HITRUST CSF Bridge Assessment and Certificate FAQs

How does a bridge assessment affect the interim assessment due date?

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST CSF Certification is set to expire on 5/31/20 and this organization is awarded a HITRUST CSF Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the CSF Bridge Certificate’s expiration which results in a HITRUST CSF Certification. The organization’s newly issued HITRUST CSF Certification is dated 6/1/20, and the interim assessment would be due to HITRUST no later than 6/1/21.

Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?

The HITUST CSF Bridge Certificate is designed to assist organizations who need to maintain HITRUST CSF Certification but may be experiencing challenges in completing their next HITRUST CSF Validated Assessment.

The HITRUST CSF Bridge Assessment links the two HITRUST CSF Validated Assessments by offering a limited level of assurance during the period when the next HITRUST CSF Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST CSF Validated Assessment where the level of assurance can only be maintained for 24 months.

What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?

Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity activities, and/or adding a new vendor in observance of the organization’s third-party onboarding and review process.

What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include:

  • Moving from an on-premise data center into a public cloud environment,
  • Moving the organization’s physical headquarters,
  • Decommissioning a data center and moving all assets to a different data center,
  • Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS),
  • Changing an in-scope system so it uses a NoSQL backend instead of a relational database,
  • Moving away from an outsourced IT model by standing up an internal IT function,
  • Decommissioning the helpdesk ticketing system, and/or
  • New functionality in an in-scope platform enabling it to be accessed from a public location.


Should my organization pause or delay the process of starting a HITRUST CSF Assessment due to these upcoming changes?

No. There is no advantage in waiting to begin your HITRUST journey. The HITRUST MyCSF SaaS platform can be leveraged at any point after changes are introduced to compare the delta in requirement statements between different framework versions, helping customers determine whether switching from v9.x of the framework to v10 (future) makes sense for your organization. Whichever you decide, beginning a HITRUST CSF Assessment utilizing v9.x now will not cause delays or derail the assessment process, but rather give your organization a head start.

What level of implementation will the HITRUST CSF incorporate for NIST SP 800-53r5 (Low, Moderate, High, and/or Privacy)?

HITRUST will integrate all controls available in NIST SP 800-53r5. The HITRUST MyCSF SaaS platform will provide the ability to sub-select one or all of the NIST 800-53r5 baselines that work for your situation – Low, Moderate, High, and/or Privacy.

Will NIST SP 800-53r5 impact the structure of the HITRUST CSF?

The enhancements planned for Q1 2021 will structurally change the HITRUST CSF; however, it will not be impacted by the inclusion of NIST SP 800-53r5 nor will it require “relearning” of the framework. Upon release in Q1 2021, customers will have the ability to sort requirement statements by specific criteria such as NIST SP 800-53r5 within the HITRUST MyCSF SaaS platform.

Will HITRUST be incorporating NIST SP 800-53r5 into the HITRUST CSF and when?

Yes. HITRUST will soon announce more details on scheduled enhancements aimed at reducing complexity while maintaining comprehensive, best-in-class risk management strategies via the HITRUST Approach. These changes are planned for Q1 2021 and include incorporating 800-53r5 in the HITRUST CSF.


Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?

No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact jacob.bustos@hitrustax.com.

Can the tool link to supporting documents rather than copy?

Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.

Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

The only way to efficiently tailor an assessment and generate the control requirements is in MyCSF. Organizations that are undergoing a SOC2 that is based on the HITRUST CSF can leverage MyCSF to make the process more efficient. This is the case even if only pursuing the SOC2 and not HITRUST CSF Certification.

CSF Assurance Program FAQs

How can I confirm an organizations certification status?

If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the organization.

How can my organization utilize the CSF framework for an AICPA SOC 2 report?

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality, and Availability. Subsequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the client to receive in a combined format HITRUST Certification and a SOC 2 report. The next collaborative effort will be mapping the HITRUST CSF to the privacy principle.

For more information, refer to the SOC 2: Leveraging the CSF Webpage, and the HITRUST CSF to AICPA Trust Services Principles and Criteria mapping on the AICPA website.

What is the process for an organization to achieve HITRUST CSF Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor work is complete, please submit to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.

Reference: CSF Assurance Program Requirements

How many organizations have completed a HITRUST CSF Assessment?

38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.

For more information, refer to the HITRUST Key Programs and Services overview.

Third-Party Assurance FAQs

If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?

No. If a Cloud Service Provider (CSP) is HITRUST CSF Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:

  • There could be control gaps, so it is still incumbent that you perform thorough due diligence to evaluate how the CSP’s HITRUST CSF Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
  • While there are a subset of controls that only the CSP is responsible for (for example, environmental security within a production datacenter), there are controls that remain only your responsibility as the accountable party governing the data entrusted and how your users appropriately access and operate that cloud-hosted environment; further, there remain a significant portion of controls that are shared, and therefore you remain partially responsible for full coverage of control effectiveness.

For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST CSF Certified environment, please contact HITRUST Support at support@hitrustalliance.net.

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms. Many of these are CPA firms. If the current firm you use for your SOC 2 is not on the list, we would encourage you to ask what their plans are related to becoming an authorized HITRUST CSF assessor. Some may already be going through the process.

References: Risk Management Frameworks, CSF Assurance Program Requirements, and Risk Analysis Guide

Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to base future SOC 2 reports on the HITRUST CSF in order to fulfill the requirements of the program.

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).

While an organization could conceivably support ISO certification as a ‘first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to their organization have been implemented appropriately if it is to ascertain what residual risk(s) remain. And since this is best accomplished through the CSF Assurance Program, it just makes sense—from both an economic and resource perspective—to simply require a CSF validated or certified assessment from the onset.

References: Risk Management Frameworks, CSF Assurance Program Requirements and Risk Analysis Guide

External Assessor Program FAQs

What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?

A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform HITRUST CSF validated assessments.

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The 4th year the process starts over with the onsite class.

What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training class to assist organizations with certifications or independent consultants that have completed the HITRUST training class and assist organizations with self-assessments or implementing the CSF in their environment.

What are the costs associated with the Assessor program?

There are three costs associated with the HITRUST External Assessor Program:

  1. Application fee (one-time payment of $2,500)
  2. Training fee: Five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of those five people must complete the Certified HITRUST Quality Professional (CHQP) Course online – $2,000 per individual. Both the CCSFP and CHQP Courses are offered via the HITRUST Academy.
  3. Annual Program Fee (Tier rates based upon overall revenue from the prior year)

For exact pricing information and more details regarding the External Assessor Program, please contact csfassessor@hitrustalliance.net..

HITRUST Threat Catalogue FAQs

How often will the HITRUST Threat Catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.

How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.

How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and emerging threats by evaluating how well they’ve implemented related HITRUST CSF controls in their environment. More so, leveraging threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications will allow organizations to determine likelihood and impact in order to further tailor their information protection program and manage their risk.

HITRUST Risk Management Framework FAQs

Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cyber Security Framework?

No, the interim review requirement only applies to the HITRUST Certification.

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/ cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/ HPH_Framework_Implementation_Guidance.pdf.

Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST CSF Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other with the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide. HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and consider other factors, such as existing infrastructure, budget constraints and organizational culture when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.

The biggest difference between the two certifications is what they intend to certify.

In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants that help organizations prepare for ISO certification do not perform the certification assessment.

In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST CSF Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.

The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST CSF Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by an Authorized External Assessor Organization and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.

As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and CSF Assurance Program, one only has to look at the joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of industry-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.

The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.


What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?

Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

The answer to this question is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification.

There are three (3) documents that have been updated to reflect this change:

  • Mapping of the HITRUST CSF to the Trust Services Criteria;
  • The Guidance/FAQ document; and
  • The Illustrative management assertion and CPA opinion.


Will it be the same level of access as we get for full assessment submission?

Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped to each Core Subcategory within a Category. However, no additional Corrective Action Plans (CAPs) are needed to support HITRUST’s certification of the NIST Cybersecurity Framework beyond what is required for HITRUST CSF certification.

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification are very small. This is because each certification is based on a single assessment. While the individual scores for each control requirement are the same, the scores are aggregated differently to support reporting against the HITRUST CSF Assessment Report domains and the NIST Cybersecurity Framework Core Categories.

Interim Review FAQs

Will it be the same level of access as we get for full assessment submission?

Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.

Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?

Interim assessments need to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion.

If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?

Interim assessments completed after April 1, 2019 need to adhere to the current guidelines, including submitting through MyCSF. The only exception is for organizations holding a certification on CSF v9.0 or prior versions – they can submit outside of MyCSF but must meet all other current interim assessment requirements.

How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Since the controls are selected randomly by MyCSF, there is not a way to provide an advance notice. However, for MyCSF subscribers, interim assessments can be generated up to 120 days in advance of their due date.

Control Maturity and Continuous Monitoring and Assessment FAQs

What is the role of continuous monitoring in the HITRUST scoring process?

Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009.

Typical assessment and audit approaches generally focus on policy and implementation of the controls needed to implement that policy. HITRUST takes a more robust approach by specifically looking at the implementation of the control, including how well the control is supported by policy and procedures, as well as how well the organization monitors the effectiveness of the control and whether it takes appropriate action should monitoring indicate a degradation in effectiveness or failure of the control.

As shown in the table below, continuous monitoring is addressed by the ‘Measured’ and ‘Managed’ maturity levels with a maximum of 15 and 10 points awarded for each level, respectively.


Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.


As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.

By providing a common set of risk factors independent of the security and privacy controls that may or may not implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow these organizations to reduce the frequency of full, time-based recertification assessments, as shown in the graphic on the next page.

HITRUST plans to update the CSF Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.

Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments while those with higher scores striving to meet HITRUST requirements for ISCM would continue to undergo biannual recertification assessments with a targeted interim assessment.

Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, the frequency of which would be determined by its aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.

Benefits of the ISCM-based HITRUST CSF OC Program include:

  • On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
  • The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
  • Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
  • Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
  • A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
  • Longer periods between comprehensive control gap assessments (fewer interruptions at work)
  • Reduced time and effort needed to maintain certification (ability to focus on the real work)
  • Reduced lifecycle costs for maintaining certification (more money for other work)
  • Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)


*REFERENCE *: Eisensmith, J. (N.D.). Ongoing Authorization: Changing how Government does Security Compliance, CIO Review. Available from https://identity-governance-and-administration.cioreview.com/cxoinsight/ongoing-authorization-changing-how-government-does-security-compliance-nid-5608-cid-180.html.

*REFERENCE **: Eisensmith (N.D.).

*REFERENCE ***: Luu (2015). Implementing an Information Security Continuous Monitoring Solution—A Case Study. ISACA Journal
(1). Available from https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=264.

*REFERENCE ****: Luu (2015).

How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard vendor uses a proprietary approach to collecting data as well as proprietary analytics when computing the scores or ratings. In addition to the challenges inherent in their opacity, any changes to these proprietary approaches can change an organization’s score, sometimes dramatically, when there has been no discernable change in their actual security posture.* This is because the type of evidence collected for these scorecards is circumstantial and statements made about the actual state of the organization’s security posture must be inferred rather than directly observed.

Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization’s information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.

*REFERENCE *: CSO Online (2016, Aug 4).

Chat Now

This is where you can start a live chat with a member of our team