Overview 
A new Assessment Workflow is being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other: 

The new Assessment Workflows for HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments replace the legacy assessment “states” with new “phases” that are designed to: 

  • Clarify the steps required to complete assessments and obtain final reports, interim letters, and bridge certificates. 
  • Clearly define ownership of each phase of an assessment. 
  • Provide improved transparency into the status of an assessment. 
  • Reduce reversions of the assessment during the workflow through the resequencing of phases. 
  • Standardize the phase names across HITRUST CSF Validated, Readiness, Interim, and Bridge assessment workflows. 

New HITRUST CSF Validated Assessment Workflow
The new Assessment Workflow for HITRUST CSF Validated Assessments is comprised of 16 workflow phases. The diagram below displays the 16 workflow phases, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states. As shown in the diagram below, each phase maps to a legacy workflow state. However, the phases are more granularly defined to increase the transparency regarding assessment status and the remaining items needed to reach the next phase. The phases do not add steps to the process, but rather clarify the steps that should be performed by each party as part of the assessment process. 

Throughout the process of completing a Validated Assessment, the Assessed Entity and External Assessor may view the status of the assessment at any time on a Kanban-style dashboard which tracks the Validated Assessment as it moves through each phase of the workflow. HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards describes several status dashboards being introduced as part of this suite of enhancements.

[Image: workflow diagrams]
 

The table below summarizes each phase of the workflow. The Summary of Key Changes column highlights certain changes but is not a comprehensive list of changes. For a detailed description of each phase and the comprehensive list of changes, see New Validated Assessment Workflow and Notifications or click on the phase name within the table.

| # | Phase Name | Description | Summary of Key Changes |
|---|---|---|---|
| 1 | Answering Pre-Assessment | The Assessed Entity is responsible for completing each pre-assessment section: Name & Security, Organization Information, Assessment Options, Scope of the Assessment, and Factors. | • The offline Organizational Overview and Scope document will be retired. (HAA 2021-009) • The redesigned Organization Information webform and new Scope of the Assessment webform will serve as the primary location for capturing background information about the Assessed Entity and their security organization and for defining the platforms/systems, facilities, and services outsourced for the in-scope environment. (Pre-Assessment Webforms) |
| 2 | Answering Assessment | The Assessed Entity scores their assessment and addresses any triggered potential quality issues (PQIs). The Assessed Entity should also make a QA Reservation and complete the Validated Report Agreement webform. | The Validated Report Agreement will now be completed through MyCSF using an electronic signature workflow. (HAA 2021-009) |
| 3 | Performing Validation | The External Assessor reviews and approves each pre-assessment section, reviews requirement statement scoring, links relevant documentation, and addresses any triggered potential quality issues (PQIs). The External Assessor also completes the Test Plan, Audits and Assessments Utilized Webform, External Assessor Time Sheet and the QA Checklist. | • The External Assessor will now be required to review and approve each pre-assessment section prior to performing validation of the Assessed Entity’s scoring of the assessment. (Pre-Assessment Webforms) • The External Assessor will now assign their Engagement Executive and QA Reviewer on the assessment’s Name & Security page. (HAA 2021-009) • The QA Checklist that was previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer has been digitally integrated into MyCSF. (HAA 2021-009) • The Audits and Assessments Utilized webform will be used to document reliance placed on the work of others, through either the usage of the external inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. (Audits & Assessments Utilized Webform) |
| 4 | Inputting CAPs and Signing Rep Letter | The Assessed Entity enters all required CAPs and signs the Management Representation Letter. | |
| 5 | Reviewing CAPs | The External Assessor reviews the required CAP(s) for specificity, clarity, spelling, grammar and the ability of the Assessed Entity to demonstrate progress against the CAP. | The External Assessor will now be required to review and approve all required CAPs prior to the submission of the assessment to HITRUST. (CAP Review) |
| 6 | Performing Check-In | HITRUST performs automated QA checks and a high-level review of the assessment and accompanying required documents and webforms. | The new workflow phases of Performing Check-In, Addressing Check-in Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Assessment Submitted to HITRUST state. |
| 7 | Addressing Check-In Tasks | The Assessed Entity and External Assessor address the tasks opened by HITRUST during check-in. | If HITRUST’s check-in review identifies a small number of potential issues, rather than reverting the assessment back to the External Assessor, HITRUST will open tasks and the assessment will enter the Addressing Check-In Tasks phase. (HAA 2021-010) |
| 8 | Reviewing Pending Check-In Tasks | HITRUST reviews the tasks addressed by the Assessed Entity and External Assessor. | HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010) |
| 9 | Pending Quality Assurance | The assessment is awaiting the HITRUST QA review to begin during the reserved QA block. | The Pending Quality Assurance phase is introduced to provide transparency into the period between the assessment being accepted by HITRUST and the QA review starting during the reserved QA block. |
| 10 | Performing QA | The QA Analyst reviews the Pre-Assessment, Required Documents and Webforms, Core QA, Not Applicable Rationales, Measured and Managed Scores, CAPs, and Overridden PQIs. | Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. (HAA 2021-010) |
| 11 | Addressing QA Tasks | The Assessed Entity and External Assessor address the tasks opened by HITRUST during QA. | • The Assessed Entity and External Assessor address HITRUST’s QA questions through tasks. (HAA 2021-010) • If the action taken to address a task adds additional requirement statements or required CAPs to the assessment, the requirement statements must be scored or the CAPs entered by the Assessed Entity and validated by the External Assessor during QA. (HAA 2021-010) |
| 12 | Reviewing Pending QA Tasks | The QA Analyst reviews the tasks addressed by the Assessed Entity and External Assessor. | HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010) |
| 13 | Preparing and Reviewing Deliverables | HITRUST prepares and reviews the draft reports. | The HITRUST CSF Validated Report format has been updated to streamline the presentation of information, more clearly present assessment scope, and accommodate changes to format of organization and scoping information webforms. (HAA 2021-011) |
| 14 | Reviewing Draft Deliverables | The Assessed Entity reviews the draft reports. | An updated Revision Request webform includes new input fields which allow the Assessed Entity to clearly identify each revision request. (Draft Report Revision Requests) |
| 15 | Revising Draft | HITRUST either processes the Assessed Entity’s revision requests or prepares the final reports. | As the QA Analyst reviews each revision request, the status of each request is identified as Not Started, Completed, or Not Accepted by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an explanation within the “Rationale” section of the webform. (HAA 2021-009) |
| 16 | Complete | The Assessed Entity and External Assessor may access the final reports. | No changes; the Complete phase is equivalent to the legacy Final Report Posted state. |

  

New HITRUST CSF Interim and Bridge Assessment Workflow 
The new assessment workflow for HITRUST CSF Interim and Bridge Assessments features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Interim and Bridge assessments, including the primary owner(s) of each phase, as well as a comparison to the legacy workflow states. 

[Image: workflow diagram]

The table below summarizes each phase of the workflow. For a detailed description of each phase, see New Interim and Bridge Assessment Workflow and Notifications or click the phase name within the table.

| # | Phase Name | Description | Summary of Key Changes |
|---|---|---|---|
| 1 | Performing Validation | The External Assessor reviews requirement statement scoring, links relevant documentation, and addresses any triggered potential quality issues (PQIs). | No changes; the Performing Validation phase is equivalent to the legacy Undergoing Interim and Undergoing Bridge Assessment phases. |
| 2 | Performing Check-in | HITRUST performs automated QA checks and a high-level review of the assessment. | The new workflow phases of Performing Check-In, Addressing Check-in Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Interim Submitted and Bridge Assessment Submitted states. (HAA 2021-010) |
| 3 | Addressing Check-In Tasks | The Assessed Entity and External Assessor address the tasks opened by HITRUST during check-in. | If questions arise during the check-in review, HITRUST will open Check-In Tasks within the assessment for the External Assessor and/or Assessed Entity to address prior to the assessment being accepted by HITRUST. (HAA 2021-010) |
| 4 | Reviewing Pending Check-In Tasks | HITRUST reviews the tasks addressed by the Assessed Entity and External Assessor. | HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010) |
| 5 | Pending Quality Assurance | The assessment is awaiting the HITRUST QA review to begin. | The Pending Quality Assurance phase is introduced to provide transparency into the period between the assessment being accepted by HITRUST and the QA review being completed. |
| 6 | Performing QA | The QA Analyst performs the QA review of the assessment. | Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. (HAA 2021-010) |
| 7 | Addressing QA Tasks | The Assessed Entity and External Assessor address the tasks opened by HITRUST during QA. | The Assessed Entity and External Assessor address HITRUST’s QA questions through tasks. (HAA 2021-010) |
| 8 | Reviewing Pending QA Tasks | The QA Analyst reviews the tasks addressed by the Assessed Entity and External Assessor. | HITRUST closes all tasks that have been resolved by the Assessed Entity and External Assessor and sends any tasks requiring additional attention back to the External Assessor with additional comments or instructions. (HAA 2021-010) |
| 9 | Preparing and Reviewing Deliverables | HITRUST prepares and reviews the Interim Letter or Bridge Certificate. | No changes; the Preparing and Reviewing Deliverables phase is equivalent to the legacy Interim Review Complete and Bridge Review Complete phases. |
| 10 | Complete | The Assessed Entity and External Assessor may access the Interim Letter or Bridge Certificate. | No changes; the Complete phase is equivalent to the legacy Interim Report Posted and Bridge Certificate Posted states. |

 

New Readiness Assessment Workflow 
The new assessment workflow for HITRUST CSF Readiness Assessments submitted for reporting features a subset of the phases present in the workflow observed on HITRUST CSF Validated Assessments. The diagram below displays the new workflow for Readiness assessments, including the primary owner of each phase, as well as a comparison to the legacy workflow states. 

[Image: workflow diagram 3]

 

The table below summarizes each phase of the workflow. For a detailed description of each phase, see New Readiness Assessment Workflow and Notifications or click the phase name within the table.

 

| # | Phase Name | Description | Summary of Key Changes |
|---|---|---|---|
| 1 | Answering Pre-Assessment | The Assessed Entity is responsible for completing each pre-assessment section: Name & Security, Organization Information, Assessment Options, Scope of the Assessment, and Factors. | The redesigned Organization Information webform and new Scope of the Assessment webform will serve as the primary location for capturing background information about the Assessed Entity and their security organization and for defining the platforms/systems, facilities, and services outsourced for the in-scope environment. (Pre-Assessment Webforms) |
| 2 | Answering Assessment | The Assessed Entity scores their assessment and addresses any triggered potential quality issues (PQIs). The Assessed Entity should also make a QA Reservation and complete the Validated Report Agreement webform. | The Management Representation Letter will now be completed through MyCSF using an electronic signature workflow. (HAA 2021-009) |
| 3 | Performing Check-In | HITRUST reviews the Management Representation Letter. | The new workflow phases of Performing Check-In, Addressing Check-in Tasks, and Reviewing Pending Check-In Tasks are introduced to provide transparency into the check-in process that previously occurred within the legacy Assessment Submitted to HITRUST state. |
| 4 | Addressing Check-In Tasks | The Assessed Entity addresses the task opened by HITRUST during check-in. | If HITRUST’s check-in review identifies an issue with the Management Representation Letter, HITRUST will open a task and the assessment will enter the Addressing Check-In Tasks phase. (HAA 2021-010) |
| 5 | Reviewing Pending Check-In Tasks | HITRUST reviews the task addressed by the Assessed Entity. | HITRUST closes the task if it has been resolved. If the task requires additional attention, HITRUST sends the task back to the Assessed Entity with comments or instructions, and the assessment returns to the Addressing Pending Check-In Tasks phase. (HAA 2021-010) |
| 6 | Preparing and Reviewing Deliverables | HITRUST prepares and reviews the draft report. | The HITRUST CSF Validated Report format has been updated to streamline the presentation of information. (HAA 2021-011) |
| 7 | Reviewing Draft Deliverables | The Assessed Entity reviews the draft report. | An updated Revision Request webform includes new input fields which allow the Assessed Entity to clearly identify each revision request. (Draft Report Revision Requests) |
| 8 | Revising Draft | HITRUST either processes the Assessed Entity’s revision requests or prepares the final report. | As the QA Analyst reviews each revision request, the status of each request is identified as Not Started, Completed, or Not Accepted by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an explanation within the “Rationale” section of the webform. (HAA 2021-009) |
| 9 | Complete | The Assessed Entity may access the final report. | No changes; the Complete phase is equivalent to the legacy Final Report Posted state. |

 Implementation 

HITRUST CSF Validated Assessments
This suite of enhancements to MyCSF will be implemented automatically for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments that meet all of the following criteria on February 15, 2022: 

  • The assessment has not previously been submitted to HITRUST. 
  • The assessment is in the Not Started or Answering Assessment state. 
  • No assessment domains have been submitted to the External Assessor for review.  

HITRUST CSF Interim and Bridge Assessments 
This suite of enhancements to MyCSF will be implemented automatically for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge Assessments created prior to February 15, 2022, will not be affected. 

HITRUST CSF Readiness Assessments 
This suite of enhancements to MyCSF will be implemented automatically for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments that meet all the following criteria on February 15, 2022: 

  • Assessment has never been submitted to HITRUST. 
  • Assessment is in the Not Started or Answering Assessment state. 

Additional Resources 
FAQs: New Assessment Workflows 
New Validated Assessment Workflow and Notifications 
New Interim and Bridge Assessment Workflows and Notifications 
New Readiness Assessment Workflow and Notifications

 
