HITRUST CSF Bridge Assessment and Certificate FAQs
How does a bridge assessment affect the interim assessment due date?
The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST CSF Certification is set to expire on 5/31/20 and this organization is awarded a HITRUST CSF Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the CSF Bridge Certificate’s expiration, which results in a HITRUST CSF Certification. The organization’s newly issued HITRUST CSF Certification is dated 6/1/20, and the interim assessment would be due to HITRUST no later than 6/1/21.
Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
The HITRUST CSF Bridge Certificate is designed to assist organizations that need to maintain HITRUST CSF Certification but may be experiencing challenges in completing their next HITRUST CSF Validated Assessment.
The HITRUST CSF Bridge Assessment links the two HITRUST CSF Validated Assessments by offering a limited level of assurance during the period when the next HITRUST CSF Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST CSF Validated Assessment where the level of assurance can only be maintained for 24 months.
What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity activities, and/or adding a new vendor in observance of the organization’s third-party onboarding and review process.
What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?
HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include:
- Moving from an on-premises data center into a public cloud environment,
- Moving the organization’s physical headquarters,
- Decommissioning a data center and moving all assets to a different data center,
- Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS),
- Changing an in-scope system so it uses a NoSQL backend instead of a relational database,
- Moving away from an outsourced IT model by standing up an internal IT function,
- Decommissioning the helpdesk ticketing system, and/or
- New functionality in an in-scope platform enabling it to be accessed from a public location.
Are the 19 randomly selected HITRUST CSF requirement statements picked during the HITRUST CSF Bridge Assessment object creation?
When can I submit a completed HITRUST CSF Bridge Assessment to HITRUST?
The HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
When can I start a HITRUST CSF Bridge Assessment?
A HITRUST CSF Bridge Assessment object can be created in MyCSF up to 60 days prior to the existing HITRUST CSF Certification’s expiration.
When can I create the HITRUST CSF Bridge Assessment object in MyCSF?
The HITRUST CSF Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
Who qualifies for the HITRUST CSF Bridge Assessment and Certificate?
Any organization that (a) has a HITRUST CSF Validated Report with Certification, (b) will miss its validated assessment submission due date, and (c) hasn’t missed that due date by more than 30 days.
Will all of my relying parties accept the HITRUST CSF Bridge Certificate?
HITRUST believes that a HITRUST CSF Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a HITRUST CSF Validated Assessment in the next 90 days.
Assessed entities should consult with their stakeholders and relying parties to determine if they will accept a HITRUST CSF Bridge Certificate while they await receipt of the intended HITRUST CSF Validated Report with Certification.
It should not be accepted in place of a complete HITRUST CSF Certification, as it does not convey the same level of assurance.
What is the HITRUST CSF Bridge Assessment?
The HITRUST CSF Bridge Assessment results in a HITRUST CSF Bridge Certificate. The HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST. It is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification and allows organizations to maintain a form of HITRUST CSF Certification status for an additional 90 days even if their validated assessment submission due date is missed.