HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the possible impact of not maintaining HITRUST CSF Certification.
The HITRUST CSF Bridge Assessment provides a solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.
HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.
Full details are listed in the new Assurance Advisory, HAA 2020-004: HITRUST CSF Bridge Assessments.
In addition, HITRUST has recently issued other advisories to address impacts of COVID-19 on performing CSF Assessments that can be found here.
- 19 requirement statements will be randomly selected by the HITRUST MyCSF platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment.
- A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment.
- The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
- A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
- A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
Who qualifies? If my organization’s operations have been impacted by activating our business continuity plan, do I still qualify?
Any organization that (a) has a HITRUST CSF Validated Report with Certification, (b) will miss its validated assessment submission due date, and (c) hasn’t missed that due date by more than 30 days.
Organizations that have implemented a business continuity plan still qualify as long as the scoped control environment hasn’t degraded while operating in emergency mode.
When can I create, complete, and submit a HITRUST CSF Bridge Assessment to HITRUST?
The HITRUST CSF Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST CSF Certification. It can then be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
My organization is a cloud service provider (CSP) participating in the HITRUST Inheritance Program. If my organization obtains a HITRUST Bridge Certificate, can customers still inherit applicable assessment information from our HITRUST CSF Assessment Report?
As previously stated, Bridge Certificates do not extend the expiration date of HITRUST CSF Validated Reports with Certification. Instead, they represent a form of certification that offers less assurance than HITRUST CSF Validated Reports with Certification. As such, inheritance from HITRUST CSF Validated Reports with Certification past the stated expiration date is not allowed (regardless of whether a Bridge Certificate was awarded to the organization).
Where can I find more information?
Please contact your HITRUST Customer Success Manager for more information, or refer to the following resources:
- HITRUST CSF Bridge Assessment Overview Deck
- HITRUST CSF Bridge Assessment Datasheet
- HITRUST Assurance Advisory, HAA 2020-04: HITRUST CSF Bridge Assessments