Read our Frequently Asked Questions

HITRUST CSF v11.1.0 Framework

  • Will v11.1.0 and v11.0.1 both be in HITRUST MyCSF?
  • What’s different between HITRUST CSF v11.1.0 and v11.0.1?
  • If an organization is in the process of starting an assessment in v11.0.1, should they re-evaluate and move to v11.1.0?
  • How will this impact existing v11.0.1 assessments in process?

HITRUST CSF v11 Framework

  • What has changed between v9.6 and v11?
  • How do the v11.0 i1 requirement statements compare to the v9.6 i1 requirement statements?
  • What does it mean for an Authoritative Source to be refreshed?
  • Will v11 and v9.1-9.6 all be in the HITRUST MyCSF platform?

HITRUST Essentials, 1-year (e1) Validated Assessment + Certification

  • What is the new HITRUST Essentials, 1-year (e1) Validated Assessment + Certification?
  • Does the e1 Essentials Assessment replace the Basic, Current-state (bC) Assessment? What if we already have a bC underway?
  • HITRUST indicates that the e1 Assessment is “cyber threat-adaptive” – what does cyber threat-adaptive mean?
  • How much does an e1 Assessment cost?

HITRUST Implemented, 1-year (i1) Validated Assessment + Certification

  • How do the v11.0 i1 requirement statements compare to the v9.6 i1 requirement statements?
  • What is the HITRUST Implemented, 1-year (i1) Validated Assessment + Certification?
  • HITRUST indicates that the i1 Assessment is “cyber threat-adaptive” – what does cyber threat-adaptive mean?
  • Can organizations do i1 Assessments in back-to-back years?

HITRUST Results Distribution System

  • When will the RDS API functionality be available?
  • What is the HITRUST Results Distribution System (RDS)?
  • What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?
  • How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?

HITRUST MyCSF Compliance and Reporting Pack for HIPAA

  • What is the MyCSF Compliance and Reporting Pack for HIPAA?
  • Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?
  • Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?
  • How does an inflight assessment leverage the new MyCSF Compliance and Reporting Pack for HIPAA?

HITRUST Bridge Assessment and Certificate

  • What is the HITRUST Bridge Assessment?
  • Is a Bridge Assessment only available for an r2 certification?
  • How does a Bridge Assessment affect the interim assessment due date?
  • Why is the three-month period of the HITRUST Bridge Certificate deducted from the organization’s next HITRUST Certification?

MyCSF

  • Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
  • Can the tool link to supporting documents rather than copy?
  • Is attaching a workpaper (w/p) or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
  • Are the other types of assessments (GDPR, etc.) only self-assessments that can’t be validated?

Inheritance and Shared Responsibility Program

  • Is inheritance all or nothing for each requirement or can it be weighted?
  • Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
  • Who will need to subscribe to HITRUST MyCSF for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
  • Will companies still have to pay to allow their assessments to be inherited?

HITRUST Assurance Program

  • What is the HITRUST Assurance Program?
  • How can I confirm an organization’s certification status?
  • What is the process for an organization to achieve HITRUST Certification?
  • How many organizations have completed a HITRUST Assessment?

Accepting HITRUST Certified Assessment Reports

  • What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST assessed entity?
  • My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?
  • My customer has an issue with the perception of the assessor that performed my organization’s HITRUST Validated Assessment. How do I address their concern?
  • Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST Assessment/Certification and what can I do to prevent or minimize the impact of this?

Third-Party Assurance

  • If my Cloud Service Provider is HITRUST Certified, does that mean my environment is as well?
  • Can I provide my ISO 27001 certification in lieu of HITRUST Certification for third-party assurance?
  • What types of questions are there, and what information will we need to provide?
  • How do I understand the CSF Assessment report I have received?

External Assessor Program

  • What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
  • Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
  • What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
  • What are the costs associated with the Assessor program?

HITRUST Threat Catalogue

  • How often will the HITRUST Threat Catalogue be updated?
  • What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
  • How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
  • How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

HITRUST Risk Management Framework

  • Does a HITRUST Assessment include NIST Reporting?
  • Is an interim review required to maintain your HITRUST Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a NIST Cybersecurity Framework certification?
  • Does a HITRUST Assurance assessment weight all controls equally?

HITRUST CSF Additional Frequently Asked Questions

  • Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
  • Is the scope of the HITRUST CSF too large for most organizations?
  • Does the HITRUST CSF take a “one-size-fits-all” approach to information protection?
  • What are the goals for the HITRUST CSF?

HITRUST Assurance Program and Certification

  • Does a HITRUST Assurance assessment weight all controls equally?
  • Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST Validated or Certified Report?
  • How often do I need to get a HITRUST Assessment report to support my third-party assurance requirements?
  • How can I use the HITRUST Assurance Program for third-party risk management?

HITRUST and the NIST Cybersecurity Framework

  • Does a HITRUST Assessment include NIST Reporting?
  • Is an interim review required to maintain your HITRUST Certification for the NIST Cybersecurity Framework?
  • What makes HITRUST a valid organization for issuing a NIST Cybersecurity Framework certification?
  • Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST CSF and NIST CSF

  • What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
  • What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
  • Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
  • How long is HITRUST Certification for the NIST Cybersecurity Framework valid?

Interim Review

  • When is an Interim Assessment for an r2 Certification due?
  • What type of MyCSF access do non-subscribers receive when purchasing an Interim Assessment?
  • How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
  • Do you have to score each requirement statement selected in an Interim Assessment?

Control Maturity and Continuous Monitoring and Assessment

  • What is the role of continuous monitoring in the HITRUST scoring process?
  • Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
  • What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
  • How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
