Overview
HITRUST continually evaluates necessary changes in MyCSF based on community feedback and internal review. Through this review, HITRUST has identified enhancements to improve the overall assessment process. HITRUST is making the corresponding enhancements to the MyCSF platform which will apply to assessments utilizing HITRUST CSF versions 9.x and later.
Measured and Managed Maturity Level Options
Description
Within HITRUST CSF Validated assessments, scoring of the Measured and Managed maturity levels is not required. If included in the assessment, scoring of the Measured and Managed levels also subjects the assessment to additional QA checks resulting in additional processing time. As a result, HITRUST will update MyCSF to provide Assessed Entities with the ability to optionally remove these levels from their assessments if they do not plan on scoring them. The optional removal of these maturity levels from the assessment should help prevent accidental scoring and streamline data entry into MyCSF.
Implementation
Effective immediately, any newly created HITRUST CSF Validated assessment will require the Assessed Entity to select whether Measured and Managed maturity levels will be evaluated when configuring the assessment. The configuration option will appear within the “Assessment Options” menu and will ask “Will you be scoring Measured and Managed?”.
If “Yes” is selected, then the Measured and Managed maturity levels will be included within each requirement statement for scoring.
If “No” is selected, the Measured and Managed maturity levels will not be available for scoring. When downloading an offline assessment, the Measured and Managed maturity levels will remain in the downloaded Excel file. However, upon uploading the offline assessment, no Measured or Managed scores will be reflected in MyCSF if the option to score these levels was not selected in the “Assessment Options” menu.
Measured Level Independent and Operational Selections
Description
When evidence is attached to a requirement statement supporting a score in the Measured maturity level, the Subscriber must select whether the evidence is related to an “Operational” or “Independent” measure. To simplify the evidence attachment process, this selection will no longer be needed within MyCSF. The Subscriber will only need to select that the evidence applies to the Measured maturity level. It is still expected that the External Assessor will document within the testing results whether the measure was scored as “Operational” or “Independent”.
Implementation
Effective June 24, 2021, any newly created HITRUST CSF assessment will no longer display an option to select whether the evaluated measurement is “Independent” or “Operational”.
For offline assessments, the column in the “Requirement-Document Mapping” tab labeled “Measured: Operational or Independent?” will be renamed to “Maturity Measured Related?” with the only valid responses as “True” or “False”.
For existing assessments that have not yet been submitted to HITRUST for processing, this change can be applied upon request. To do so, email Support requesting the disablement of the Operational and Independent checkboxes for the Measured maturity level and include the following information:
- Organization Name as it appears in MyCSF.
- Assessment Name as it appears in MyCSF.
Scoping Factor Edit Checks
Description
HITRUST CSF assessments will include additional edit checks on the CSF version 9.x scoping factors listed below to avoid inconsistent responses.
- Is the system(s) accessible from the Internet?
- Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
- Is any aspect of the scoped environment hosted on the cloud?
The inconsistent answers were required to be changed during HITRUST’s QA which added additional processing time to certain assessments. This change is being made to avoid the possibility of inconsistent responses to these factors.
Implementation
HITRUST CSF assessments created on or after June 24, 2021, will include additional edit checks for the scoping factors listed below to avoid inconsistent responses. The rules will be applied to the following scoping factor questions:
| Number | Scoping Factor Question | Responses |
| --- | --- | --- |
| 1 | Is the system(s) accessible from the Internet? | If “Yes”, then #2 will automatically be answered as “Yes” |
| 2 | Does the system allow users to access the scoped environment from an external network that is not controlled by the organization? | If “Yes”, then #1 will automatically be answered as “Yes” |
| 3 | Is any aspect of the scoped environment hosted on the cloud? | If “Yes”, then #1 and #2 will automatically be answered as “Yes” |
When the system enforces the rule, the correct answer will be automatically populated and a message in MyCSF will inform the user that this rule was applied.
For any existing assessments where the three identified scoping factors were previously answered, the new rules will not be applied unless one or more of those three responses are updated, at which point the new rules will be applied.
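As an added example (not part of the HITRUST notice and not MyCSF code), the following Python pre-upload check applies the three scoping-factor rules from the table above to an offline response set, reporting each rule that fired the way MyCSF's message does, and also flags Measured or Managed scores that would be dropped on upload when the “Will you be scoring Measured and Managed?” option was answered “No”. The row layout and field names are assumptions; the sample rows are constructed.

```python
"""Pre-upload consistency check for an offline MyCSF assessment (added example)."""
from typing import Dict, List, Tuple

# Implications from the scoping-factor rule table, keyed by question number:
# a "Yes" on the key forces a "Yes" on each listed target.
SCOPING_RULES: Dict[int, Tuple[int, ...]] = {
    1: (2,),    # Internet-accessible          -> external-network access
    2: (1,),    # external-network access      -> Internet-accessible
    3: (1, 2),  # any aspect hosted in the cloud -> both of the above
}


def apply_scoping_rules(responses: Dict[int, str]) -> Tuple[Dict[int, str], List[str]]:
    """Return the corrected responses and one message per rule that was applied.

    Unanswered factors are treated as "No". The loop runs to a fixed point so
    chained implications (e.g. #3 -> #1 -> #2) all resolve in a single pass.
    """
    fixed = {n: responses.get(n, "No") for n in (1, 2, 3)}
    messages: List[str] = []
    changed = True
    while changed:
        changed = False
        for src, targets in SCOPING_RULES.items():
            if fixed[src] != "Yes":
                continue
            for tgt in targets:
                if fixed[tgt] != "Yes":
                    fixed[tgt] = "Yes"
                    messages.append(f"Rule applied: #{src} is Yes, so #{tgt} was set to Yes")
                    changed = True
    return fixed, messages


def find_dropped_scores(rows: List[dict], scoring_measured_managed: bool) -> List[str]:
    """Flag Measured/Managed scores that MyCSF will ignore on upload.

    `rows` is an assumed flattening of the offline workbook: one dict per
    requirement statement with optional "Measured" and "Managed" scores.
    """
    if scoring_measured_managed:
        return []
    return [
        f"{row['id']}: Measured/Managed score present but option not selected; it will be ignored"
        for row in rows
        if row.get("Measured") is not None or row.get("Managed") is not None
    ]


# Constructed sample: cloud-hosted but the other two factors left as "No".
SAMPLE_RESPONSES = {1: "No", 2: "No", 3: "Yes"}
SAMPLE_ROWS = [
    {"id": "REQ-01", "Implemented": 100},
    {"id": "REQ-02", "Implemented": 75, "Measured": 50},
]
```

Running `apply_scoping_rules(SAMPLE_RESPONSES)` sets #1 and #2 to “Yes” and returns two rule messages; `find_dropped_scores(SAMPLE_ROWS, False)` flags REQ-02.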
Additional Resources
Click here for a list of anticipated questions and answers.