HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

Written by HITRUST | Mar 15, 2024 5:00:51 AM

Overview 
New webforms are being introduced into MyCSF assessments as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts build upon each other: 

The new webforms give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to enter organization and scope information directly into MyCSF; electronically sign key documents; and easily request draft report revisions. 

Benefits of these newly added webforms: 

  • Streamlines MyCSF data entry to prevent redundancy and clarify assessment scope. 
  • Eliminates risk of uploading incomplete offline documents and unreadable scanned images. 
  • Introduces new quality check automation and tool tips that provide real time feedback to help avoid common scoping issues. 
  • Streamlines presentation of scope in a tabular format inclusive of in-scope platforms and facilities. 
  • Clarifies association between platforms and their residing facilities. 
  • Simplifies identification of relevant third-party service providers. 
  • Introduces ability for Assessed Entities to specify draft report revisions and clearly track HITRUST responses to revision requests. 

Summary of Changes 
The introduction of webforms eliminates the need for the Assessed Entity and External Assessor to populate and upload the following offline templates: Organizational Overview & Scope document, Management Representation Letter, Validated Report Agreement, and QA Checklist. 

The Organizational Overview and Scope document will no longer be utilized. The organization and scoping information previously included within the Organizational Overview and Scope document will now be entered into MyCSF via webforms as follows: 

Legacy Organizational Overview & Scope Document Section    Webform
Organization and Industry Segment Overview                 Organization Information
Overview of the Security Organization                      Organization Information
Primary Systems                                            Scope of the Assessment
Outsourced Services                                        Scope of the Assessment
Scope Overview                                             Scope of the Assessment
Scope Description                                          Scope of the Assessment
Third-Party Assessments                                    Audits and Assessments Utilized

The Management Representation Letter, Validated Report Agreement, and QA Checklist are integrated into MyCSF, providing the Assessed Entity and External Assessor the ability to sign the documents electronically. 

Additionally, the draft report revision request form has been updated to include new input fields that allow the Assessed Entity to clearly identify each revision request. 

Organization Information Webform 
The Organization Information section for HITRUST CSF Validated and Readiness assessments has been redesigned to serve as the primary location for entering background information about the Assessed Entity and their security organization, as well as their contact information and mailing address. 

To prevent redundancy, the Organization/Company Background and Overview of the Security Organization (previously provided in both MyCSF and the offline Organizational Overview and Scope document) will now be provided only through completion of the Organizational Information webform in MyCSF. The Organization Information webform contains guidance and tips to aid the Assessed Entity in providing appropriate content for the Organization/Company Background and Overview of the Security Organization fields. 

For more information, see the instructions for completing the Organization Information webform in Pre-Assessment Webforms. To view an example of the Organization Information webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes. 

Scope of the Assessment Webform 
For HITRUST CSF Validated and Readiness assessments, the new Scope of the Assessment section of MyCSF streamlines the existing Systems and Facilities tables into a single webform that is now required to be completed by the Assessed Entity. The webform also includes a section for identifying outsourced service providers in tabular format, which replaces the free text field labeled “List any IT or security services outsourced, and the third party(ies) involved” which was previously included on the Organization Information page. 

Prior to the introduction of webforms, the Assessed Entity was required to identify the in-scope systems, facilities, and outsourced services within the offline Organizational Overview and Scope document, in addition to (optionally) identifying the in-scope systems and facilities within the Systems and Facilities table in MyCSF. For Validated and Readiness Assessments with webforms enabled, the offline Organizational Overview and Scope document will be retired and the new Scope of the Assessment webform will become the primary location for defining the platforms/systems, facilities, and services outsourced for the in-scope environment. 

For more information, see the instructions for completing the Scope of the Assessment webform in Pre-Assessment Webforms. To view an example of the Scope of the Assessment webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes. 

QA Checklist Webform
The QA Checklist for HITRUST CSF Validated Assessments (previously manually signed by the External Assessor’s Engagement Executive and QA Reviewer) has been digitally integrated into MyCSF. 

Prior to signing the QA Checklist webform, the Engagement Executive and QA Reviewer must be assigned by an External Assessor via a drop-down menu on the assessment’s Name & Security page. Each drop-down will contain a list of all External Assessors with access to the assessment. The user making the assignments must select an individual holding a CCSFP certification for Engagement Executive and an individual holding a CHQP certification for QA Reviewer. 

The QA Checklist webform introduces several business rules that eliminate incomplete submissions and errors and reduce the risk of uploading unreadable scanned images. 

  • To ensure that the correct individuals sign each QA Checklist webform item, only assigned Engagement Executives and QA Reviewers can sign the QA Checklist webform. Further, the Engagement Executive and QA Reviewer can only sign those items on the QA Checklist that apply to their role. 
  • MyCSF restricts the ability to sign off on the QA Checklist webform until the Test Plan has been uploaded and the External Assessor Time Sheet has been completed. 
  • MyCSF prevents completion of the assessment’s Performing Validation phase until each item on the QA Checklist webform has been verified by the appropriate individual. For visibility, all External Assessors with access to the assessment will have the ability to view the QA Checklist webform. 

Audits and Assessments Utilized Webform 
The Audits and Assessments Utilized webform is a new, required MyCSF webform for HITRUST CSF Validated Assessments. The Audits and Assessments Utilized webform is completed by the Assessed Entity and External Assessor to document reliance placed on the work of others through either the usage of the external inheritance feature within MyCSF or reliance on third-party attestation reports in support of the validation procedures performed by the External Assessor. This new webform replaces the Third-Party Assessment section of the offline Organizational Overview and Scope document. 

The Audits and Assessments Utilized webform should be used to identify where the External Assessor relied upon a third-party attestation report or used external inheritance during the assessment. For example: 

  • Scenario A: If an in-scope platform is hosted by a public cloud provider and the External Assessor used external inheritance on certain physical security requirements that were the responsibility of the cloud service provider, the cloud service provider’s inherited HITRUST CSF assessment will automatically be identified in this webform. 
  • Scenario B: If a relevant managed IT services provider’s third-party attestation report (e.g., SOC 2 Type II) is relied upon by the External Assessor to reflect the service provider’s performance of one or more HITRUST CSF requirements, the managed IT services provider’s third-party attestation report should be described in this webform. 
  • Scenario C: If the External Assessor directly tests certain requirements owned by the Assessed Entity’s colocation provider instead of using external inheritance or reliance on a third party-issued attestation report, that colocation provider would not need to be discussed in the Audits and Assessments Utilized webform (as no third-party audit or assessment report associated with the colocation provider was used). However, the colocation provider would need to be identified in the Organization Information webform described above. 

The two possible utilization approaches that determine how the Audits and Assessments Utilized webform is populated are Inheritance and Reliance. 

  • Inheritance: When external inheritance is applied to a requirement statement by the Assessed Entity, MyCSF automatically adds the associated HITRUST CSF assessment that was externally inherited and populates that HITRUST CSF assessment’s details into the Audits and Assessments Utilized webform (including the assessment name, type, report date, and assessment domains for which external inheritance was utilized). The External Assessor will be required to complete the assessed organization name field and map the inherited HITRUST CSF assessment to related in-scope platforms and facilities within the Audits and Assessments Utilized webform. 
  • Reliance: For any third-party attestation reports being relied upon, the External Assessor or Assessed Entity (depending on who uploaded the document) must tag the report within the Documents repository or within the requirement statement (if uploading the document within a particular requirement statement) by checking the box labeled “Is this an attestation report issued by a third party?” After tagging the document as an attestation report issued by a third party, the External Assessor or Assessed Entity populates the various report details, including assessed organization, report type, and report dates. The External Assessor or Assessed Entity must then map the utilized third-party attestation report to the related in-scope platforms and facilities within the Audits and Assessments Utilized webform. 

If the offline assessment template is utilized, the External Assessor or Assessed Entity may tag documents as attestation reports issued by a third party by selecting “Yes” in the “Third Party Report?” column within the Documents tab of the offline assessment workbook. After uploading the offline assessment, the External Assessor or Assessed Entity must enter the assessed organization, report type, and report dates within the Audits and Assessments Utilized webform. Finally, the External Assessor or Assessed Entity must map the utilized third-party attestation report to the in-scope Platforms and Facilities that are supported by the relied-upon assessment within the Audits and Assessments Utilized webform. 

For more detailed instructions, see Audits and Assessments Utilized Webform. To view an example of the Audits and Assessments Utilized webform in the HITRUST CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes. 

Management Representation Letter Webform 
The Management Representation Letter (Rep Letter) for HITRUST CSF Validated and Readiness Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow. 

The Rep Letter webform in MyCSF is completed by the Assessed Entity after the External Assessor team’s fieldwork period has ended and the External Assessor Timesheet has been completed. The Assessed Entity completes the Rep Letter webform by: 

  • Setting the Rep Letter date on or within two weeks following the end date of the External Assessor’s fieldwork period on the External Assessor Time Sheet. 
  • Entering the name, job title, and email address of the individual who will sign the Rep Letter. 
  • Uploading the organization’s logo. 

Once the webform is complete, a request to electronically sign the Rep Letter is sent to the designated management representative for signature via electronic signature workflow. The signer of the Rep Letter may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. Once signed, the Rep Letter will automatically be loaded into MyCSF and emailed to the individual who signed it. 

Validated Report Agreement Webform 
The Validated Report Agreement (VRA) for HITRUST CSF Validated Assessments (previously signed offline by the Assessed Entity and manually uploaded to MyCSF) will now be completed through MyCSF using an electronic signature workflow. 

The VRA webform can be completed by the Assessed Entity at any time, and in any phase, prior to submitting the assessment to HITRUST. The Assessed Entity completes the VRA webform by: 

  • Entering the name, job title, and email address of the individual who will sign the VRA. 
  • Entering the address of the organization. 

Once the webform is populated with the required information, a request to electronically sign the VRA is sent to the designated individual. The signer of the VRA may be any designated individual from the Assessed Entity’s organization and is not required to have a MyCSF account. After being signed by the Assessed Entity, the VRA is automatically routed to HITRUST for electronic signature. The Assessed Entity and External Assessor should allow up to one business day for the VRA to be signed by HITRUST. The Assessed Entity may contact their HITRUST Customer Success Manager or the Sales team with any questions related to signing of the VRA. 

Once signed by both parties, the VRA will automatically be loaded into MyCSF (within one hour) and emailed to the individuals who signed it. At that time, a green checkmark will appear next to the link to the Validated Report Agreement on the left navigation bar of MyCSF to indicate that the agreement has been fully signed. 

MyCSF requires that the VRA is signed by both parties — the Assessed Entity and HITRUST — prior to the assessment being submitted to HITRUST. For that reason, ensure that the VRA is sent for signature with enough time for both parties to sign the agreement prior to the assessment’s planned submission date. 

Draft Report Revision Request Webform 
The process to submit and manage draft report revision requests for HITRUST CSF Validated and Readiness Assessments has been transformed into an interactive process using webforms. The updated Revision Request webform includes new input fields that allow the Assessed Entity to clearly identify each revision request. For each revision request, the Assessed Entity must indicate: 

  • Location of the requested revision identified by the report, section, and page number. 
  • Current text present in the report to be revised. 
  • Proposed text for the revision. 

After adding all revision requests to the webform, the Assessed Entity submits the requests to HITRUST. As the HITRUST QA Analyst reviews each revision request, the status of each request will be identified as Not Started, Completed, or Not Accepted. For any requests Not Accepted by HITRUST, the QA Analyst will provide an explanation within the “Rationale” section of the webform. 

Once HITRUST addresses all revision requests, the Assessed Entity is notified and may either request additional revisions or approve the draft report via the “Approve HITRUST CSF Draft Report” button. The approval process in MyCSF has not changed. 

For more detailed instructions, see Draft Report Revision Requests. 

Implementation 
HITRUST CSF Validated Assessments 
All updates discussed above will be automatically enabled for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all the following criteria on February 15, 2022: 

  • Assessment has not previously been submitted to HITRUST. 
  • Assessment is in the Not Started or Answering Assessment state. 
  • No Assessment Domains have been submitted to the External Assessor for review. 

HITRUST CSF Readiness Assessments 
Updates to the Organization Information, Scope of the Assessment, Representation Letter, and Draft Report Revision Requests will be automatically enabled for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all the following criteria on February 15, 2022: 

  • Assessment has never been submitted to HITRUST. 
  • Assessment is in the Not Started or Answering Assessment state. 

HITRUST CSF Interim and Bridge Assessments 
The new webforms do not impact Interim and Bridge assessments. 

Additional Resources 
FAQs: Webforms 
Pre-Assessment Webforms 
Audits and Assessments Utilized Webform 
Draft Report Revision Requests