Overview
HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.
Policy and Procedure Incubation Period
Description
The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.
Implementation
The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:
- For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
- For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
- For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.
Policy and Procedure Level Scoring
Description
In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.
Implementation
Effective immediately, enforcement of the following requirements is being modified:

| Maturity Level | Current Strength Criteria | Revised Strength Criteria | Scoring Considerations |
| --- | --- | --- | --- |
| Policy | i. Demonstrably approved by management, ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements). | A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc. | |
| Procedure | i. Demonstrably approved by management, ii. Demonstrably communicated to stakeholders, iii. Outlines stakeholder responsibilities, and iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed. | A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement. | |
To further clarify this change, please see the examples outlined here.
For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.
HITRUST CSF Certification Letter Issuance
Description
HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.
Implementation
Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:
| Content | CSF Certification Letter with Scope | Stand-alone Certification Letter |
| --- | --- | --- |
| Signed Certification Letter from HITRUST | ✓ | ✓* |
| Assessment Context | ✓ | |
| Scope of Systems in the Assessment | ✓ | |
*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.
Additional Resources
Click here for a list of anticipated questions and answers.