The underlying logic concerning the automatic inclusion of requirement statements within MyCSF assessments has been updated.
With the HITRUST CSF v9.4 framework release, HITRUST has updated the underlying logic of the HITRUST MyCSF platform that governs how HITRUST CSF Assessments incorporating regulatory factors are created. Now, the selection of an optional regulatory factor includes all relevant requirement statements, including those that map outside the controls required for HITRUST CSF Certification. This action was taken in response to feedback from stakeholders asking that we ensure complete coverage of requirement statements based on regulatory factor choices while excluding requirement statements that are not relevant.
Previously, requirement statements related to regulatory factors were only brought into the scope of a baseline assessment if they were related to one of the control references required for HITRUST CSF Certification. As of 6/22/2020, when a regulatory factor is selected, all associated requirement statements will be pulled into the assessment, even if they are related to a control reference that is not required for HITRUST CSF Certification. This change may increase the number of requirements included in an assessment but is necessary to ensure that both assessed entities and the parties relying upon them obtain the most accurate understanding of posture relative to a given regulatory requirement.
At the same time, HITRUST has updated the MyCSF platform to support a reduction in requirement statements included in an assessment. Specifically, MyCSF no longer automatically pulls in additional regulatory factor-related requirement statements merely because they are associated with the same level (e.g., Level 2 or Level 3) as other requirement statements that may have previously been included by default.
The result is that organizations will have greater certainty that their assessment contains all requirement statements necessary to provide proper assurances for their relevant regulatory factors, without the inclusion of superfluous requirement statements.