HITRUST Essentials, 1-year (e1) Validated Assessment + Certification FAQs
What is the new HITRUST Essentials, 1-year (e1) Validated Assessment + Certification?
The e1 Assessment and its accompanying certification are designed to address the need for demonstrable assurances over an organization’s performance of foundational cybersecurity practices and its coverage of the most critical cybersecurity threats, either via self-assessment or validation by External Assessors. This very narrow focus allows the e1 to move at the speed of business, providing insight into cybersecurity hygiene quickly.
This new assessment can also benefit assessed entities by: (1) serving as a stepping-stone to comprehensive assessments of security maturity and risk management such as the HITRUST i1 or HITRUST r2, or (2) being the targeted “end goal” assurance mechanism for organizations of specific (lower) risk profiles or in certain scenarios such as M&A activity, newly onboarded vendors, or newly implemented IT platforms.
Does the e1 Essentials Assessment replace the Basic, Current-state (bC) Assessment? What if we already have a bC underway?
Yes. The e1 Assessment is a replacement for the bC in Version 11 and later of the HITRUST CSF framework, and also in version two of the HITRUST Assessment XChange Third-party Risk Management (TPRM) methodology. Those who already have a bC Assessment underway in MyCSF or the XChange will be able to complete their bC without issue.
HITRUST indicates that the e1 Assessment is “cyber threat-adaptive” – what does cyber threat-adaptive mean?
The “cyber threat-adaptive” innovation in the HITRUST e1 Assessment is one of the most important benefits that makes it unique. Simply stated, cyber threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and e1 requirements will be updated to remain cyber relevant over time to reduce future risk. This cyber threat-adaptive proactivity to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.
How much does an e1 Assessment cost?
For current e1 pricing, contact your HITRUST Product Specialist by calling: 855-448-7878 or emailing: firstname.lastname@example.org
When will HITRUST make the e1 Assessment available?
The ability to perform e1 Assessments in MyCSF became available on 1/18/2023.
Will there be any training specifically for the e1 Assessment?
All 2023 and later HITRUST Academy courses will cover the e1 in detail.
Can all HITRUST Authorized External Assessors perform e1 Assessments, or will there be a different type of External Assessor that is authorized to perform e1 Assessments?
No distinction. All HITRUST Authorized External Assessor Firms can perform e1, i1, and r2 Assessments.
Can organizations do e1 Assessments in back-to-back years?
Yes. For many organizations, the e1 will be the only information protection certification needed. Those organizations will simply perform a HITRUST e1 Validated Assessment annually.
Is there a requirement to go for an i1 or r2 after obtaining the e1?
No. HITRUST has no such requirement. The type of HITRUST certification an organization decides to pursue is based on many factors unique to each organization and its stakeholders.
Can I begin with an e1 and migrate to an i1 or r2 over time?
Will there be an e1 Readiness Assessment available?
Yes. Readiness assessment options exist for e1, i1 or r2 Assessments.
Is there an Interim Assessment for the e1?
No. Because the e1 is a one-year certification, no interim assessment is appropriate or necessary.
Can I do an e1 Assessment in place of an interim assessment for an r2?
Yes. The e1 is not intended as an interim assessment replacement; however, HITRUST will accept it in place of an interim assessment for organizations holding an r2 certification that opt to go this route. Organizations who wish to use an e1 in lieu of an interim assessment for an r2 certification should notify HITRUST Support of their intentions prior to beginning their e1 assessment.
Can the e1 Validated Assessment get a bridge assessment certificate? In other words, can a HITRUST bridge assessment be performed by organizations holding an e1 Certification?
No. HITRUST will only award bridge certificates to organizations holding r2 certifications.
Is it possible for an organization to use a HITRUST bridge assessment when going from an r2 to an e1 when there is a gap in certification status in-between?
No, Bridge Assessments cannot be used between r2 and e1 Assessments to close a gap in certification. Bridge Assessments are only available between r2 Assessments. For example, if an r2 Certification expires in July, and an organization cannot achieve an e1 Certification until December, a gap in certification status would exist for the months of August through November.
Does a “comprehensive” assessment option exist for the e1 like for the r2?
No. While r2 Assessments can be tailored to include all security control references present in the HITRUST CSF, e1 Assessments cannot. Those seeking the comprehensive HITRUST assessment option will need to perform an r2 Comprehensive Assessment.
Does the e1 Validated Assessment include privacy-centric HITRUST CSF requirements?
No. While certain requirements within domain 19 are included in e1 Assessments, the e1 is designed to focus on cybersecurity only.
Can users add privacy into e1 Assessments like they can in the r2?
How many HITRUST CSF requirements are included in an e1 Assessment, and do the requirements vary based on inherent risk factors or inclusion of regulatory factors like they do on an r2 Assessment?
All e1 Assessments created against HITRUST CSF v11 have 44 HITRUST CSF requirements. The selection of HITRUST CSF requirements included in an e1 Assessment cannot be tailored using inherent risk factor questions or through adding in regulatory factors such as GDPR. Those seeking a tailorable, risk-based HITRUST assessment option should instead perform an r2 Assessment.
Can users see the HITRUST CSF requirements included in e1 Assessments in the HITRUST CSF PDF download?
No. HITRUST CSF requirement statements are not included in the free HITRUST CSF PDF download, and the e1 consists of a selection of HITRUST CSF requirement statements curated by HITRUST. Organizations interested in seeing the HITRUST CSF requirements included in an e1 Assessment are encouraged to create an e1 Assessment in MyCSF or to contact HITRUST.
Will the HITRUST CSF requirements included in e1 Assessments stay the same for each version of the CSF?
No, they will evolve. The e1 includes controls selected to address emerging cyber threats actively being targeted today. This exercise to renew controls will be reperformed for each subsequent major and minor release of the HITRUST CSF and will result in the e1 requirement selections evolving over time to address the then-relevant cybersecurity threats.
How much overlap exists between the HITRUST CSF requirements included in an e1 assessment and an i1 or r2 assessment?
As of Version 11 of the HITRUST CSF:
All HITRUST CSF requirements in the e1 can be found in all i1 and r2 assessments.
All HITRUST CSF requirements in the i1 can be found in all r2 assessments.
Can HITRUST CSF requirements in an e1 Assessment be deemed NA?
Yes. Just like on i1 and r2 Assessments.
Do e1 Assessments use the HITRUST scoring rubric to determine a control maturity score?
Yes. Just like in i1 assessments, the e1 only evaluates “implemented” control maturity (not policy, procedure, measured, or managed). As a result, only the implemented square on the front of the rubric chart, along with the full guidelines on the back, is used during e1 Assessments. However, e1 assessments do consider written policies and/or procedures to a limited extent, because some HITRUST CSF requirements included in the e1 focus on the existence of such documents.
Are PRISMA control maturity ratings such as 1-, 3, and 5+ used on e1 Assessments?
No. Because e1 Assessments (just like i1 assessments) do not include all control maturity levels and instead focus just on the control implementation maturity level, control maturity ratings such as 1-, 3, and 5+ are not used on e1 Assessments. Instead, only scores between 0 and 100 are used on e1 Assessments.
Why is the certification scoring threshold for e1 and i1 Assessments (83 domain-average minimum score) higher than for r2 Assessments (62 domain-average minimum score)? Is HITRUST raising the bar on what it takes to earn a certification?
While it may appear that HITRUST raised the bar for certifying an e1 and i1 assessment relative to an r2 Assessment, all HITRUST assessment types actually enforce a very similar certification threshold as shown in the following table. In an r2 Assessment, the highest achievable score when assessing through the Implemented level is a 75. In an e1 and i1 assessment the highest score achievable when assessing through the implemented level is 100. So the certification “bar” is equal for all HITRUST assessment types.
What determines whether an e1 Validated Assessment will result in HITRUST issuing a certification report as opposed to just a validated assessment report? In other words, what scoring is needed to get an e1 Certification?
Just like i1 assessments, for an e1 Validated Assessment to achieve certification, no assessment domain’s straight-average score can be below 83. By contrast, for an r2 Validated Assessment to earn an r2 Certification, no assessment domain’s straight-average score can be below 62.
Will the e1 Validated Assessment allow control carve-outs of service provider performed controls?
Yes. Just like i1 assessments: The e1 allows for either a “carve-out method” or “inclusive method” for controls performed by separate parties (e.g., cloud service providers). The r2 Validated Assessment only allows the inclusive method.
If I’m currently in the process of performing an i1 or r2 Validated Assessment and I’d like to change course and instead perform an e1 Validated Assessment, what’s the best course of action in HITRUST MyCSF?
You can take a few different routes in this scenario, depending on your MyCSF access level:
The first option is to create a new e1 Validated Assessment object in MyCSF and then internally inherit the scoring, commentary, and linked documents present in your i1 or r2 Assessment into your e1 Assessment. Then, complete the remainder of the e1 Assessment as needed and when ready, submit the e1 Assessment object to HITRUST.
A second option is to change your i1 or r2 Assessment object into an e1 Assessment object by modifying the pre-assessment configuration questions. After changing the object’s configuration from i1 or r2 to e1 and refreshing the assessment, it becomes an e1 Assessment object instead of an i1 or r2 Assessment object.
A third option is to clone your r2 Assessment object, then perform the steps outlined in option 2 against the cloned object.
How long will organizations have to finish e1 validated assessments?
A 90-day fieldwork maximum applies, just like for i1 or r2 validated assessments.
Are there any differences in the incubation period for newly implemented or remediated controls on e1 Assessments compared to an i1 or r2?
No. For e1 Assessments, the incubation period for newly implemented and remediated controls is 90 days, the same as for i1 and r2 assessments.
Can internal assessors be leveraged for e1 Assessments?
Yes. It’s just like on i1 and r2 Assessments.
Can personnel performing e1 Assessments use MyCSF’s offline assessment template?
Just like i1 and r2 assessments: Yes, if allowed at the assessed entity’s MyCSF subscription level.
Is evidence required for submission with the e1?
Just like i1 and r2 assessments: Evidence supporting any control implementation scores greater than 0 in validated assessments must be either linked or uploaded in MyCSF. Supporting evidence is not required during readiness assessments.
Can an e1 Validated Assessment inherit from an i1 or r2 Validated Assessment, and vice versa?
Yes and Yes. However, note that only the implemented level’s scoring can be inherited when inheriting from an e1 Assessment into an r2 Assessment given that e1 Assessments only consider control implementation. This limitation does not absolve those involved in r2 Assessments from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on inspection of supporting evidence, or (b) scoring the policy, procedure, and (optionally) measured and managed scores at 0.
If an IT services provider (such as a cloud service provider) only publishes an e1 Validated Assessment for an external inheritance, how are their customers impacted?
While HITRUST anticipates that most organizations who publish their HITRUST assessments for external inheritance will use r2 (or possibly i1) Assessments instead of e1 Assessments, service providers such as CSPs do have the option to only perform e1 Assessments. In this case, their customers/tenants inheriting from them will be limited to inheriting only the implemented scoring and commentary from the e1 and no policy, procedure, measured, or managed scoring will be available for inheritance.
Are Corrective Action Plans (CAPs) allowed on an e1 Assessment, and what determines whether a CAP is needed instead of a gap?
Just like on i1 assessments: On e1 Assessments, HITRUST requires assessed entities to define Corrective Action Plans (CAPs) for all HITRUST CSF requirements meeting the following criteria: the requirement’s implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages less than 80. For any requirement where the implemented maturity level scores less than “fully compliant” but the associated control reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a CAP.
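A pre-submission self-check of the two scoring rules stated in this FAQ (the per-domain certification threshold of 83 for e1/i1 and 62 for r2, and the CAP-versus-gap criteria per requirement), written here as an added example; it is not HITRUST’s or MyCSF’s own logic. It assumes that “fully compliant” at the implemented level corresponds to a score of 100, and the requirement ids, domains and control references are constructed placeholders, not the actual e1 requirement selection.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: requirement id -> (domain, control reference, implemented score 0..100).
# Ids, domain labels and control references are illustrative placeholders only; the real
# e1 requirement selection is visible only inside MyCSF.
SAMPLE_SCORES = {
    "REQ-01": ("Domain 01", "00.a", 100),
    "REQ-02": ("Domain 01", "00.a", 75),
    "REQ-03": ("Domain 01", "01.b", 50),
    "REQ-04": ("Domain 02", "01.b", 100),
    "REQ-05": ("Domain 02", "09.c", 100),
    "REQ-06": ("Domain 02", "09.c", 60),
}

FULLY_COMPLIANT = 100          # assumption: "fully compliant" implemented level == score of 100
CAP_REFERENCE_THRESHOLD = 80   # control-reference average below 80 -> CAP, 80 or more -> gap
CERT_THRESHOLD = {"e1": 83, "i1": 83, "r2": 62}  # minimum domain straight-average score


def control_reference_averages(scores):
    """Straight average of implemented scores per control reference (e.g., 00.a)."""
    by_ref = defaultdict(list)
    for _domain, ref, score in scores.values():
        by_ref[ref].append(score)
    return {ref: mean(v) for ref, v in by_ref.items()}


def domain_averages(scores):
    """Straight average of implemented scores per assessment domain."""
    by_domain = defaultdict(list)
    for domain, _ref, score in scores.values():
        by_domain[domain].append(score)
    return {domain: mean(v) for domain, v in by_domain.items()}


def classify_findings(scores):
    """Map every requirement scoring below fully compliant to 'CAP' or 'gap'."""
    ref_avg = control_reference_averages(scores)
    findings = {}
    for req, (_domain, ref, score) in scores.items():
        if score >= FULLY_COMPLIANT:
            continue  # fully compliant requirements need neither a CAP nor a gap
        findings[req] = "CAP" if ref_avg[ref] < CAP_REFERENCE_THRESHOLD else "gap"
    return findings


def failing_domains(scores, assessment_type):
    """Domains whose straight average falls below the certification threshold."""
    threshold = CERT_THRESHOLD[assessment_type]
    return sorted(d for d, avg in domain_averages(scores).items() if avg < threshold)


def meets_certification(scores, assessment_type):
    return not failing_domains(scores, assessment_type)
```

In the constructed sample, Domain 01 averages 75, so the same scores would certify under the r2 threshold but not under the e1 threshold.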
Is a Certified HITRUST Quality Professional (CHQP) review and sign-off required before the submission of an e1 Validated Assessment to HITRUST?
Yes. It’s just like on i1 and r2 Validated Assessment submissions.
Can the HITRUST QA Reservation System be used for scheduling submission and QA for an e1 Validated Assessment?
Yes. Just like for i1 and r2 Validated Assessment submissions, a QA reservation is required.
Does HITRUST do a sample-based quality assurance review of submitted e1 Validated Assessments? Is this QA any different than the QA review performed for submitted r2 or i1 Validated Assessments?
Yes and Yes. HITRUST performs a sample-based QA for e1 Validated Assessment submissions much in the same manner that we do for r2 and i1 Validated Assessment submissions. The notable difference is that HITRUST does not QA a sample of requirements with measured and/or managed scores on e1 or i1 submissions (as these assessments do not include the measured and managed control maturity levels).
How long is QA expected to take for the e1 once HITRUST accepts the submission and begins review?
The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, on the quality of the External Assessor documentation, the quality and consistency of the External Assessor’s validation procedures, and on many other factors. However, the established HITRUST e1 post-submission Service Level Agreement (SLA) is not greater than 30 business days with HITRUST (otherwise the customer’s next e1 Validated Assessment report credit is free).
This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement starts from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase) or the last day of the QA Block from the reservation. Days are counted for any business days on which the assessment is in a HITRUST-owned phase before the draft report is posted. Validated Assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days-with-HITRUST measure is visible to customers on the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.
Can a HITRUST e1 Validated Assessment result in a certification?
Does the e1 produce a secondary certification like the r2 produces a NIST CSF certification?
No. Just a HITRUST certification.
Can the MyCSF Compliance and Reporting Pack for HIPAA be run against i1 or e1 Assessments?
No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 or e1 assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 assessments.
Can e1 Validated Assessment deliverables be shared via the HITRUST Results Distribution System, and can they be shared through the HITRUST Assessment XChange?
The HITRUST Results Distribution System (RDS) allows sharing e1 Assessment results through a web browser and/or API just like for i1 and r2 Assessment results. In addition, e1 PDF deliverables (e.g., the e1 Validated Assessment Report) can be shared through the HITRUST Assessment XChange just like i1 and r2 PDF deliverables.