Read our Frequently Asked Questions

HITRUST CSF v9.6 Framework

  • Will v9.6.0 and v9.5.2 both be in the HITRUST MyCSF platform?
  • What’s different between HITRUST CSF v9.6.0 and v9.5.2?
  • If an organization is in the process of starting an assessment in v9.5.2, should they re-evaluate and move to v9.6.0?
  • How will this impact existing v9.5.2 assessments in process?

HITRUST Assessment Portfolio Expansion

  • Why did HITRUST need to add assessments to its portfolio? How do I know which one is appropriate to satisfy internal and external assurances and requests from third parties?
  • What is a “cybersecurity best practices” assessment, and how is it different than a “good security hygiene” assessment?
  • How do the new bC and i1 assessments compare in assurance and quality to the previous HITRUST CSF Validated Assessment (now called the r2)?
  • If I need to demonstrate compliance with HIPAA, which HITRUST assessment should I use?

HITRUST Implemented, 1-year (i1) Validated Assessment + Certification

  • What is the new HITRUST Implemented, 1-year (i1) Validated Assessment + Certification?
  • HITRUST indicates that the i1 Assessment is “threat-adaptive” – what does threat-adaptive mean?
  • How much does an i1 Assessment cost?
  • When will HITRUST make the i1 Assessment available?

HITRUST Basic, Current-state (bC) Verified Self-Assessments

  • How do I start a Basic Current-state (bC) Assessment?
  • Can you do carve-outs with a bC Assessment?
  • How much does a bC Assessment cost?
  • Is the bC “tailorable”?

HITRUST Results Distribution System

  • When will the RDS be available?
  • What is the HITRUST Results Distribution System (RDS)?
  • What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?
  • How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?

HITRUST MyCSF Compliance and Reporting Pack for HIPAA

  • What is the MyCSF Compliance and Reporting Pack for HIPAA?
  • When will the MyCSF Compliance and Reporting Pack for HIPAA be available?
  • Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?
  • Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

HITRUST Quality Assurance Reservation System

  • Do I need to make a reservation for a Bridge, Interim, or Readiness Assessments?
  • Does the date of my Reservation represent the date that will appear on my Final Report and/or Certification?
  • Are reservations required for HITRUST Validated Assessments?
  • Where do I make a reservation?

HITRUST Bridge Assessment and Certificate

  • What is the HITRUST Bridge Assessment?
  • Is a Bridge Assessment only available for an r2 certification?
  • How does a Bridge Assessment affect the interim assessment due date?
  • Why is the three-month period of the HITRUST Bridge Certificate deducted from the organization’s next HITRUST Certification?

MyCSF

  • Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
  • Can the tool link to supporting documents rather than copy?
  • Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
  • Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

Inheritance and Shared Responsibility Program

  • Is inheritance all or nothing for each requirement or can it be weighted?
  • Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
  • Who will need to subscribe to HITRUST MyCSF for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
  • Will companies still have to pay to allow their assessments to be inherited?

HITRUST Assurance Program

  • What is the HITRUST Assurance Program?
  • How can I confirm an organization’s certification status?
  • What is the process for an organization to achieve HITRUST Certification?
  • How many organizations have completed a HITRUST Assessment?

Accepting HITRUST Certified Assessment Reports

  • What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST assessed entity?
  • My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
  • My customer has an issue with the perception of the assessor that performed my organization’s HITRUST Validated Assessment. How do I address their concern?
  • Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST Assessment/Certification and what can I do to prevent or minimize the impact of this?

Third-Party Assurance

  • If my Cloud Service Provider is HITRUST Certified, does that mean my environment is as well?
  • Can any CPA firm issue a joint SOC 2/HITRUST Certified report?
  • Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
  • Can I provide my ISO 27001 certification in lieu of HITRUST Certification for third-party assurance?

External Assessor Program

  • What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
  • Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
  • What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
  • What are the costs associated with the Assessor program?

HITRUST Threat Catalogue

  • How often will the HITRUST Threat Catalogue be updated?
  • What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
  • How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
  • How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

HITRUST Risk Management Framework

  • Does a HITRUST Assessment include NIST Reporting?
  • Is an interim review required to maintain your HITRUST Certification for the NIST Cyber Security Framework?
  • What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
  • Does a HITRUST Assurance assessment weight all controls equally?

HITRUST CSF Additional Frequently Asked Questions

  • Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
  • Is the scope of the HITRUST CSF too large for most organizations?
  • Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
  • What are the goals for the HITRUST CSF?

HITRUST Assurance Program and Certification

  • Does a HITRUST Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST Validated or Certified Report?
  • How often do I need to get a HITRUST Assessment report to support my third-party assurance requirements?
  • How can I use the HITRUST Assurance Program for third-party risk management?

HITRUST and the NIST Cybersecurity Framework

  • Does a HITRUST Assessment include NIST Reporting?
  • Is an interim review required to maintain your HITRUST Certification for the NIST Cyber Security Framework?
  • What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
  • Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST CSF and NIST CSF

  • What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
  • What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
  • Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
  • How long is HITRUST Certification for the NIST Cybersecurity Framework valid?

Interim Review

  • When is an Interim Assessment for an r2 Certification due?
  • What type of MyCSF access do non-subscribers receive when purchasing an Interim Assessment?
  • How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
  • Do you have to score each requirement statement selected in an Interim Assessment?

Control Maturity and Continuous Monitoring and Assessment

  • What is the role of continuous monitoring in the HITRUST scoring process?
  • Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
  • What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
  • How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?