Overview
New webforms are being introduced into MyCSF assessments as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts build upon each other:
The new webforms give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to enter organization and scope information directly into MyCSF; electronically sign key documents; and easily request draft report revisions.
Benefits of these newly added webforms:
Summary of Changes
The introduction of webforms eliminates the need for the Assessed Entity and External Assessor to populate and upload the following offline templates: Organizational Overview & Scope document, Management Representation Letter, Validated Report Agreement, and QA Checklist.
The Organizational Overview and Scope document will no longer be utilized. The organization and scoping information previously included within the Organizational Overview and Scope document will now be entered into MyCSF via webforms as follows:
| Legacy Organizational Overview & Scope Document Sections | Webform |
|---|---|
| Organization and Industry Segment Overview; Overview of the Security Organization | Organization Information |
| Primary Systems; Outsourced Services; Scope Overview; Scope Description | Scope of the Assessment |
| Third-Party Assessments | Audits and Assessments Utilized |
The Management Representation Letter, Validated Report Agreement, and QA Checklist are integrated into MyCSF, providing the Assessed Entity and External Assessor the ability to sign the documents electronically.
Additionally, the draft report revision request form has been updated to include new input fields that allow the Assessed Entity to clearly identify each revision request.
Organization Information Webform
The Organization Information section for HITRUST CSF Validated and Readiness assessments has been redesigned to serve as the primary location for entering background information about the Assessed Entity and their security organization, as well as their contact information and mailing address.
To prevent redundancy, the Organization/Company Background and Overview of the Security Organization (previously provided in both MyCSF and the offline Organizational Overview and Scope document) will now be provided only through completion of the Organizational Information webform in MyCSF. The Organization Information webform contains guidance and tips to aid the Assessed Entity in providing appropriate content for the Organization/Company Background and Overview of the Security Organization fields.
For more information, see the instructions for completing the Organization Information webform in Pre-Assessment Webforms. To view an example of the Organization Information webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.
Scope of the Assessment Webform
For HITRUST CSF Validated and Readiness assessments, the new Scope of the Assessment section of MyCSF streamlines the existing Systems and Facilities tables into a single webform that the Assessed Entity is now required to complete. The webform also includes a section for identifying outsourced service providers in tabular format, replacing the free-text field labeled “List any IT or security services outsourced, and the third party(ies) involved” that was previously included on the Organization Information page.
Prior to the introduction of webforms, the Assessed Entity was required to identify the in-scope systems, facilities, and outsourced services within the offline Organizational Overview and Scope document, in addition to (optionally) identifying the in-scope systems and facilities within the Systems and Facilities table in MyCSF. For Validated and Readiness Assessments with webforms enabled, the offline Organizational Overview and Scope document will be retired and the new Scope of the Assessment webform will become the primary location for defining the platforms/systems, facilities, and services outsourced for the in-scope environment.
For more information, see the instructions for completing the Scope of the Assessment webform in Pre-Assessment Webforms. To view an example of the Scope of the Assessment webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.
QA Checklist Webform
The QA Checklist for HITRUST CSF Validated Assessments (previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer) has been digitally integrated into MyCSF.
Prior to signing the QA Checklist webform, the Engagement Executive and QA Reviewer must be assigned by an External Assessor via a drop-down menu on the assessment’s Name & Security page. Each drop-down will contain a list of all External Assessors with access to the assessment. The user making the assignments must select an individual holding a CCSFP certification for Engagement Executive and an individual holding a CHQP certification for QA Reviewer.
The QA Checklist webform introduces several business rules that eliminate incomplete submissions and errors and reduce the risk of uploading unreadable scanned images.
Audits and Assessments Utilized Webform
The Audits and Assessments Utilized webform is a new, required MyCSF webform for HITRUST CSF Validated Assessments. It is completed by the Assessed Entity and External Assessor to document reliance placed on the work of others, either through use of the external inheritance feature within MyCSF or through reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. This new webform replaces the Third-Party Assessment section of the offline Organizational Overview and Scope document.
The Audits and Assessments Utilized webform should be used to identify where the External Assessor relied upon a third-party attestation report or used external inheritance during the assessment. For example:
The two possible utilization approaches that determine how the Audits and Assessments Utilized webform is populated are Inheritance and Reliance.
If the offline assessment template is utilized, the External Assessor or Assessed Entity may tag documents as attestation reports issued by a third party by selecting “Yes” in the “Third Party Report?” column within the Documents tab of the offline assessment workbook. After uploading the offline assessment, the External Assessor or Assessed Entity must enter the assessed organization, report type, and report dates within the Audits and Assessments Utilized webform. Finally, the External Assessor or Assessed Entity must map the utilized third-party attestation report to the in-scope Platforms and Facilities that are supported by the relied-upon assessment within the Audits and Assessments Utilized webform.
For more detailed instructions, see Audits and Assessments Utilized Webform. To view an example of the Audits and Assessments Utilized webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes.
Management Representation Letter Webform
The Management Representation Letter (Rep Letter) for HITRUST CSF Validated and Readiness Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.
The Rep Letter webform in MyCSF is completed by the Assessed Entity after the External Assessor team’s fieldwork period has ended and the External Assessor Timesheet has been completed. The Assessed Entity completes the Rep Letter webform by:
Once the webform is complete, a request to electronically sign the Rep Letter is sent to the designated management representative for signature via electronic signature workflow. The signer of the Rep Letter may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. Once signed, the Rep Letter will automatically be loaded into MyCSF and emailed to the individual who signed it.
Validated Report Agreement Webform
The Validated Report Agreement (VRA) for HITRUST CSF Validated Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow.
The VRA webform can be completed by the Assessed Entity at any time, and in any phase, prior to submitting the assessment to HITRUST. The Assessed Entity completes the VRA webform by:
Once the webform is populated with the required information, a request to electronically sign the VRA is sent to the designated individual. The signer of the VRA may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. After being signed by the Assessed Entity, the VRA is automatically routed to HITRUST for electronic signature. The Assessed Entity and External Assessor should allow up to one business day for the VRA to be signed by HITRUST. The Assessed Entity may contact their HITRUST Customer Success Manager or the Sales team with any questions related to signing of the VRA.
Once signed by both parties, the VRA will automatically be loaded into MyCSF (within one hour) and emailed to the individuals who signed it. At that time, a green checkmark will appear next to the link to the Validated Report Agreement on the left navigation bar of MyCSF to indicate that the agreement has been fully signed.
MyCSF requires that the VRA is signed by both parties — the Assessed Entity and HITRUST — prior to the assessment being submitted to HITRUST. For that reason, ensure that the VRA is sent for signature with enough time for both parties to sign the agreement prior to the assessment’s planned submission date.
Draft Report Revision Request Webform
The process to submit and manage draft report revision requests for HITRUST CSF Validated and Readiness Assessments has been transformed into an interactive process using webforms. The updated Revision Request webform includes new input fields that allow the Assessed Entity to clearly identify each revision request. For each revision request, the Assessed Entity must indicate:
After adding all revision requests to the webform, the Assessed Entity submits the requests to HITRUST. As the HITRUST QA Analyst reviews each revision request, the status of each request will be identified as Not Started, Completed, or Not Accepted. For any requests Not Accepted by HITRUST, the QA Analyst will provide an explanation within the “Rationale” section of the webform.
Once HITRUST addresses all revision requests, the Assessed Entity is notified and may either request additional revisions or approve the draft report via the “Approve HITRUST CSF Draft Report” button. The approval process in MyCSF has not changed.
For more detailed instructions, see Draft Report Revision Requests.
Implementation
HITRUST CSF Validated Assessments
All updates discussed above will be automatically enabled for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all the following criteria on February 15, 2022:
HITRUST CSF Readiness Assessments
Updates to the Organization Information, Scope of the Assessment, Representation Letter, and Draft Report Revision Requests will be automatically enabled for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all the following criteria on February 15, 2022:
HITRUST CSF Interim and Bridge Assessments
The new webforms do not impact Interim and Bridge assessments.
Additional Resources
FAQs: Webforms
Pre-Assessment Webforms
Audits and Assessments Utilized Webform
Draft Report Revision Requests