HAA 2021-013: HITRUST Control Maturity Scoring Rubric Update (version 3)

Written by HITRUST | Mar 6, 2024 11:01:55 PM

Overview
HITRUST’s Control Maturity Scoring Rubric (“Rubric”), which assists assessed entities and their external assessors in assessment scoring, has been updated in support of the i1 assessment and to reflect previously announced changes. Key changes to the rubric include:

  • The Policy and Procedure maturity levels had their criteria and strength tiers updated based upon HAA 2021-002, which was released on June 7, 2021. The revised Policy and Procedure criteria presented in the Advisory were added to the ‘Other Key Concepts’ section of the Rubric, and the five strength tiers for the Policy and Procedure maturity levels in the version 2 Rubric were reduced to three tiers in the version 3 Rubric as follows:
    • Tier 0 – No documented Policy and/or Procedure
    • Tier 1 – Undocumented Policy and/or Procedure
    • Tier 2 – Fully documented Policy and/or Procedure
  • HITRUST has updated the “minimum number of days that a remediated or newly implemented control must operate prior to assessor testing” to reflect 60 days for any policy or procedure remediation, corresponding to the revision communicated in HAA 2021-002.
  • HITRUST has included the current Bridge Certificate timing guidance in the Rubric.
  • HITRUST has added the following sample-based testing requirements:
    • Guidance requiring sampling lead sheets in the test plan to document the sampling approach.
    • Guidance stating that evidence used during sample testing must be retained.
    • Sampling guidance for semi-annual controls.
    • Guidance on the required population timeframe to consider when pulling samples of control occurrences over time as: “Minimum of 90 days prior to the date of testing with a maximum of one-year prior to the date of testing”.
    • Guidance that the control frequency should be defined prior to determining the sampling approach.

In addition to the above key changes, HITRUST has made other minor adjustments to the Rubric:

  • HITRUST has reformatted the guidance for supporting documentation to qualify as a measure for HITRUST assessment purposes.
  • The applicability of the timeframes has been updated to reflect whether they correspond to a HITRUST r2 validated assessment or i1 validated assessment.
  • HITRUST has removed the following sections from the “Timeframes” to streamline presentation of the key timeframes; this is not intended to reflect a change in prior guidance:
    • Access window for a HITRUST MyCSF “Report Only” object.
    • Targeted window for HITRUST’s performance of QA and draft report assembly procedures.
    • Window during which HITRUST will accept grammatical changes to a draft report.
    • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF.
    • Interim assessment object submission due date.
  • HITRUST has updated the links on the Rubric where additional guidance can be found.

Timetable for Implementation
The updated HITRUST Control Maturity Scoring Rubric is immediately available for download here. For HITRUST i1 validated assessments, use of the version 3 Rubric is required. For HITRUST r2 validated assessments, either version 2 or version 3 of the Rubric may be used for assessments submitted prior to May 1, 2022. As of May 1, 2022, r2 validated assessment submissions must use the version 3 Rubric.

Additional Resources
Click here for a list of anticipated questions and answers.

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.