HITRUST Implemented, 1-year (i1) Validated Assessment + Certification FAQs
What is the new HITRUST Implemented, 1-year (i1) Validated Assessment + Certification?
The i1 Assessment is designed to address the need for a continuously-relevant cyber security assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware and phishing. The design and selection of the controls for the i1 Assessment puts it in a new class of information security assessment that is “threat-adaptive” – developed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material. The i1 Assessment is intended for organizations needing a moderate level of assurance that delivers full transparency, accuracy, consistency, and integrity.
HITRUST indicates that the i1 Assessment is “threat-adaptive” – what does threat-adaptive mean?
The “threat-adaptive” innovation in the HITRUST i1 Assessment is one of the most important benefits that makes it unique. Simply stated, threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and i1 requirements will be updated to remain cyber relevant over time to reduce future risk. This threat-adaptive approach of adjusting and refreshing information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.
How much does an i1 Assessment cost?
For current i1 pricing, contact your HITRUST Product Specialist by calling 855-448-7878 or emailing email@example.com.
When will HITRUST make the i1 Assessment available?
The ability to perform i1 Assessments in MyCSF is now available.
Will there be any training specifically for the i1 Assessment?
All 2022 and later HITRUST Academy courses will cover the i1 in detail.
Can all HITRUST Authorized External Assessors perform i1 Assessments, or will there be a different type of External Assessor that is authorized to perform i1 Assessments?
No distinction. All HITRUST Authorized External Assessor Firms can perform both r2 and i1 Assessments.
Can organizations do i1 Assessments in back-to-back years?
Yes. For many organizations, the i1 will be the only information protection certification needed. Those organizations will simply perform a HITRUST i1 Validated Assessment annually.
Is there a requirement to go for the r2 after obtaining the i1?
No. HITRUST has no such requirement. The type of HITRUST certification an organization decides to pursue is based on many factors unique to each organization and its stakeholders.
Can I begin with an i1 and migrate to an r2 over time?
Will there be an i1 Readiness Assessment available?
Yes. Readiness assessment options exist for both i1 and r2 Assessments.
Is there an Interim Assessment for the i1?
No. Because the i1 is a one-year certification, no interim assessment is appropriate or necessary.
Can I do an i1 Assessment in place of an Interim assessment for an r2?
Yes. The i1 is not intended to be an Interim assessment replacement; however, it will be accepted by HITRUST instead of an Interim assessment for organizations holding an r2 Certification and opting to go this route. Organizations that wish to use an i1 in lieu of an interim assessment for an r2 Certification should notify HITRUST Support of their intentions prior to beginning their i1 assessment.
Can the i1 Validated Assessment get a Bridge Assessment certificate? In other words, can a HITRUST Bridge Assessment be performed by organizations holding an i1 Certification?
No. HITRUST will only award bridge certificates to organizations holding r2 Certifications.
Is it possible for an organization to use a HITRUST Bridge Assessment when going from an r2 to an i1 when there is a gap in certification status in-between?
No, Bridge Assessments cannot be used between r2 and i1 Assessments to close a gap in certification. Bridge Assessments are only available between r2 Assessments. For example, if an r2 Certification expires in July, and an organization cannot achieve an i1 Certification until December, a gap in certification status would exist for the months of August through November.
Does a “comprehensive” assessment option exist for the i1 like for the r2?
No. While r2 Assessments can be tailored to include all security control references present in the HITRUST CSF, i1 Assessments cannot. Those seeking the comprehensive HITRUST assessment option will need to perform an r2 Comprehensive Assessment.
Can users add Privacy into i1 Assessments like they can in the r2?
No. However, HITRUST is actively developing a Privacy Certification offering for those organizations seeking demonstrable, reliable assurances against privacy-centric requirements.
How many HITRUST CSF requirements are included in an i1 Assessment, and do the requirements vary based on inherent risk factors or inclusion of regulatory factors like they do on an r2 Assessment?
All i1 Assessments created against HITRUST CSF v9.6 have 219 HITRUST CSF requirements. The selection of HITRUST CSF requirements included in an i1 Assessment cannot be tailored using inherent risk factor questions or through adding in regulatory factors such as GDPR. Those seeking a tailorable, risk-based HITRUST assessment option should instead perform an r2 Assessment.
Can users see the HITRUST CSF requirements included in i1 Assessments in the HITRUST CSF PDF download?
No. HITRUST CSF requirement statements are not included in the free HITRUST CSF PDF download, and the i1 consists of a selection of HITRUST CSF requirement statements. Organizations interested in seeing the HITRUST CSF requirements included in an i1 Assessment are encouraged to create an i1 Assessment in MyCSF.
How did HITRUST select the HITRUST CSF requirements included in i1 Assessments?
The HITRUST i1 is designed to be an evolving, threat-adaptive assessment that leverages threat intelligence and best practice controls to deliver an assessment that addresses relevant practices and emerging cyber threats. HITRUST carefully selected the HITRUST CSF requirements included in i1 Assessments against numerous acceptance criteria, including:
- The i1 is designed to be an industry-agnostic assessment; the HITRUST CSF requirements included in i1 Assessments and their associated illustrative procedures and evaluative elements are also industry-agnostic and do not use any terminology specific to the US federal government or germane to any specific legislation or authoritative source (e.g., does not include terms such as “protected health information”, “cardholder data,” or “authority to operate”).
- HITRUST leveraged threat intelligence data from a leading threat intelligence provider spanning May 2021 to October 2021 to influence the selection of the technically-focused HITRUST CSF requirements included in i1 Assessments. As a result, the i1 includes controls selected exclusively to address cyber threats actively being targeted today. This exercise will be reperformed for each subsequent major and minor release of the HITRUST CSF and no less than quarterly and will result in the i1 requirement selection evolving over time considering the then-relevant cybersecurity threats.
- The i1 is designed to be a combination of good security hygiene controls and cybersecurity best-practice controls. Its design affords a high degree of coverage against authoritative sources generally viewed as security best practices. As a result, the HITRUST CSF requirements included in i1 Assessments provide a high degree of coverage against sources such as the HIPAA Security Rule; NIST SP 800-171; the NAIC Data Security Law; the FTC’s GLBA Safeguards Rule (both the current version as well as the 2021 proposed update); NISTIR 7621: Small Business Information Security Fundamentals; the DOL’s EBSA Cybersecurity Program Best Practices; and the HITRUST CSF requirements included in the HITRUST Basic, Current-state (bC) Assessment.
- All HITRUST CSF assessment domains and CSF control categories are represented in the i1.
Will the HITRUST CSF requirements included in i1 Assessments stay the same for each version of the CSF?
No, they will evolve. The i1 includes controls selected to address emerging cyber threats actively being targeted today. This exercise will be reperformed for each subsequent major and minor release of the HITRUST CSF and will result in the i1 requirement selections evolving over time to address the then-relevant cybersecurity threats.
Does the i1 Validated Assessment include privacy-centric HITRUST CSF requirements?
No. While certain requirements within domain 19 are included in i1 Assessments, the i1 is designed to focus on cybersecurity only. HITRUST is actively developing a Privacy Certification offering for those organizations seeking demonstrable, reliable assurances against privacy-centric requirements.
How much overlap exists between the HITRUST CSF requirements included in a Basic, Current-state (bC) Assessment, and an Implemented 1-year (i1) Assessment, and a Risk-based, 2-year (r2) Assessment?
Comparing the HITRUST CSF requirements included in bC and i1 Assessments is very straightforward given that both the bC and i1 Assessments consist of static, pre-selected HITRUST CSF requirements; nearly all of the 71 HITRUST CSF requirements included in a bC Assessment are included in an i1 Assessment. However, drawing comparisons with the HITRUST CSF requirements included in r2 Assessments is less straightforward given that the HITRUST CSF requirements included in r2 Assessments vary based on inherent risk factors (e.g., whether wireless is included in scope) and based on the optional inclusion of regulatory factors (such as EU GDPR, PCI DSS, and HIPAA). Comparing the i1 requirement set against the “level 1 baseline” (i.e., those HITRUST CSF requirements included by default on all r2 Assessments) shows that approximately half of the r2 level 1 baseline is included in the i1 requirement set. (Inclusion of the HIPAA Security Rule in an r2 substantially increases the overlap between the i1 requirement set and the r2.) Planned, future updates will be made to the HITRUST CSF to considerably increase the overlap between the i1 requirement set and the r2 level 1 baseline requirement set.
If I need to demonstrate compliance with HIPAA, which HITRUST Assessment should I use?
- The HIPAA Security Rule requires organizations to implement various security controls, perform a risk analysis, and establish reasonable and appropriate policies and procedures to comply with HIPAA standards and implementation specifications. Meeting these requirements appropriately requires a HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the CSF Validated Assessment) because the comprehensive assurance methodology used in the r2 Validated Assessment includes a review of controls for implementation, processes, and procedures, whereas other assessments in the HITRUST portfolio do not.
- However, there may be instances when an organization has only implemented or partially implemented controls and does not already have an appropriate set of established policies and procedures, so they want to evaluate progress and effort towards HIPAA compliance. In this instance, an Implemented, 1-year (i1) Validated Assessment would be suitable as an intermediate step towards an r2 Validated Assessment, which is designed to demonstrate full HIPAA compliance.
Does the i1 Validated Assessment cover every HIPAA requirement?
- HIPAA includes several components (e.g., EDI rules specified in 45 CFR §162) which are outside the scope of any information protection framework. As a result, the HITRUST CSF—as an information protection framework—does not address all HIPAA requirements. However, the HITRUST CSF—again, as an information protection framework—does include controls and requirements which can be used to support assertions of compliance with HIPAA’s security, breach notification, and privacy rule requirements specified in 45 CFR §164.
- Organizations seeking demonstrable compliance with HIPAA’s security, breach notification, and privacy rule requirements specified in 45 CFR §164 are encouraged to explore the HITRUST r2 Validated Assessment offering. The r2 Assessment’s use of inherent risk factors (e.g., whether wireless is included in the scope of the assessment) helps derive a risk-based listing of HITRUST CSF requirements tailored to the organization’s unique needs.
- However, because the i1 was designed as a combination of good cybersecurity hygiene controls and cybersecurity best practices, the i1 affords a high degree of coverage against authoritative sources generally viewed as such. As a result, the HITRUST CSF requirements included in i1 Assessments provide a high degree of coverage against many authoritative sources (including the HIPAA Security Rule). The HITRUST CSF requirements included in i1 Assessments created using v9.6 map to approximately 95% of the HIPAA Security Rule. The 5% of the HIPAA Security Rule’s requirements which do not have corresponding HITRUST CSF requirements in i1 Assessments—namely 164.316(b)(2)(i), 164.314(b)(1), 164.314(b)(2)(i), 164.314(b)(2)(ii), 164.314(b)(2)(iii), and 164.314(b)(2)(iv)—are those that are too healthcare-industry specific to be included in the i1, which is an industry-agnostic cybersecurity assessment. Also, note that the i1 does not include any HITRUST CSF requirements directly mapping to requirements found in the HIPAA breach notification rule or the HIPAA privacy rule.
Can HITRUST CSF requirements in an i1 Assessment be deemed NA?
Yes. Just like on r2 Assessments.
Do i1 Assessments use the HITRUST scoring rubric to determine a control maturity score?
Yes. However, the way the rubric is used differs from r2 Assessments because the i1 only evaluates “implemented” control maturity (not policy, procedure, measured, or managed). As a result, only the implemented square on the front of the rubric chart along with the full guidelines on the back are used during i1 Assessments.
Are PRISMA control maturity ratings such as 1-, 3, and 5+ used on i1 Assessments?
No. Because i1 Assessments do not include all control maturity levels and instead focus just on control implementation, control maturity ratings such as 1-, 3, and 5+ are not used on i1 Assessments. Instead, only scores between 0 and 100 are used on i1 Assessments.
Why is the certification scoring threshold for i1 Assessments (83 domain-average minimum score) higher than for r2 Assessments (62 domain-average minimum score)? Is HITRUST raising the bar on what it takes to earn a certification?
While it may appear that HITRUST raised the bar for certifying an i1 Assessment relative to an r2 Assessment, i1 and r2 Assessments actually enforce a very similar certification threshold as shown in the following table. In an r2 Assessment, the highest achievable score when assessing through the Implemented level is a 75. In an i1 Assessment the highest score achievable when assessing through the implemented level is 100. So the certification “bar” is equal for an i1 and an r2 Certification.
What determines whether an i1 Validated Assessment will result in HITRUST issuing a certification report as opposed to just a validated assessment report? In other words, what scoring is needed to get an i1 Certification?
For an i1 Validated Assessment to achieve certification, no assessment domain’s straight-average score can be below 83. By contrast, for an r2 Validated Assessment to earn an r2 Certification, no assessment domain’s straight-average score can be below 62.
Will the i1 Validated Assessment allow control carve-outs of fourth-party performed controls?
Yes. The i1 allows for either a “carve-out method” or “inclusive method” for controls performed by separate parties (e.g., cloud service providers). The r2 Validated Assessment only allows the inclusive method.
If I’m currently in the process of performing an r2 Validated Assessment and I’d like to change course and instead perform an i1 Validated Assessment, what’s the best course of action in HITRUST MyCSF?
You can take a few different routes in this scenario, depending on your MyCSF access level:
- The first option is to create a new i1 Validated Assessment object in MyCSF and then internally inherit the scoring, commentary, and linked documents present in your r2 Assessment into your i1 Assessment. Then, complete the remainder of the i1 Assessment as needed and when ready, submit the i1 Assessment object to HITRUST.
- A second option is to change your r2 Assessment object into an i1 Assessment object by modifying the pre-assessment configuration questions. After changing the object’s configuration from r2 to i1 and refreshing the assessment, it becomes an i1 Assessment object instead of an r2 Assessment object.
- A third option is to clone your r2 Assessment object, then perform the steps outlined in option 2 against the cloned object.
How long will organizations have to finish the i1 Report?
90 days fieldwork maximum, just like the r2.
Are there any differences in the incubation period for newly implemented or remediated controls on i1 Assessments compared to an r2?
No. For i1 Assessments, the incubation period for newly implemented and remediated controls is 90 days, the same as for the r2.
Can internal assessors be leveraged for i1 Assessments?
Yes. It’s just like on r2 Assessments.
Can personnel performing i1 Assessments use MyCSF’s offline assessment template?
Yes, if allowed at the assessed entity’s MyCSF subscription level.
Is evidence required for submission with the i1?
Yes. Evidence supporting any control implementation scores greater than 0 must be either linked or uploaded in MyCSF.
Can an i1 Validated Assessment inherit from an r2 Validated Assessment, and vice versa?
Yes and Yes. However, note that only the implemented level’s scoring can be inherited when inheriting from an i1 Assessment into an r2 Assessment given that i1 Assessments only consider control implementation. This limitation does not absolve those involved in r2 Assessments from either (a) accurately scoring the policy, procedure, and optionally measured and managed levels based on inspection of supporting evidence, or (b) scoring the policy, procedure, and (optionally) measured and managed scores at 0.
If an IT services provider (such as a cloud service provider) only publishes an i1 Validated Assessment for an external inheritance, how are their customers impacted?
While HITRUST anticipates that most organizations who publish their HITRUST assessments for external inheritance will use r2 Assessments instead of i1 Assessments, service providers such as CSPs do have the option to only perform i1 Assessments. In this case, their customers/tenants inheriting from them will be limited to inheriting only the implemented scoring and commentary from the i1 and no policy, procedure, measured, or managed scoring will be available for inheritance.
Are Corrective Action Plans (CAPs) allowed on an i1 Assessment, and what determines whether a CAP is needed instead of a gap?
On i1 Assessments, HITRUST requires assessed entities to define Corrective Action Plans (CAPs) for all HITRUST CSF requirements meeting the following criteria: the requirement’s implemented maturity level scores less than “fully compliant” and the associated control reference (e.g., 00.a) averages less than 80. For any requirement where the implemented maturity level scores less than “fully compliant” but the associated control reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a CAP.
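The two scoring rules stated in this FAQ, the per-domain 83 straight-average minimum for i1 certification (from the certification-scoring questions above) and the CAP-versus-gap decision based on the control-reference average of 80, can be expressed as a small evaluator. The following is an added example written for this page, not HITRUST or MyCSF code. It assumes a flat list of requirement records, treats “fully compliant” as a score of 100 on the 0–100 implemented scale, excludes requirements deemed N/A from every average, and uses constructed requirement identifiers, domain names and scores; the only values taken from the FAQ are the thresholds 83, 62, 75, 80 and 100. The `equivalent_i1_threshold` helper also carries through the FAQ’s claim that an r2 threshold of 62 out of a maximum of 75 through the Implemented level corresponds to the i1 threshold of 83 out of 100.

```python
"""Evaluate i1 implemented-level scoring as described in the HITRUST i1 FAQ.

Rules implemented:
  * every assessment domain's straight-average score must be >= 83 to certify
  * a requirement scoring below "fully compliant" (assumed to be 100) needs a CAP
    when its control reference averages < 80, otherwise it is recorded as a gap
  * requirements deemed N/A are excluded from all averages (assumption)
Identifiers, domain names and scores below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional

I1_CERT_THRESHOLD = 83            # per-domain straight-average minimum for i1 certification
R2_CERT_THRESHOLD = 62            # per-domain minimum for r2 certification
R2_MAX_THROUGH_IMPLEMENTED = 75   # highest r2 score reachable when assessing only through Implemented
CAP_CONTROL_REF_THRESHOLD = 80    # control-reference average below which a CAP is required
FULLY_COMPLIANT = 100             # assumption: "fully compliant" == 100 on the 0-100 implemented scale


@dataclass(frozen=True)
class Requirement:
    req_id: str                       # constructed identifier
    domain: str                       # assessment domain (constructed name)
    control_ref: str                  # CSF control reference, e.g. "00.a"
    implemented_score: Optional[int]  # 0..100, or None when deemed N/A


# Constructed sample assessment: three domains, nine requirements, one N/A.
SAMPLE_REQUIREMENTS: List[Requirement] = [
    Requirement("A1", "Endpoint Protection", "07.a", 100),
    Requirement("A2", "Endpoint Protection", "07.a", 50),   # pulls 07.a's average to 75 -> CAP
    Requirement("A3", "Endpoint Protection", "07.b", 100),
    Requirement("B1", "Access Control", "01.a", 100),
    Requirement("B2", "Access Control", "01.a", 75),        # 01.a averages 87.5 -> gap, not CAP
    Requirement("B3", "Access Control", "01.b", None),      # deemed N/A, ignored in averages
    Requirement("B4", "Access Control", "01.b", 100),
    Requirement("C1", "Data Protection", "06.a", 60),       # drags the domain average below 83
    Requirement("C2", "Data Protection", "06.b", 100),
]


def _scored(reqs: List[Requirement]) -> List[Requirement]:
    """Drop N/A requirements so they do not influence any average."""
    return [r for r in reqs if r.implemented_score is not None]


def _group_average(reqs: List[Requirement], key: Callable[[Requirement], str]) -> Dict[str, float]:
    groups: Dict[str, List[int]] = defaultdict(list)
    for r in _scored(reqs):
        groups[key(r)].append(r.implemented_score)
    return {name: mean(scores) for name, scores in groups.items()}


def domain_averages(reqs: List[Requirement]) -> Dict[str, float]:
    """Straight (unweighted) average of requirement scores per assessment domain."""
    return _group_average(reqs, lambda r: r.domain)


def control_ref_averages(reqs: List[Requirement]) -> Dict[str, float]:
    """Average score per CSF control reference (e.g. all requirements under 07.a)."""
    return _group_average(reqs, lambda r: r.control_ref)


def failing_domains(reqs: List[Requirement], threshold: int = I1_CERT_THRESHOLD) -> List[str]:
    """Domains whose straight average falls below the certification threshold."""
    return sorted(d for d, avg in domain_averages(reqs).items() if avg < threshold)


def certifiable(reqs: List[Requirement], threshold: int = I1_CERT_THRESHOLD) -> bool:
    """True when no domain's straight average is below the threshold."""
    return not failing_domains(reqs, threshold)


def classify_shortfalls(reqs: List[Requirement]) -> Dict[str, str]:
    """Map each not-fully-compliant requirement to 'CAP' or 'gap' per the FAQ rule."""
    ref_avg = control_ref_averages(reqs)
    outcome: Dict[str, str] = {}
    for r in _scored(reqs):
        if r.implemented_score >= FULLY_COMPLIANT:
            continue
        needs_cap = ref_avg[r.control_ref] < CAP_CONTROL_REF_THRESHOLD
        outcome[r.req_id] = "CAP" if needs_cap else "gap"
    return outcome


def equivalent_i1_threshold(r2_threshold: int = R2_CERT_THRESHOLD,
                            r2_max: int = R2_MAX_THROUGH_IMPLEMENTED) -> int:
    """Rescale the r2 threshold (out of 75 through Implemented) onto the i1's 0-100 scale."""
    return round(100 * r2_threshold / r2_max)


if __name__ == "__main__":
    print("domain averages:", domain_averages(SAMPLE_REQUIREMENTS))
    print("failing domains:", failing_domains(SAMPLE_REQUIREMENTS))
    print("certifiable:", certifiable(SAMPLE_REQUIREMENTS))
    print("CAP / gap:", classify_shortfalls(SAMPLE_REQUIREMENTS))
    print("r2 62/75 on the i1 scale:", equivalent_i1_threshold())
```

Running the sample shows why both rules matter independently: requirement B2 scores 75 yet only produces a gap because its control reference still averages 87.5, while the Data Protection domain blocks certification at a straight average of 80 even though two of the three domains clear 83.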
Is a Certified HITRUST Quality Professional (CHQP) review and sign-off required before the submission of an i1 Validated Assessment to HITRUST?
Yes. It’s just like on r2 Validated Assessment submissions.
Can the HITRUST QA Reservation System be used for scheduling submission and QA for an i1 Validated Assessment?
Yes. Just like on r2 Validated Assessment submissions, a QA reservation is required.
Does HITRUST do a sample-based quality assurance review of submitted i1 Validated Assessments? Is this QA any different than the QA review performed for submitted r2 Validated Assessments?
Yes and Yes. HITRUST performs a sample-based QA for i1 Validated Assessment submissions much in the same manner that we do for r2 Validated Assessment submissions. The notable difference is that HITRUST does not QA a sample of requirements with measured and/or managed scores on i1 submissions (as i1 Assessments do not include the measured and managed control maturity levels).
How long is QA expected to take for the i1 once HITRUST accepts the submission and begins review?
The time necessary to perform a quality assurance review of any validated assessment submission varies based on the complexity of the assessment, the quality of the External Assessor documentation, the quality and consistency of the External Assessor’s validation procedures, and many other factors. However, the established HITRUST i1 post-submission Service Level Agreement (SLA) is not greater than 45 business days with HITRUST (otherwise the customer’s next i1 Validated Assessment report credit is free).
This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase) or the last day of the QA Block from the reservation. Days are counted for any business days where the assessment is in a HITRUST-owned phase before the draft report is posted. Validated Assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The “days with HITRUST” measure is visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.
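To make the “days with HITRUST” measurement concrete, here is an added example (not HITRUST or MyCSF code) that counts the measure from a constructed phase history. It follows the rule as stated: the clock starts on the earlier of the Performing QA start date and the last day of the reserved QA Block, and only business days on which the assessment sits in a HITRUST-owned phase before the draft report is posted are counted. “Performing QA” is the one phase name the FAQ gives; the other phase names, the set of which phases count as HITRUST-owned, the weekday-only definition of a business day, the optional holiday list, and all dates are assumptions made for this example.

```python
"""Count "days with HITRUST" for an i1 QA SLA check, per the FAQ's description.

Assumptions (not from the FAQ): phase names other than "Performing QA", which
phases are HITRUST-owned, business day == Monday-Friday minus an optional holiday
set, and every date in the sample history.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

SLA_BUSINESS_DAYS = 45  # from the FAQ: not greater than 45 business days with HITRUST

# Assumption: which MyCSF phases count as "HITRUST-owned". Only "Performing QA" is named
# in the FAQ; "Drafting Report" is a constructed name for illustration.
HITRUST_OWNED_PHASES: FrozenSet[str] = frozenset({"Performing QA", "Drafting Report"})


@dataclass(frozen=True)
class PhaseInterval:
    phase: str   # phase name
    start: date  # first day in this phase (inclusive)
    end: date    # first day no longer in this phase (exclusive)


def phase_on(history: List[PhaseInterval], day: date) -> Optional[str]:
    """Return the phase the assessment was in on a given day, or None if unknown."""
    for interval in history:
        if interval.start <= day < interval.end:
            return interval.phase
    return None


def sla_clock_start(qa_start: date, qa_block_last_day: date) -> date:
    """Earlier of the Performing QA start day and the last day of the reserved QA Block."""
    return min(qa_start, qa_block_last_day)


def is_business_day(day: date, holidays: FrozenSet[date] = frozenset()) -> bool:
    return day.weekday() < 5 and day not in holidays


def days_with_hitrust(history: List[PhaseInterval], qa_start: date, qa_block_last_day: date,
                      draft_posted: date, holidays: FrozenSet[date] = frozenset()) -> int:
    """Business days in a HITRUST-owned phase from the SLA clock start until the draft report posts."""
    day = sla_clock_start(qa_start, qa_block_last_day)
    counted = 0
    while day < draft_posted:
        if is_business_day(day, holidays) and phase_on(history, day) in HITRUST_OWNED_PHASES:
            counted += 1
        day += timedelta(days=1)
    return counted


def sla_met(days: int, limit: int = SLA_BUSINESS_DAYS) -> bool:
    return days <= limit


# Constructed sample: QA begins Tue 2024-03-05, three days before the reserved block ends
# (Fri 2024-03-08), so the clock starts on 03-05. A customer-owned response window in the
# middle (constructed phase name "Awaiting Assessor Response") must not be counted.
SAMPLE_HISTORY: List[PhaseInterval] = [
    PhaseInterval("Performing QA", date(2024, 3, 5), date(2024, 3, 19)),
    PhaseInterval("Awaiting Assessor Response", date(2024, 3, 19), date(2024, 3, 26)),
    PhaseInterval("Performing QA", date(2024, 3, 26), date(2024, 4, 2)),
]
SAMPLE_QA_START = date(2024, 3, 5)
SAMPLE_QA_BLOCK_LAST_DAY = date(2024, 3, 8)
SAMPLE_DRAFT_POSTED = date(2024, 4, 2)


def sample_measure() -> int:
    return days_with_hitrust(SAMPLE_HISTORY, SAMPLE_QA_START, SAMPLE_QA_BLOCK_LAST_DAY,
                             SAMPLE_DRAFT_POSTED)


if __name__ == "__main__":
    measured = sample_measure()
    print(f"days with HITRUST: {measured}  (SLA met: {sla_met(measured)})")
```

In the sample, the first Performing QA stretch contributes ten business days (03-05 through 03-18), the customer-owned week contributes none, and the second stretch contributes five (03-26 through 04-01), for fifteen days against the 45-day SLA. Swapping the two start inputs shows the “earlier of” rule: if the QA Block had ended before QA actually began, the clock would start at the block’s last day instead.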
Can a HITRUST i1 Validated Assessment result in a certification?
Does the i1 produce a secondary certification like the r2 produces a NIST CSF certification?
No. Just a HITRUST certification.
Can the MyCSF Compliance and Reporting Pack for HIPAA be run against i1 Assessments?
No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 Assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 Assessments.
Can i1 Validated Assessment deliverables be shared via the HITRUST Results Distribution System, and can they be shared through the HITRUST Assessment XChange?
i1 PDF deliverables (e.g., the i1 Validated Assessment Report) can be shared through the HITRUST Assessment XChange (“HAX”) just like r2 PDF deliverables. In addition, the HITRUST Results Distribution System (RDS) allows sharing i1 Assessment results through a web browser and/or API just like for bC and r2 Assessment results.