Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact email@example.com.
Can the tool link to supporting documents rather than copy?
Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.
Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.
Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
The only way to efficiently tailor an assessment and generate the control requirements is in MyCSF. Organizations that are undergoing a SOC 2 that is based on the HITRUST CSF can leverage MyCSF to make the process more efficient. This is the case even if only pursuing the SOC 2 and not HITRUST CSF Certification.
The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?
Yes. We do not generate any type of assurance report for targeted assessments. These are assessments that you can perform internally, and you can generate scorecards for them within the tool.
Do you have more information on the BASICs program? Can any organization participate or is there certain criteria that needs to be met?
The BASICs program is targeted to lower risk organizations. We will be defining the criteria of lower risk and these criteria will need to be met to participate.
Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?
Yes. We will be revising the full and refresher training courses. These can be taken through our LMS and will walk assessors through the process. We intend to make this module available to all CCSFPs.
In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?
The options are a function of the HITRUST CSF and will be updated to reflect more industry agnostic options with the release of HITRUST CSF v10.0.
Is there a limit to the number of active assessments?
Yes. The number of assessments that an organization can have is limited by the level of access they have in MyCSF. Subscribing customers can purchase additional assessment objects in MyCSF if necessary.
Can other types of assessments be done such as FISMA?
Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate scorecard within MyCSF.
If we use the API, is there a development environment available?
Deployment of the API focuses on getting information out of MyCSF and into your native toolsets. The API also allows getting information into MyCSF. Customers who subscribe at a level that includes this feature will be provided a test instance for integration testing.
Can you export assessments into a spreadsheet or csv document?
Organizations that have the appropriate subscription are able to export assessment data. Assessors’ test objects do not have this capability.
Can I get a HIPAA specific report?
Yes. In MyCSF 2.0 there is the ability to generate a targeted assessment against any one of the authoritative sources. Targeted assessments will only generate scorecards within MyCSF and will not result in a HITRUST Assurance Report.
Are organizations able to select which assessment version they use?
MyCSF 2.0 will be launched with CSF v9.1 in its library. It will have the feature to maintain multiple CSF versions and you will be able to take advantage of this once CSF v10.0 is released.
When is the HITRUST CSF v10.0 being released?
HITRUST CSF v10.0 will be released in 2021.
Do you support a hierarchy so that you can respond once on common controls like HR related items with the parent company and the responses go to all the sub assessments?
No. We do not have a hierarchy nor maintain any relationships between assessments. We encourage organizations to take advantage of the inheritance capability to achieve this.
Is inheritance all or nothing for each requirement or can it be weighted?
Inheritance is not all or nothing. You can assign a weight to the inherited score for a particular control requirement.
APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?
The API allows use by many GRC tools. We are working with the largest players in the GRC market to develop guidance for the integration process. The current API deployment will allow for information to be extracted from MyCSF. In the future, you will be able to place information from your native tool sets into MyCSF. We will be publishing the API specification in the near future.
Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built that assesses only policies, and then that policy assessment be used to populate multiple system assessments?
No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity domains.
Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?
No. A targeted assessment will be generated from the CSF library by pulling all requirements related to the targeted authoritative source. It will be a stand-alone assessment, but it can inherit from other assessments with the appropriate subscription level.
Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?
When possible, all evidence should be uploaded into MyCSF. This ensures a quick and consistent QA process. Failure to upload all evidence of testing will result in a “live” QA review by HITRUST via Webex.
Is there a fee associated with API integration? Or a subscription level?
Yes. This feature is only available with certain subscription levels.
Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
Anyone that wishes to allow their assessments to be inherited will need to subscribe. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with a service provider that they can inherit from. This should encourage organizations to do business with those that provide this service.
Are there any performance improvements with MyCSF 2.0?
Yes. We have minimized the number of clicks required to navigate an assessment. Also, we have tuned all queries and optimized caching to improve overall performance.
Does the tool support organizations other than those in healthcare?
Yes. MyCSF and the HITRUST CSF support organizations across all industries and globally.
Will companies still have to pay to allow their assessments to be inherited?
Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.
Does a subscription add value if I am not getting CSF Certified?
Yes, even if you are only completing an assessment. Purchasing a subscription will open access to the MyCSF assessment and authoritative source reporting, and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, and the ability to leverage the functionality to support Corrective Action Plan (CAP) management and longer-term remediation tracking. A subscription also includes the interim assessment at no additional cost.
What are the advantages of having a subscription to MyCSF?
- To save time and costs:
  - A subscription enables clients to retain data, eliminating redundant (internal or assessor) data-entry tasks for the interim assessment and subsequent assessments, saving organizations potentially hundreds of hours on a two-year assessment cycle.
  - With Advanced Analytics & Benchmarking in the MyCSF tool, reporting and analytics for managing the assessment help reduce cycle time and the resources required by providing actionable reports.
  - The interim assessment is included at no additional cost, a savings of $3000.
- Better understanding of risks:
  - A subscription provides an organization continuous visibility into its risk posture throughout the assessment lifecycle and insight into its overall risk status. It allows organizations to continuously assess over time, reacting to changes to the HITRUST CSF and to threats in their environment, and to maintain a constant and clear understanding of risk posture.
- Improved management reporting:
  - With Advanced Analytics & Benchmarking, organizations have the ability to communicate what has been done, is being done, and needs to be done in the assessment process. Management and administrator reporting enables organizations to maintain alignment across all levels of management and the Board of Directors for accurate decision making.
What do I receive if I only purchase a report?
Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Reports for authoritative sources such as HIPAA, SOC 2, and HITRUST. Also, report-only access is limited to 90 days. Extensions of access may be purchased for an additional fee. Each extension is for 30 days of access, and a maximum of one extension is allowed.
Can I get a trial subscription or demo?
HITRUST does offer a free 2-week trial access in the MyCSF tool. This access is provided in a sandbox environment. This environment does not contain all of the functionality found in the production version of MyCSF and information input into this system will not transfer into production should you subscribe. It is designed for organizations to familiarize themselves with MyCSF. Organizations can also request a demonstration through our website.
Why should I purchase a MyCSF subscription if I just need a report?
Purchasing a subscription will open access to the MyCSF assessment and authoritative source reporting, and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, and the ability to leverage the functionality to support Corrective Action Plan (CAP) management and longer-term remediation tracking. A subscription also includes the interim assessment at no additional cost.