HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Written by HITRUST | Mar 15, 2024 5:00:48 AM

Overview
Several changes have been introduced to the contents and format of the CSF Validated Assessment Reports and Readiness Assessment Report in order to:

Streamline the presentation of information.
More clearly present assessment scope.
Accommodate changes to format of organization and scoping information introduced in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms.

The changes to the HITRUST CSF Validated Assessment and Readiness Assessment Reports are being introduced as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other:

HITRUST CSF Validated Assessment Report
The updates to the HITRUST CSF Validated Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Report to view a sample report.

Legacy Report Section	New Report Section	Summary of Change(s)
1. HITRUST Background	1. HITRUST Background	No changes
2. Letter of Certification or Validation	2. Letter of Certification or Validation	No changes
3. Representation Letter from Management	3. Representation Letter from Management	No changes
4. Assessment Context	4. Assessment Context	This section has been streamlined with certain content being removed. See Assessment Context below for more details.
5. Scope of Systems in the Assessment	5. Scope of Systems in the Assessment	The format of scope information has been updated for clarity. The Overview of the Security Organization from the legacy section “6. Security Program Analysis” is now included in section “5. Scope of the Assessment”. See Scope of the Assessment below for more details.
6. Security Program Analysis	None	Section removed. See Removal of Security Program Analysis below for more details.
None	6. Procedures Performed by the External Assessor	This new section describes the procedures performed by the External Assessor and outlines any instances in which the External Assessor has relied upon the work of others through Inheritance or Reliance. See Procedures Performed by External Assessor below for more details.
7. Assessment Results	7. Assessment Results	No changes
8. PRISMA Control Maturity Model Overview	8. PRISMA Control Maturity Model Overview	No changes
8. PRISMA Control Maturity Model Overview	8. PRISMA Control Maturity Model Overview	No changes
9. Controls by Assessment Domain	9. Controls by Assessment Domain	No changes
Appendix A – Testing Summary	None	Section removed. See Removal of Appendix A – Testing Summary below for more details.
Appendix B – Corrective Action Plans Required for Certification	Appendix A – Corrective Action Plans Required for Certification	No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”.
Appendix C – Additional Gaps Identified	Appendix B – Additional Gaps Identified	No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”.
Appendix D – Assessment Results	Appendix C – Assessment Results	No changes have been made to the content or format of this section. The section name has been updated due to the removal of the legacy section, “Appendix A – Testing Summary”.

HITRUST CSF Validated Assessment Letter with Scope
The updates to the HITRUST CSF Validated Assessment Letter with Scope are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Validated Assessment Letter with Scope to view a sample report.

Legacy Report Section	New Report Section	Summary of Change(s)
Letter of Certification or Validation	Letter of Certification or Validation	No changes
Assessment Context	Assessment Context	This section has been streamlined with certain content being removed. See Assessment Context below for more details.
Scope of Systems in the Assessment	Scope of the Assessment	The format of scope information has been updated for clarity. See Scope of the Assessment below for more details.

HITRUST CSF Readiness Assessment Report
The updates to the HITRUST CSF Readiness Assessment Report are summarized in this table and detailed in the following sections. See Sample – HITRUST CSF Readiness Assessment Report to view a sample report.

Legacy Report Section	New Report Section	Summary of Change(s)
1. HITRUST Background	1. HITRUST Background	No changes
2. Letter of Readiness Assessment	2. Letter of Readiness Assessment	No changes
3. Representation Letter from Management	3. Representation Letter from Management	No changes
4. Assessment Context	4. Assessment Context	This section has been streamlined with certain content being removed. See Assessment Context below for more details.
5. PRISMA Control Maturity Model Overview	5. PRISMA Control Maturity Model Overview	No changes
6. Controls by Assessment Domain	9. Controls by Assessment Domain	No changes
Appendix A – Corrective Action Plans Required for Certification	Appendix A – Corrective Action Plans Required for Certification	No changes
Appendix B – Additional Gaps Identified	Appendix B – Additional Gaps Identified	No changes

Assessment Context
The Assessment Context section of the HITRUST CSF Validated Assessment Report, HITRUST CSF Validated Assessment Letter with Scope, and HITRUST CSF Readiness Assessment Report has been updated to remove the following content:

Organization Name and Mailing Address have been removed because this information is also included in the Letter of Certification or Validation section of the reports and letter.
Contact Name, Job Title, and Email Address have been removed as relying parties typically already have a point of contact at the Assessed Entity.
Company Background has been removed because this information is already included in the Scope of Systems in the Assessment section.
Number of Employees has been removed because it was not a tailoring question to derive the Assessed Entity’s customized set of HITRUST CSF requirements.

Scope of the Assessment

The Scope of Systems in the Assessment section of the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope has been redesigned to communicate the scope of the assessment more clearly. The updates to this section also reflect the introduction of Webforms, which replaced the legacy Organizational Overview and Scope document. For more information related to the Organization Information and Scope of the Assessment Webforms, see HAA 2021-009: HITRUST MyCSF Enhancements – Webforms.

The Scope of Systems in the Assessment section now contains the following subsections:

Company Background: The Company Background is populated with the contents of the Organization/Company Background field of the Organization Information Webform within MyCSF. This section may include information that would have previously been included within the legacy Organization and Industry Segment Overview and Services / Products Provided subsections.
In-scope Platforms and Facilities: The In-scope Platforms and Facilities is populated with the contents of the Platforms/Systems table and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the in-scope platforms/systems that would have previously been included within the legacy Scope Overview subsection.
Services Outsourced: The Services Outsourced is populated with the contents of the Services Outsourced for In Scope Platforms and Facilities table of the Scope of the Assessment Webform within MyCSF. This section displays the same information as the legacy Services Outsourced subsection, but in a tabular format for clarity.
Overview of the Security Organization: The Overview of the Security Organization is populated with the contents of the field of the same name in Organization Information Webform within MyCSF. This section includes information that would have previously been included within the legacy HITRUST CSF Validated Assessment Report section Security Program Analysis.

The subsections of the legacy Scope of Systems in the Assessment section that have been removed from the HITRUST CSF Validated Assessment Report and HITRUST CSF Validated Assessment Letter with Scope are:

Primary Systems: The Primary Systems subsection has been removed because this information now appears in the In-scope Platforms and Facilities subsection.

Scope Diagram: The optional Scope Diagram has been removed because the information typically displayed in the diagram will now be included in the In-Scope Platforms and Facilities subsection.

Removal of Security Program Analysis
The legacy Security Program Analysis section of the HITRUST CSF Validated Assessment Report has been removed. The subsections of the legacy Security Program Analysis section have been moved to other sections of the report or removed as follows:

Overview of the Security Organization: The Overview of the Security Organization has been moved to the Scope of the Assessment section.
Types of Security Tools Deployed: The list of security tools deployed has been removed from the HITRUST CSF Validated Assessment Report as it is not necessary to readers of the report.
Third-Party Assessments: Any attestation reports issued by a third-party that are utilized during the External Assessor’s validation procedures through external inheritance or reliance are now captured in MyCSF within the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms). The contents of that webform are included in the new Procedures Performed by the External Assessor section of the HITRUST CSF Validated Assessment Report.

Procedures Performed by the External Assessor
The Procedures Performed by the External Assessor section has been added to the HITRUST CSF Validated Assessment Report. This section contains a description of the procedures performed by the External Assessor to validate the Assessed Entity’s asserted control maturity scores. This section also includes a table outlining all attestation reports issued by third parties that were utilized by the External Assessor in lieu of direct testing. The table is populated from the Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms).

Removal of Appendix A – Testing Summary
The legacy Appendix A – Testing Summary of the HITRUST CSF Validated Assessment Report has been removed. The External Assessor will no longer be required to provide the lists of documentation reviewed, interviews conducted, and technical testing performed. Instead, the Procedures Performed by the External Assessor section now includes a standard description of the types of procedures that the assessor may have performed, which include:

Inquiry with key personnel.
Inspection of system-generated access listings, logs, configuration settings, sample items, and/or evidence.
On-site observations.
Reperformance of procedures performed by customer personnel.

Implementation
HITRUST CSF Validated Assessment
These report updates will affect HITRUST CSF Validated Assessment Reports and HITRUST CSF Validated Assessment Letters with Scope for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all of the following criteria on February 15, 2022:

Assessment has not previously been submitted to HITRUST.
Assessment is in the Not Started or Answering Assessment state.
No Assessment Domains have been submitted to the External Assessor for review.

The HITRUST CSF Letter (without scope) and HITRUST CSF NIST Reports are not affected by the changes described in this advisory.

HITRUST CSF Readiness Assessments
These report updates will affect HITRUST CSF Readiness Assessment Reports for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all of the following criteria on February 15, 2022:

Assessment has never been submitted to HITRUST.
Assessment is in the Not Started or Answering Assessment state.

HITRUST CSF Interim and Bridge Assessments
Interim Letters and Bridge Certificates are not affected by the changes described in this advisory.

Additonal Resources
Sample – HITRUST CSF Validated Assessment Report
Sample – HITRUST CSF Validated Assessment Letter with Scope
Sample – HITRUST CSF Readiness Assessment Report

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

View full post