Advisories

HAA 2023-004: e1 Assessment Introduction

Written by HITRUST | Mar 5, 2024 10:55:26 AM

Overview
HITRUST now offers a new, lower-effort, validated cybersecurity assessment and accompanying certification — the HITRUST Essentials, 1-year (e1) Assessment — which is designed to move at the speed of business.

Key Characteristics of the e1 Assessment

  • The HITRUST e1 Assessment focuses on a curated set of cybersecurity controls encompassing fundamental cybersecurity practices, or “good cybersecurity hygiene”.
  • When viewed side-by-side with the HITRUST i1 and HITRUST r2, the HITRUST e1 shows a depth of control consideration that is significantly leaner by design.
  • The HITRUST e1 is designed to be an evolving, threat-adaptive certification. The requirements included in the HITRUST e1 address the most pressing active cyber threats (e.g., phishing, ransomware), while the requirements included in the HITRUST i1 controls address a broader range of active cyber threats. The e1 achieves threat-adaptiveness through the quarterly HITRUST reconciliation of cyber threat intelligence to the HITRUST CSF requirements.
  • Controls nest into the i1 and r2 to be fully inheritable, so e1 work can be reused.
  • When changes to the e1 requirement selection are deemed necessary, they will be included in major and minor releases of the HITRUST CSF. Consequently, all e1 Assessments performed against a particular version of the HITRUST CSF will include the same requirements, currently 44 requirements.
  • The e1 Assessment can be performed as a readiness or validated assessment. The e1 Readiness Assessment may be performed with an External Assessor or as a self-assessment.

Use Cases
The HITRUST e1 is built for use by organizations seeking assurance for cybersecurity essentials that is more robust than questionnaires or other self-assessments (such as the HITRUST bC). This supports the following use cases:

  • When relying parties need to request a less rigorous, less demanding, easy-to-understand, and easy-to-execute assurance from vendors who pose a lower level of inherent risk.
  • An organization is seeking assurance for a limited set of controls that are inherently expected for nearly all entities.
  • An initial assessment of security maturity for a limited set of essential cybersecurity controls is quickly needed (such as for a newly onboarded vendor or for an entity still developing their cybersecurity program).

Secondary use cases for the HITRUST e1 include:

  • When a demonstrable assurance report is needed to establish a foundational benchmark for an organization’s assurance continuum.
  • Situations where an e1 assurance is the first step towards the eventual achievement of a HITRUST i1 or r2 Certification.

The e1 Assessment in the HITRUST Assessment Portfolio
The addition of the e1 Assessment is a continuation of the HITRUST Assessment Portfolio expansion designed to equip organizations with a broader range of validation and certification options to address varied assurance requirements. Not all vendor or third-party relationships warrant the level of assurance, or time and effort, required for HITRUST i1 or r2 Certifications. Validation of essential cybersecurity practices is still warranted for many vendors traditionally viewed as lower risk. Validated HITRUST e1 assessments and certifications meet this need.

How the e1 Fits into the HITRUST Assessment Family
The HITRUST Essentials, 1-year Validation + Certification Assessment complements other assessments in the HITRUST portfolio by providing suitable assurances for lower-risk scenarios, focusing on foundational, essential cybersecurity controls, and acting as an entry-level HITRUST Certification. The HITRUST Implemented, 1-year (i1) Certification introduced in 2022 provides suitable assurances for moderate-risk scenarios, focusing on cybersecurity best practices controls. The HITRUST Risk-based, 2-year (r2) Certification will continue to provide the highest level of information protection assurance for situations with greater risk exposure due to data volumes, regulatory compliance, and other risk factors. This assurance model is designed to support progression from an e1 to either an i1 or r2 where required for organizations or their relying parties. This traversable assessment approach supports situations where inherent risk is evolving and entities are seeking a higher level of assurance over time as well as when an assessed entity is still maturing their program and an initial assurance report is required for the most essential controls.

Comparison of the e1, i1, and r2 Certifications

Characteristic | e1 | i1 | r2

Deliverables
Can result in a HITRUST-issued certification (i.e., HITRUST certifiable) | Yes | Yes | Yes
Length of certification | 1 year | 1 year | 2 years
Final reports resulting from the assessment can be shared through the HITRUST Assessment XChange and assessment results can be shared through the HITRUST Results Distribution System | Yes | Yes | Yes
Can result in a HITRUST-issued certification over the NIST Cybersecurity Framework | No | No | Yes

Assessments
Readiness assessments and validated assessments can be performed | Yes | Yes | Yes
Requires an Authorized HITRUST External Assessor Organization to inspect documented evidence to validate control implementation | Yes | Yes | Yes
Leverages the HITRUST Control Maturity Scoring Rubric | Yes | Yes | Yes
Assessor’s validated assessment fieldwork window (maximum) | 90 days | 90 days | 90 days
HITRUST CSF requirements performed by the assessed entity’s service providers (such as cloud service providers) on behalf of the organization can be carved out / excluded from consideration | Yes | Yes | No
Personnel from either the assessed entity or their external assessors are allowed to enter control maturity scoring and assessment scoping information | Yes | Yes | No
Requires an interim assessment | No | No | Yes
Can be bridged through a HITRUST Bridge Certificate | No | No | Yes

Subject matter
Threat-adaptive assessment | Yes | Yes | Yes*
Includes a fixed number of HITRUST CSF requirement statements | Yes | Yes | No
Includes HITRUST CSF requirements specifically tailored to the assessment scope | No | No | Yes
Can be tailored to optionally convey assurances over dozens of information protection regulations and standards (e.g., HIPAA, NIST CSF, PCI DSS) | No | No | Yes
Can be tailored to include privacy | No | No | Yes
Must use the most current version of the CSF available at time of assessment creation | Yes | Yes | No

*v11 and later (see HAA 2022-002)

More Information About the e1 Certification and e1 Assessment
Control Maturity Levels Considered in e1 Assessments

  • Like the HITRUST i1, the HITRUST e1 focuses on the “Implemented” control maturity level of HITRUST’s control maturity evaluation model. Even though the e1 focuses on control implementation, like the i1, some requirement statements necessitate reviewing policy and procedure documents. For example, implementing the following HITRUST CSF requirement included in the e1 involves the creation of a written information protection program document: “0113.04a1Organizational.2 - The organization’s information security policy is developed, published, disseminated, and implemented. The information security policy documents: state the purpose and scope of the policy; communicate management’s commitment; describe management and workforce members’ roles and responsibilities; and establish the organization’s approach to managing information security.”

HITRUST Control Scoring Rubric Update (Version 4)
e1, i1, and r2 Assessments all leverage the HITRUST Control Maturity Scoring Rubric, although the e1 and i1 do not use the entire rubric. The rubric has been updated in support of the e1 Assessment to indicate that only the implemented control maturity level is considered for v11.

External Inheritance on e1 Assessments
External assessors and assessed entities of e1 Assessments have two options for addressing situations in which a HITRUST CSF requirement is fully or partially performed by a service provider (e.g., by a cloud service provider): Inclusive and Exclusive (or Carve-out). These methods, detailed below, are the same two methods that can be used for i1 Assessments.

  • The Inclusive method, whereby HITRUST CSF requirements performed by the service provider are included within the scope of the HITRUST Assessment and addressed through full or partial inheritance, reliance on third-party assurance reports, and/or direct testing.
  • The Exclusive (or Carve-out) method, whereby HITRUST CSF requirements performed by the service provider are excluded from the scope of the HITRUST Assessment and marked as N/A with supporting commentary that specifies that the HITRUST CSF requirement is fully performed by a party other than the assessed entity (for fully outsourced controls) or that describes the excluded partial performance of the control (for partially outsourced controls).

Refer to HAA 2021-012 for additional details.

Cross-assessment-type inheritance is allowed, meaning that i1 or r2 Assessment results can be inherited into an e1 Assessment (and vice versa). However, only the implemented level’s scoring can be inherited when inheriting from an e1 Assessment into an r2 Assessment given that e1 Assessments only consider the implemented maturity level. This limitation does not absolve those involved in the inheriting r2 Assessment from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on supplemental validation procedures or (b) scoring the policy, procedure, measured and managed scores at 0 to reflect the inability to ascertain scoring on these control maturity levels.

HITRUST Quality Assurance (“QA”) Review of e1 Assessments
e1 Assessments will feature the same high quality of deliverables as i1 and r2 Assessments, as ensured through HITRUST’s robust Quality Assurance process and HITRUST’s Assurance Intelligence Engine. Additionally, just as for i1 and r2 Assessments, the HITRUST QA review of e1 Assessments must be scheduled using the HITRUST QA Reservation System. Please be aware that e1, i1, and r2 Assessments require different types of report credits to book a reservation. For additional information on acquiring the correct type of report credit, please contact your Customer Success Manager (CSM).

HITRUST will perform a sample-based QA review of requirement statements within e1 Validated Assessments much in the same manner as is performed on i1 and r2 Validated Assessments.

HITRUST QA for e1 Assessments is designed for speed
The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, the quality of the external assessor’s documentation, the quality and consistency of the external assessor’s validation procedures, and many other factors. However, the established e1 post-submission service level agreement (SLA) is no more than 30 business days with HITRUST; if HITRUST exceeds this, the customer’s next e1 Validated Assessment Report credit is complimentary.

This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement starts from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase) or the last day of the QA block from the reservation. Days are counted for any weekdays on which the assessment is in a HITRUST-owned phase before the draft report is posted. Validated assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days-with-HITRUST measure is visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.
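As an added illustration, not part of this advisory and not HITRUST’s own MyCSF logic, the Python sketch below applies the “days with HITRUST” rules as stated above: the clock starts at the earlier of the Performing QA start date and the last day of the reserved QA block, only weekdays count, only days in a HITRUST-owned phase count, counting stops when the draft report is posted, and escalated submissions are exempt. The function names, the representation of HITRUST-owned phases as date intervals, and the sample timeline are assumptions constructed for the example; public holidays are ignored because the advisory speaks only of weekdays.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Stated e1 post-submission SLA: "days with HITRUST" must not exceed 30 business days.
E1_SLA_BUSINESS_DAYS = 30
# Window after the final report is issued for requesting a complimentary credit.
CREDIT_REQUEST_WINDOW_DAYS = 14

# (start inclusive, end exclusive) interval during which HITRUST owns the assessment.
DateRange = Tuple[date, date]


def business_days_between(start: date, end: date) -> int:
    """Count weekdays (Mon-Fri) in the half-open range [start, end).
    Public holidays are ignored (assumption: the advisory mentions weekdays only)."""
    count = 0
    day = start
    while day < end:
        if day.weekday() < 5:  # Monday == 0 ... Friday == 4
            count += 1
        day += timedelta(days=1)
    return count


def days_with_hitrust(qa_started: date,
                      qa_block_last_day: date,
                      draft_report_posted: date,
                      hitrust_owned_phases: List[DateRange],
                      escalated: bool = False) -> Optional[int]:
    """Return the "days with HITRUST" count, or None when the submission is
    exempt from the SLA because it entered escalated QA."""
    if escalated:
        return None
    # The clock starts at the earlier of the QA start and the end of the QA block.
    clock_start = min(qa_started, qa_block_last_day)
    total = 0
    for phase_start, phase_end in hitrust_owned_phases:
        # Clip each HITRUST-owned phase to [clock_start, draft_report_posted).
        window_start = max(phase_start, clock_start)
        window_end = min(phase_end, draft_report_posted)
        total += business_days_between(window_start, window_end)  # 0 if window is empty
    return total


def sla_met(days: Optional[int]) -> bool:
    """Exempt submissions (None) are treated as meeting the SLA; otherwise
    the count must not exceed the 30 business-day threshold."""
    return days is None or days <= E1_SLA_BUSINESS_DAYS


def credit_request_deadline(final_report_issued: date) -> date:
    """Last day on which a complimentary credit can be requested."""
    return final_report_issued + timedelta(days=CREDIT_REQUEST_WINDOW_DAYS)


# Constructed sample timeline (not real assessment data).
SAMPLE_QA_BLOCK_LAST_DAY = date(2024, 3, 8)    # Friday; block ended before QA actually began
SAMPLE_QA_STARTED = date(2024, 3, 11)          # Monday
SAMPLE_HITRUST_OWNED_PHASES = [
    (date(2024, 3, 8), date(2024, 3, 22)),     # in HITRUST's queue, then Performing QA
    (date(2024, 3, 27), date(2024, 4, 30)),    # back with HITRUST after assessor follow-up
]
SAMPLE_DRAFT_POSTED = date(2024, 4, 24)        # Wednesday


def sample_days() -> Optional[int]:
    return days_with_hitrust(SAMPLE_QA_STARTED, SAMPLE_QA_BLOCK_LAST_DAY,
                             SAMPLE_DRAFT_POSTED, SAMPLE_HITRUST_OWNED_PHASES)


if __name__ == "__main__":
    d = sample_days()
    print(f"days with HITRUST: {d}, SLA met: {sla_met(d)}")
    print("credit request deadline:", credit_request_deadline(date(2024, 5, 1)))
```

In the constructed timeline the gap between the two HITRUST-owned phases (days the assessment sat with the external assessor) does not count, and the clock starts on the last day of the QA block because it falls before the Performing QA date; the sample lands exactly on the 30-day threshold, which still satisfies the SLA.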

CAPs, Scoring, and Certification Thresholds on e1 Assessments
The scoring and certification thresholds for e1 Assessments are the same as those for i1 assessments. Refer to HAA 2021-012 for details.

e1 HITRUST CSF Reports
Upon completion of an e1 Assessment that meets the scoring thresholds for certification, HITRUST will issue the following reports:

  • HITRUST e1 Certification Report
  • HITRUST e1 Certification Letter
  • HITRUST e1 Certification Letter with Scope

Upon completion of an e1 Assessment that does not meet the scoring thresholds for certification, HITRUST will issue only the HITRUST e1 Validated Assessment Report.

Implementation and timeline
The ability to perform e1 Assessments in MyCSF is available as of the release of this advisory. 

Additional Resources
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.