Interim Review FAQs
Will it be the same level of access as we get for full assessment submission?
Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.
Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?
Interim assessments need to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion.
If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
Interim assessments completed after April 1, 2019 need to adhere to the current guidelines, including submitting through MyCSF. The only exception is for organizations holding a certification on CSF v9.0 or prior versions – they can submit outside of MyCSF but must meet all other current interim assessment requirements.
How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
Since the controls are selected randomly by MyCSF, there is no way to provide advance notice. However, for MyCSF subscribers, interim assessments can be generated up to 120 days in advance of their due date.
Do you need evidence for every requirement statement and domain like on a validated assessment?
Yes, evidence is required for each selected control requirement in the interim assessment.
Do you have to submit complete scoring for each requirement statement?
Yes, complete scoring must be submitted for each selected control requirement.
Does the 90-day rule for evidence apply for interim assessments?
- Yes. Control requirements that are not associated with required CAPs must have been in place for 90 days in order to be scored, and they must have been tested within the preceding 90 days from submission to HITRUST. This should not be an issue as the controls should have been scored during the supporting full assessment.
- Changes in scores for control requirements that are associated with a required CAP are considered demonstration of progress and are not subject to the 90-day rule.
How do you submit an assessment if you were certified against CSF v9.0 or prior versions?
- HITRUST is granting exceptions for certifications obtained against HITRUST CSF v9.0.
- Since CSF v9.0 is not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed outside MyCSF, but non-subscribers are subject to all other interim assessment requirements, including the $2,900 fee.
How will the interim assessment process be different from the interim review memorandum previously used?
The interim assessment now requires full testing of the sampled control requirements and must undergo the same Quality Assurance process as a full assessment.
Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?
The interim assessment is performed against a random sample of control requirements. They will be assessed against all maturity domains and HITRUST will review all maturity domains of the sampled control requirements. In addition, control requirements that generated required CAPs will also be examined for evidence of progress.
Will the interim submission that will be conducted on the HITRUST portal be the same as or similar to a full assessment, or will it show only selected sample questions to be scored and validated?
The interim assessment will be performed against a random sample of requirements that will be selected at the time the interim assessment is generated. HITRUST will only process the selected sample but, in cases where an object was recreated, will perform verification to ensure the accuracy of all the scores and the integrity of the interim assessment.
Must the submission be performed by the assessed organization or the assessor firm as in the full assessment, or can the scores/comments be directly entered by one login and submitted?
The interim assessment must be completed by the assessed organization and then submitted to their assessor. The assessor must agree that all scores are accurate before generating the interim assessment. The assessor will submit the interim assessment to HITRUST once they have completed their testing.
Do I have to perform my interim assessment in MyCSF?
HITRUST is granting an exception for certifications obtained against HITRUST CSF v9.0 or earlier. Since CSF v9.0 and prior versions are not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed outside of MyCSF but are subject to all other interim assessment requirements, including a $2,900 fee.
Is there a fee for HITRUST to process the interim assessment?
- Yes, there is a fee of $2,900 but this is waived for active MyCSF subscribers.
- The fee includes 60 days of access to MyCSF for non-subscribers to recreate and submit their interim assessment, processing of the interim assessment and, upon successful completion, issuance of an Interim Letter.
How is the existing validated assessment utilized for the interim review?
The interim review is generated from the original certified assessment object.
My interim assessment is coming up, how do I get started?
- MyCSF subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. Customers may begin the process 120 days before the submission date by manually generating the object.
- Non-subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. They will have to contact our sales department to obtain access to MyCSF to generate their interim assessment. This access lasts for 60 days and you will be required to reconstruct your assessment scores, as well as the comments for all original control requirements marked as N/A.