HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Written by HITRUST | Mar 15, 2024 5:00:42 AM

Overview 
HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level. 

Policy and Procedure Incubation Period 
Description 

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days. 

Implementation 

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows: 

  • For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements. 
  • For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period. 
  • For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period. 

Policy and Procedure Level Scoring 
Description 
In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level. 

Implementation 
Effective immediately, enforcement of the following requirements is being modified: 

Maturity Level: Policy

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and
  iii. Clearly communicates management’s expectations of the control’s operation (e.g., using “shall”, “will”, or “must” statements).

Revised Strength Criteria:
  A documented policy must specify the mandatory nature of the control requirement in a written format, which could reside in a document identified as a policy, standard, directive, handbook, etc.

Scoring Considerations:
  • A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented policy have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders,
  iii. Outlines stakeholder responsibilities, and
  iv. Discusses operational aspects such as how, when, by whom, and on what the action/control/requirement is to be performed.

Revised Strength Criteria:
  A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

Scoring Considerations:
  • A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented procedure have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

To further clarify this change, please see the examples outlined here. 

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures. 

HITRUST CSF Certification Letter Issuance 
Description 
HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment. 

Implementation 
Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter: 

| Content | CSF Certification Letter with Scope | Stand-alone Certification Letter |
|---|---|---|
| Signed Certification Letter from HITRUST | | * |
| Assessment Context | | |
| Scope of Systems in the Assessment | | |

* The stand-alone certification letter also references that a copy of the certification letter with scope information is available.
