
Submitted URL: https://events.hitrustalliance.net/e3t/Ctc/ZW+113/d2LJLY04/VWMttw205X4qW6R1S4s65fL3YW8BHpjy54sXpHN4lQrL03qgyTW7Y8-PT6lZ3n3N7NwLc67M...
Effective URL: https://hitrustalliance.net/advisories/?utm_campaign=FY23%20-%20News%20Alerts&utm_medium=email&_hsmi=277738240&_hsenc=p2ANqt...
Submission: On October 10 via api from US — Scanned from DE

ASSURANCE ADVISORIES

HITRUST Assurance Advisories are communications that notify HITRUST Assurance
Program stakeholders of enhancements, changes, and/or provide additional
guidance regarding the HITRUST Assurance Program requirements and supporting
methodologies and tools. All Assurance Advisories contain important information
regarding adoption requirements, scope, and timing, which can impact HITRUST
Assurance Program stakeholders.

All HITRUST Assurance Program stakeholders should review each Assurance Advisory
to understand the potential impact on them.

SUMMARY OF HITRUST ASSURANCE ADVISORIES 2023

HAA 2023-013: CSF Version 9.5 – 9.6 Decommission Notice

Impacted Policy/Program Name: HITRUST Assurance Program
Date: October 10, 2023
Advisory Type: Assurance Change

Overview

HITRUST is decommissioning CSF v9.5 and v9.6 according to the timeline below.

Notice and Timeline Details
Support of CSF v9.5 through v9.6

Effective as of the release of this advisory, maintenance support (i.e. CSF
updates that would result in an errata release according to HAA 2021-005: CSF
Versioning Policy) of v9.5 and v9.6 will be discontinued. Questions related to
these library versions will continue to be addressed via support tickets until
the libraries are removed from MyCSF on July 31, 2026. All assessments using
v9.5 – v9.6 will remain in MyCSF.

Key Assessment Dates

 * Effective June 30, 2024, the ability to create new v9.5.0 through v9.6.2
   assessment objects will be disabled. All new assessment objects created on or
   after June 30, 2024, must be created using HITRUST CSF v11 or later.
 * Effective April 30, 2025, the ability to submit v9.5.0 through v9.6.2
   assessment objects to HITRUST for report processing will be disabled.
 * Effective as of the release of this advisory, the QA Reservation system will
   not allow the selection of a submission date after April 30, 2025 when
   booking a reservation for an assessment object using v9.5.0 through v9.6.2.

Note that the following will not be impacted by the above notice:

 * Interim and Bridge Assessments will continue to utilize the same version of
   the HITRUST CSF that was used to create the original r2 Validated Assessment.
 * Internal and external inheritance will continue to be available from v9.5.0
   through v9.6.2 assessment objects until their expiration—for Uncertified r2
   Validated Assessments, a period of one (1) year from report date, and for
   Certified r2 Validated Assessments, a period of two (2) years from report
   date and timely completion of its Interim Assessment.

Additional resources
For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-012: CSF v11.1 Creation Deadline for e1 and i1 Assessments

Impacted Policy/Program Name: HITRUST Assurance Program
Date: October 10, 2023
Advisory Type: Assurance Change

Overview

Upon the release of CSF v11.2, all new e1 and i1 assessments must be created
using CSF v11.2.

Details

 * Effective October 10, 2023, the ability to create new e1 and i1 assessment
   objects in MyCSF using CSF v11.1 has been disabled.
 * e1 and i1 assessments using CSF v11.1 can continue to be submitted after
   October 10, 2023. HITRUST has not yet set an e1 and i1 submission deadline
   for v11.0.0, v11.0.1, and v11.1.0. Once set, the e1 and i1 assessment
   submission deadline will be announced a minimum of 90 days in advance.

e1 and i1 Assessment Change Summary

One requirement statement (16.09l1Organizational.4) included in the e1 and i1
assessment has been clarified in v11.2.

v11.2:
The organization maintains offline backups of
1. data.

v11.1:
The organization maintains offline backups of
1. data and
2. systems.

No other changes have been made to the e1 and i1 assessment requirement
statements between v11.1 and v11.2.

Additional resources
For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-011: CSF Version 11.2 Release

Impacted Policy/Program Name: HITRUST Assurance Program
Date: October 10, 2023
Advisory Type: Assurance Change

Overview

The HITRUST CSF v11.2 framework (v11.2) is available within MyCSF and
downloadable here as of October 10, 2023.

The changes included in v11.2 consist of:

 * An initial wave of requirement statement consolidation to reduce the volume
   of requirement statement overlap within the CSF
 * Several new and refreshed Authoritative Sources

New and Refreshed Authoritative Sources
v11.2 includes the following new Authoritative Sources:

 * Added NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 mapping and selectable
   Compliance factor “Artificial Intelligence Risk Management”
 * Added Ontario Personal Health Information Protection Act mapping and
   selectable Compliance factor “Ontario Personal Health Information Protection
   Act”
 * Added Veteran Affairs Directive 6500 mapping and selectable Compliance
   factor, “Veteran Affairs Directive 6500”
 * Added ISO 27001:2022 mapping and added a selectable Compliance factor, “ISO
   27001:2022”
 * Added ISO 27002:2022 mapping and added a selectable Compliance factor, “ISO
   27002:2022”
 * Added NY OHIP Moderate-Plus v5 mapping and selectable Compliance factor, “NY
   OHIP Moderate-plus Security Baselines v5”
   * The existing NY OHIP Moderate-Plus Compliance factor, “NY OHIP
     Moderate-plus Security Baselines v3”, will not be selectable as of v11.2.

The following Authoritative Sources have been refreshed in v11.2:

 * Refreshed 23 NYCRR 500 mapping and selectable Compliance factor, “23 NYCRR
   500”
 * Refreshed FTC Red Flags Rule mapping and selectable Compliance factor, “FTC
   Red Flags Rule”
 * Refreshed NV Title 52 603A mapping and selectable Compliance factor, “NV
   Title 52 603A”

Additionally, minor enhancements were made to the NIST SP 800-53 R5 mapping.

Changes to the r2 Assessment Baseline

One requirement statement (16.09l1Organizational.4) included in the r2
assessment baseline has been clarified in v11.2.

v11.2:
The organization maintains offline backups of
1. data.

v11.1:
The organization maintains offline backups of
1. data and
2. systems.

No other changes have been made to the baseline r2 assessment requirement
statements between v11.1 and v11.2. See HAA 2023-012 – CSF v11.1 Creation
Deadline for e1 and i1 Assessments for the impact to the e1 and i1 assessment
requirement statements.

Additional resources
For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-010: HITRUST Risk Management Handbook

Impacted Policy/Program Name: HITRUST Assurance Program
Date: September 12, 2023
Advisory Type: Assurance Change

Overview

The Risk Management Handbook presents risk management concepts and methodologies
foundational to the HITRUST Approach™. This handbook is intended to help support
integration of HITRUST products, services, and tools into an organization’s
existing risk management program.

Details
Since its release in 2009, HITRUST has developed and communicated specific
elements of its Risk Management Framework (RMF) through various whitepapers,
presentations, and other documents. The new Risk Management Handbook
consolidates and aligns these elements by providing a centralized discussion of
the underlying methodologies that make up the HITRUST RMF. The Risk Management
Handbook helps illustrate how those concepts support the various products,
services, and tools that collectively make up the HITRUST Approach.

The original risk analysis guidance present in the following documents will be
removed from the HITRUST website on December 12, 2023.

 * Risk Analysis Guide
 * Understanding HITRUST’s Approach to Risk vs. Compliance-based Information
   Protection
 * Risk Management Frameworks

While the Risk Management Handbook illustrates the foundational risk management
concepts underlying the HITRUST risk management framework (also known as the
HITRUST Approach), the Assessment Handbook (announced in exposure draft
alongside the Risk Management Handbook in HAA 2023-008) defines the requirements
for Assessed Entities and External Assessors completing readiness or validated
assessments and provides guidance and expectations of the assessment and
certification processes. Please note that the final version of the HITRUST
Assessment Handbook will be published in a future Advisory.

Additional resources

For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-009: Shared Responsibility Matrix (SRM) V1.4.1 Update

Impacted Policy/Program Name: HITRUST Shared Responsibility and Inheritance Program
Date: August 17, 2023
Advisory Type: Assurance Change

Overview

The HITRUST Shared Responsibility Matrix® (SRM) has been updated to V1.4.1. The
upgrade could impact Assessed Entities and their External Assessors who utilize
inheritance within their HITRUST assessments. Assessed Entities and External
Assessors who do not utilize inheritance within their HITRUST assessments are
not impacted by this Advisory.

SRM V1.4.1 Changes
SRM V1.4.1 adds inheritability values (e.g., fully, partially or not
inheritable) at the evaluative element (EE) level. Transparency at the EE-level
inheritability has several benefits, including:

 * Better precision in pre-assessment inheritance strategy-setting efforts.
 * More easily identifying requirement statements containing a mix of
   inheritable and not inheritable EEs.
 * More informed determination of inheritance weights, especially in partial
   inheritance scenarios.

As a result of taking the SRM down to the EE level, 129 requirement statements
increased inheritability and 73 requirement statements decreased inheritability
totaling 202 (7%) changes applied to the 2,724 SRM baseline requirement
statements spanning CSF v9.1 to v11.1.0. The rollout of the SRM V1.4.1 update
via the timeline below is intended to minimize the impact to assessments using
the legacy SRM V1.4 inheritability values that are already planned or in
process. For further details on these inheritability changes, refer to the
following:

 * The SRM V1.4.1 baseline template overview includes a table with the number of
   requirement statements impacted by inheritability changes per each HITRUST
   Assessment Domain.
 * All V1.4.1 SRMs include the legacy SRM V1.4 inheritability values in column C
   to be viewed side-by-side with SRM V1.4.1 inheritability values in column B
   that may have been updated.

SRM V1.4.1 Rollout and Timeline

Concurrent with the release of this advisory:

 * The HITRUST SRM baseline template available for download in MyCSF (full
   version) and hitrustalliance.net (public version) has been updated to SRM
   V1.4.1 and includes the legacy SRM V1.4 inheritability values for reference
   purposes.
 * All SRMs tailored for inheritance providers (e.g., AWS, GCP, Azure) have also
   been updated to SRM V1.4.1.

For the requirement statements with changed inheritability values in SRM V1.4.1,
all inheritance providers with a published SRM have confirmed that external
inheritance requests in a “Submitted” status within MyCSF with a weight using
either SRM V1.4 or SRM V1.4.1 will be approved by the inheritance provider,
assuming all other criteria set by the inheritance provider have been met, until
January 31, 2024.

All external inheritance requests submitted to inheritance providers after
January 31, 2024 are expected to be weighted in observance of inheritability
values in the latest SRM version.

Additional resources

For any additional questions, please contact our support team at
support@hitrustalliance.net or a HITRUST Customer Success Manager. For more
information about the HITRUST Shared Responsibility and Inheritance program,
please visit https://hitrustalliance.net/hitrust-srm-inheritance-program.

HAA 2023-008: Exposure Drafts – Risk Management Handbook and Assessment Handbook

Impacted Policy/Program Name: HITRUST Assurance Program
Date: April 4, 2023
Advisory Type: Assurance Quality

Overview

HITRUST has published exposure drafts of the Risk Management Handbook and
Assessment Handbook.

 * The Risk Management Handbook presents risk management concepts and
   methodologies foundational to the HITRUST Approach™. The handbook is intended
   to help support integration of HITRUST products, services, and tools into an
   organization’s existing risk management program.
 * The Assessment Handbook defines the requirements for organizations assessing
   their information protection programs against the HITRUST CSF through a
   readiness or validated assessment. The assessment handbook is intended to
   provide guidance and expectations of the assessment process to the HITRUST
   community.

HITRUST invites all stakeholders to review the proposed Risk Management Handbook
and Assessment Handbook, then submit feedback using the links below.

Exposure Drafts

 * Risk Management Handbook Exposure Draft (Submit Comments)
 * Assessment Handbook Exposure Draft (Submit Comments)

Timeline

The exposure drafts of the Risk Management Handbook and Assessment Handbook are
available now for review. Please use the links above to access the handbooks and
submit all comments by July 7, 2023.

The Risk Management Handbook and Assessment Handbook are not yet final and will
not be enforced during the exposure draft review period. HITRUST will continue
to enforce the existing guidance published within the HITRUST website
(www.hitrustalliance.net).

Additional Information

For any additional questions, please contact our Support team.

HAA 2023-007: CSF v11.0 Creation Deadline for e1 and i1 Assessments

Impacted Policy/Program Name: HITRUST Assurance Program
Date: April 4, 2023
Advisory Type: Assurance Change

Overview

Upon the release of CSF v11.1, HITRUST is announcing the deadline for creating
e1 and i1 assessments using CSF v11.0.

Timeline



Details

New e1 and i1 assessments may continue to use CSF v11.0 until July 31, 2023.

 * Effective July 31, 2023, the ability to create new e1 and i1 assessments
   using CSF v11.0 will be disabled.
 * e1 and i1 assessments using CSF v11.0 can continue to be submitted after July
   31, 2023. The v11.0 e1 and i1 assessment submission deadline will be
   announced a minimum of 90 days in advance.

e1 and i1 Assessment Change Summary

e1 Assessment
The e1 assessment requirement statements have not changed between v11.0 and
v11.1.

i1 Assessment
One requirement statement (0506.09m1Organizational.12) included in the i1
assessment has been updated for clarity in v11.1.

 * v11.1: Where a specific business need for wireless access has been identified
   the organization requires end points to encrypt traffic prior to transmitting
   information over a wireless network. For devices that do not have an
   essential wireless business purpose, the organization disables wireless
   access in the hardware configuration (basic input/output system or extensible
   firmware interface).
 * v11.0: Where a specific business need for wireless access has been identified,
   the organization configures wireless access on client machines to allow
   access only to authorized wireless networks. For devices that do not have an
   essential wireless business purpose, the organization disables wireless
   access in the hardware configuration (basic input/output system or extensible
   firmware interface).

No other changes have been made to the i1 assessment requirement statements
between v11.0 and v11.1.

Additional Information

For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-006: CSF Version 11.1 Release

Impacted Policy/Program Name: HITRUST Assurance Program
Date: April 4, 2023
Advisory Type: Assurance Change

Overview

The HITRUST CSF v11.1 framework (v11.1) is available within MyCSF and
downloadable here as of April 4, 2023.

Included in v11.1 are several new and refreshed authoritative sources.

New and Refreshed Authoritative Sources

v11.1 includes the following new and refreshed Authoritative Sources:

 * Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
   * The existing MARS-E Compliance factor, “MARS-E v2.0” will not be selectable
     as of v11.1.
 * Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor,
   “IRS Pub. 1075 (Rev. 11-2021)”
   * The existing “IRS Pub. 1075” Compliance factor, will not be selectable as
     of v11.1.
 * Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”

Changes to the r2 Assessment Baseline

One requirement statement (0506.09m1Organizational.12) included in the r2
assessment baseline has been clarified in v11.1.

 * v11.1: Where a specific business need for wireless access has been identified
   the organization requires end points to encrypt traffic prior to transmitting
   information over a wireless network. For devices that do not have an
   essential wireless business purpose, the organization disables wireless
   access in the hardware configuration (basic input/output system or extensible
   firmware interface).
 * v11.0: Where a specific business need for wireless access has been identified,
   the organization configures wireless access on client machines to allow
   access only to authorized wireless networks. For devices that do not have an
   essential wireless business purpose, the organization disables wireless
   access in the hardware configuration (basic input/output system or extensible
   firmware interface).

No other changes have been made to the baseline r2 assessment requirement
statements between v11.0 and v11.1.

Additional Information

For additional questions, please contact our Support team.

HAA 2023-005: i1 Rapid Recertification

Impacted Policy/Program Name: HITRUST Assurance Program
Date: January 18, 2023
Advisory Type: Assurance Change

Overview

HITRUST is introducing the Rapid Recertification option for i1 assessments which
provides an accelerated way to obtain your next i1 certification.

The HITRUST i1 Rapid Recertification Assessment allows Assessed Entities and
their External Assessors to evaluate a selection of i1 requirement statements to
demonstrate that the control environment has not materially degraded since the
previous i1 Certification was obtained. Upon successfully demonstrating that the
control environment has not materially degraded, the Assessed Entity is
permitted to roll forward scores from their previous, certified i1 Assessment
for the remaining requirement statements – thus reducing the amount of testing
required to complete the assessment. The i1 Rapid Recertification results in the
same i1 Assessment Reports and i1 Certification as a full i1 Assessment.

Leveraging the i1 Rapid Recertification Assessment

The i1 Rapid Recertification assessment may be leveraged by organizations who
meet all of the following conditions:

 * The Assessed Entity currently holds an i1 Certification based on CSF v11 or
   later.
 * The Assessed Entity intends to assess the same scope assessed in the prior i1
   assessment.
 * No significant changes have occurred since the previous i1 Certification date
   in the Assessed Entity’s business or security policies, processes, controls,
   hosting locations, or technologies.
 * The control environment has not materially degraded since the previous
   standard i1 Assessment was performed.
 * The Assessed Entity has an available assessment object in MyCSF.

When Assessed Entities are not eligible to complete an i1 Rapid Recertification
Assessment, a full i1 Assessment must be completed in order to obtain an i1
Certification.

Key similarities between the i1 Assessment and the i1 Rapid Recertification
Assessment

The i1 Rapid Recertification Assessment is comparable to the full i1 Assessment
in many ways, the most notable of which include:

 * Both provide a means to convey information protection assurances over the
   assessed entity’s scoped and implemented control environment through a
   shareable, final report with certification issued by HITRUST.
 * Both use the same i1 requirements resident in the HITRUST CSF and use MyCSF.
 * Both require an Authorized HITRUST External Assessor Organization to inspect
   documented evidence to validate control implementation.
 * Both leverage the HITRUST Control Maturity Scoring Rubric.
 * Final reports resulting from i1 Rapid Recertification Assessments can be
   shared through the HITRUST Assessment XChange and the HITRUST Results
   Distribution System.

HITRUST CSF requirements included in i1 Rapid Recertification Assessments

Just like a full i1 Assessment, the i1 Rapid Recertification Assessment consists
of all i1 requirement statements for the current CSF version at the time the i1
Rapid Recertification Assessment is created. The i1 Rapid Recertification
Assessment is different in that some requirement statements are not required to
be evaluated and may instead have scores carried over from the previously
completed full i1 Assessment. The following sections detail the selection of
requirement statements that are required to be evaluated during the i1 Rapid
Recertification Assessment and those that are not.



Requirement statements that are required to be evaluated during the i1 Rapid
Recertification Assessment

 * If the i1 Rapid Recertification Assessment is created using a newer CSF
   version than that which was utilized for the Assessed Entity’s full i1
   assessment, there may be additional requirement statements included in the i1
   Rapid Recertification due to the quarterly threat analysis that impacts the
   i1 requirement statement selection. The additional requirement statements
   included in the newer CSF version are required to be evaluated in the i1
   Rapid Recertification Assessment.
 * A sample of 60 requirement statements that were scored (not N/A) in the full
   i1 Assessment need to be evaluated in the i1 Rapid Recertification Assessment.
   Note that any requirement statements that are not included in the i1
   requirement selection for the current CSF version are excluded from this
   sample.
 * Requirement statements that were marked as N/A during the full i1 assessment
   are required to be reviewed during the i1 Rapid Recertification Assessment to
   confirm that the N/A rationale remains accurate. Note that any requirement
   statements marked N/A that are not included in the i1 requirement selection
   for the current CSF version are excluded.
 * Requirement statements that required a CAP during the full i1 Assessment are
   required to be assessed during the i1 Rapid Recertification Assessment. Note
   that any requirement statements requiring a CAP that are not included in the
   i1 requirement selection for the current CSF version will be excluded.

Requirement statements that are not required to be evaluated during the i1 Rapid
Recertification Assessment

All other i1 requirement statements for the current CSF version are included
within the i1 Rapid Recertification Assessment object, but are not required to
be assessed. By default, these requirement statements appear within the
assessment in a read-only state and include the scores that were entered in the
previous i1 Assessment. The Assessed Entity may optionally include any of these
requirement statements by toggling the requirement statement to an editable
state.

Detection of Control Degradation

Before creating an i1 Rapid Recertification Assessment, the Assessed Entity must
attest that the control environment has not materially degraded since the full
i1 Assessment was performed.
During the performance of the i1 Rapid Recertification Assessment, MyCSF
monitors the scoring of requirement statements that are evaluated in the current
i1 Rapid Recertification Assessment and compares the scores to the previously
completed i1 Assessment.

 * If scores are lowered for two or fewer requirement statements, the i1 Rapid
   Recertification Assessment may be submitted to HITRUST.
 * If MyCSF detects either three or four requirement statements with lower
   scores in the i1 Rapid Recertification Assessment, the Assessed Entity and
   External Assessor will be presented with two options for how to proceed:
   
   Option 1: Expand the sample of requirement statements to be evaluated in the
   i1 Rapid Recertification Assessment. If this option is selected, an
   additional sample of 60 requirement statements will be required to be
   assessed in the i1 Rapid Recertification Assessment. Once the additional 60
   requirement statements are introduced, MyCSF will allow a total of five
   requirement statements (across the expanded sample) with lower scores than
   the previously completed i1 Assessment. If MyCSF detects six or more
   requirement statements with lower scores in the i1 Rapid Recertification
   Assessment, Option 2 must be followed.
   
   Option 2: Complete a full i1 Assessment. If this option is selected, the i1
   Rapid Recertification Assessment may be converted to a full i1 Assessment so
   that the scoring and documentation already entered in MyCSF is retained.

 * If MyCSF detects five or more requirement statements with lower scores in the
   initial sample of the i1 Rapid Recertification Assessment, a full i1
   Assessment will be required. If this occurs, the i1 Rapid Recertification
   Assessment may be converted to a full i1 Assessment so that the scoring and
   documentation already entered in MyCSF is retained.

HITRUST’s Quality Assurance (“QA”) Review of i1 Rapid Recertification
Assessments

i1 Rapid Recertification Assessments feature the same high quality of
deliverables as full i1 Assessments, as ensured through HITRUST’s robust Quality
Assurance process using HITRUST’s Assurance Intelligence Engine. Additionally,
just like on full i1 Assessments, HITRUST’s QA review of i1 Rapid
Recertification Assessments must be scheduled using the HITRUST QA Reservation
System. Full i1 Assessments and i1 Rapid Recertification Assessments use the
same type of report credits to book a reservation.

HITRUST performs a sample-based QA review of the requirement statements in the
i1 Rapid Recertification Assessment in much the same manner as a full i1
Assessment. The notable difference is that HITRUST does not QA any requirement
statements with scores that were carried from the previous assessment.

Detection of control degradation during QA
If scores are lowered during the QA review process, HITRUST will consider
whether the scores have been lowered due to an issue with the operation of the
control or due to an error in testing approach or testing documentation. Scores
lowered due to an error in testing approach or testing documentation are not
considered to be control degradation. Only scores lowered due to an issue with
the operation of the control will count toward the threshold for control
degradation.

If scores are lowered due to an issue with control operation, there is a
possibility that the threshold for number of scores lowered to indicate material
degradation is met during the QA review process. If this occurs, the Assessed
Entity and External Assessor will be required to expand the sample of
requirement statements evaluated in the i1 Rapid Recertification Assessment or
complete a full i1 assessment according to the guidelines presented in the
previous section.

HITRUST QA timeline for i1 Rapid Recertification Assessments
HITRUST’s established i1 post-submission service level agreement (SLA), not
greater than 45 business days with HITRUST, also applies to the i1 Rapid
Recertification Assessment. Should HITRUST exceed the stated SLA, customers can
request a complimentary report credit by contacting their Customer Success
Manager within 14 days after the final report has been issued. i1 Rapid
Recertification submissions entering escalated QA due to quality concerns are
exempted from this SLA, as processing such submissions may take longer than
processing non-escalated submissions.

CAPs, Scoring, and Certification Thresholds on i1 Rapid Recertification
Assessments

The scoring and certification thresholds for i1 Rapid Recertification
Assessments are the same as those for full i1 Assessments. For the requirement
statements that were not assessed during the i1 Rapid Recertification
Assessment, the scores from the previous i1 Assessment are utilized for the
calculation of average domain scores and the identifications of CAPs and gaps.

Assessment Reports

The i1 Rapid Recertification Assessment results in the same assessment reports
that are issued for a full i1 assessment. These reports can be shared through
the HITRUST Assessment XChange and assessment results can be shared through the
HITRUST Results Distribution System.

Implementation and Timeline

A subsequent advisory will provide additional details and announce the release
of the i1 Rapid Recertification Assessment in MyCSF.

Additional Resources

For a list of anticipated questions please click here. For any additional
questions, please contact our Support team or a HITRUST Customer Success
Manager.

HAA 2023-004: e1 Assessment Introduction

Impacted Policy/Program Name
HITRUST Assurance Program

Date
January 18, 2023

Advisory Type
Assurance Change

Overview

HITRUST now offers a new, lower-effort, validated cybersecurity assessment and
accompanying certification—the HITRUST Essentials, 1-year (e1) Assessment—which
is designed to move at the speed of business.

Key Characteristics of the e1 Assessment

 * The HITRUST e1 Assessment focuses on a curated set of cybersecurity controls
   encompassing fundamental cybersecurity practices, or “good cybersecurity
   hygiene”.
 * When viewed side-by-side with the HITRUST i1 and HITRUST r2, the HITRUST e1
   shows a depth of control consideration that is significantly leaner by
   design.
 * The HITRUST e1 is designed to be an evolving, threat-adaptive certification.
   The requirements included in the HITRUST e1 address the most pressing active
   cyber threats (e.g., phishing, ransomware), while the requirements included
   in the HITRUST i1 controls address a broader range of active cyber threats.
   The e1 achieves threat-adaptiveness through the quarterly HITRUST
   reconciliation of cyber threat intelligence to the HITRUST CSF requirements.
 * Controls nest into the i1 and r2 to be fully inheritable, so e1 work can be
   reused.
 * When changes to the e1 requirement selection are deemed necessary, they will
   be included in major and minor releases of the HITRUST CSF. Consequently, all
   e1 Assessments performed against a particular version of the HITRUST CSF will
   include the same requirements, currently 44 requirements.
 * The e1 Assessment can be performed as a readiness or validated assessment.
   The e1 Readiness Assessment may be performed with an External Assessor or as
   a self-assessment.

Use Cases

The HITRUST e1 is built for use by organizations seeking assurance for
cybersecurity essentials that is more robust than questionnaires or other
self-assessments (such as the HITRUST bC). This supports the following use
cases:

 * When relying parties need to request a less rigorous, less demanding,
   easy-to-understand, and easy-to-execute assurance from vendors who pose a
   lower level of inherent risk.
 * An organization is seeking assurance for a limited set of controls that are
   inherently expected for nearly all entities.
 * An initial assessment of security maturity for a limited set of essential
   cybersecurity controls is quickly needed (such as for a newly onboarded
   vendor or for an entity still developing their cybersecurity program).

Secondary use cases for the HITRUST e1 include:

 * When a demonstrable assurance report is needed to establish a foundational
   benchmark for an organization’s assurance continuum.
 * Situations where an e1 assurance is the first step towards the eventual
   achievement of a HITRUST i1 or r2 Certification.

The e1 Assessment in the HITRUST Assessment Portfolio

The addition of the e1 Assessment is a continuation of the HITRUST Assessment
Portfolio expansion designed to equip organizations with a broader range of
validation and certification options to address varied assurance requirements.
Not all vendor or third-party relationships warrant the level of assurance, or
time and effort, required for HITRUST i1 or r2 Certifications. Validation of
essential cybersecurity practices is still warranted for many vendors
traditionally viewed as lower risk. Validated HITRUST e1 assessments and
certifications meet this need.

How the e1 Fits into the HITRUST Assessment Family

The HITRUST Essentials, 1-year Validation + Certification Assessment complements
other assessments in the HITRUST portfolio by providing suitable assurances for
lower-risk scenarios, focusing on foundational, essential cybersecurity
controls, and acting as an entry-level HITRUST Certification. The HITRUST
Implemented, 1-year (i1) Certification introduced in 2022 provides suitable
assurances for moderate-risk scenarios, focusing on cybersecurity best practices
controls. The HITRUST Risk-based, 2-year (r2) Certification will continue to
provide the highest level of information protection assurance for situations
with greater risk exposure due to data volumes, regulatory compliance, and other
risk factors. This assurance model is designed to support progression from an e1
to either an i1 or r2 where required for organizations or their relying parties.
This traversable assessment approach supports situations where inherent risk is
evolving and entities are seeking a higher level of assurance over time as well
as when an assessed entity is still maturing their program and an initial
assurance report is required for the most essential controls.

Comparison of the e1, i1, and r2 Certifications

Characteristic (e1 / i1 / r2)

Deliverables
 * Can result in a HITRUST-issued certification (i.e., HITRUST certifiable):
   Yes / Yes / Yes
 * Length of certification: 1 year / 1 year / 2 years
 * Final reports resulting from the assessment can be shared through the
   HITRUST Assessment XChange and assessment results can be shared through the
   HITRUST Results Distribution System: Yes / Yes / Yes
 * Can result in a HITRUST-issued certification over the NIST Cybersecurity
   Framework: No / No / Yes

Assessments
 * Readiness assessments and validated assessments can be performed:
   Yes / Yes / Yes
 * Requires an Authorized HITRUST External Assessor Organization to inspect
   documented evidence to validate control implementation: Yes / Yes / Yes
 * Leverages the HITRUST Control Maturity Scoring Rubric: Yes / Yes / Yes
 * Assessor’s validated assessment fieldwork window (maximum):
   90 days / 90 days / 90 days
 * HITRUST CSF requirements performed by the assessed entity’s service
   providers (such as cloud service providers) on behalf of the organization
   can be carved out (excluded from consideration): Yes / Yes / No
 * Personnel from either the assessed entity or their external assessors are
   allowed to enter control maturity scoring and assessment scoping
   information: Yes / Yes / No
 * Requires an interim assessment: No / No / Yes
 * Can be bridged through a HITRUST Bridge Certificate: No / No / Yes

Subject matter
 * Threat-adaptive assessment: Yes / Yes / Yes*
 * Includes a fixed number of HITRUST CSF requirement statements:
   Yes / Yes / No
 * Includes HITRUST CSF requirements specifically tailored to the assessment
   scope: No / No / Yes
 * Can be tailored to optionally convey assurances over dozens of information
   protection regulations and standards (e.g., HIPAA, NIST CSF, PCI DSS):
   No / No / Yes
 * Can be tailored to include privacy: No / No / Yes
 * Must use the most current version of the CSF available at time of
   assessment creation: Yes / Yes / No

* v11 and later (see HAA 2022-002)


More Information About the e1 Certification and e1 Assessment

Control Maturity Levels Considered in e1 Assessments

 * Like the HITRUST i1, the HITRUST e1 focuses on the “Implemented” control
   maturity level of HITRUST’s control maturity evaluation model. Even though
   the e1 focuses on control implementation, like the i1, some requirement
   statements necessitate reviewing policy and procedure documents. For
   example, implementing the following HITRUST CSF requirement included in the
   e1 involves the creation of a written information protection program
   document:
   “0113.04a1Organizational.2 - The organization’s information security policy
   is developed, published, disseminated, and implemented. The information
   security policy documents: state the purpose and scope of the policy;
   communicate management’s commitment; describe management and workforce
   members’ roles and responsibilities; and establish the organization’s
   approach to managing information security.”

HITRUST Control Scoring Rubric Update (Version 4)

e1, i1, and r2 Assessments all leverage the HITRUST Control Maturity Scoring
Rubric, although the e1 and i1 do not use the entire rubric. The rubric has been
updated in support of the e1 Assessment to indicate that, for e1 and i1
Assessments using v11, only the implemented control maturity level is
considered.

External Inheritance on e1 Assessments

External assessors and assessed entities of e1 Assessments will have two options
of how to address situations in which a HITRUST CSF requirement is fully or
partially performed by a service provider (e.g., by a cloud service provider):
Inclusive and Exclusive (or Carve-out). These methods, detailed below, are the
same two methods that can be used for i1 assessments.

 * The Inclusive method, whereby HITRUST CSF requirements performed by the
   service provider are included within the scope of the HITRUST Assessment and
   addressed through full or partial inheritance, reliance on third-party
   assurance reports, and/or direct testing.
 * The Exclusive (or Carve-out) method, whereby HITRUST CSF requirements
   performed by the service provider are excluded from the scope of the HITRUST
   Assessment and marked as N/A with supporting commentary that specifies that
   the HITRUST CSF requirement is fully performed by a party other than the
   assessed entity (for fully outsourced controls) or through commentary
   describing the excluded partial performance of the control (for partially
   outsourced controls).

Refer to HAA 2021-012 for additional details.

Cross-assessment-type inheritance is allowed, meaning that i1 or r2 Assessment
results can be inherited into an e1 Assessment (and vice versa). However, only
the implemented level’s scoring can be inherited when inheriting from an e1
Assessment into an r2 Assessment given that e1 Assessments only consider the
implemented maturity level. This limitation does not absolve those involved in
the inheriting r2 Assessment from either (a) accurately scoring the policy,
procedure, and optionally measured and managed levels based on supplemental
validation procedures or (b) scoring the policy, procedure, measured and managed
scores at 0 to reflect the inability to ascertain scoring on these control
maturity levels.

HITRUST Quality Assurance (“QA”) Review of e1 Assessments

e1 Assessments will feature the same high quality of deliverables as i1 and r2
Assessments, as ensured through HITRUST’s robust Quality Assurance process
using HITRUST’s Assurance Intelligence Engine. Additionally, just like on i1 and r2
Assessments, the HITRUST QA review of e1 Assessments must be scheduled using the
HITRUST QA Reservation System. Please be aware that e1, i1, and r2 Assessments
require different types of report credits to book a reservation. For additional
information on acquiring the correct type of report credit please contact your
Customer Success Manager (CSM).

HITRUST will perform a sample-based QA review of requirement statements within
e1 Validated Assessments much in the same manner as is performed on i1 and r2
Validated Assessments.

HITRUST QA for e1 Assessments is designed for speed
The time necessary to perform a quality assurance review of any validated
assessment submission varies based on the complexity of the assessment, the
quality of the external assessor’s documentation, the quality and consistency of
the external assessor’s validation procedures, and many other factors.
However, the established e1 post-submission service level agreement (SLA) is not
greater than 30 business days with HITRUST; otherwise the customer’s next e1
Validated Assessment Report credit is complimentary.

This Service Level Agreement (SLA) is calculated using a measurement called
“days with HITRUST”. The measurement is calculated from the earlier of the day
that HITRUST begins QA (the day the assessment moves into the Performing QA
phase) or the last day of the QA block from the reservation. Days are counted
for any weekdays where the assessment is in a HITRUST owned phase before the
draft report is posted. Validated assessment submissions entering escalated QA
due to quality concerns are exempted from this SLA, as processing such
submissions may take longer than processing non-escalated submissions. The days
with HITRUST measure are visible to customers as part of the assessment details
page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a
complimentary report credit by contacting their Customer Success Manager within
14 days after the final report has been issued.

CAPs, Scoring, and Certification Thresholds on e1 Assessments

The scoring and certification thresholds for e1 Assessments are the same as
those for i1 assessments. Refer to HAA 2021-012 for details.

e1 HITRUST CSF Reports

Upon completion of an e1 Assessment that meets the scoring thresholds for
certification, HITRUST will issue the following reports:

 * HITRUST e1 Certification Report
 * HITRUST e1 Certification Letter
 * HITRUST e1 Certification Letter with Scope

Upon completion of an e1 Assessment that does not meet the scoring thresholds
for certification, HITRUST will issue only the HITRUST e1 Validated Assessment
Report.

Implementation and timeline

The ability to perform e1 Assessments in MyCSF is available as of the release of
this advisory.

Additional Resources

For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-003: CSF v9.6.2 Creation and Submission Deadlines for i1 Assessments

Impacted Policy/Program Name
HITRUST Assurance Program

Date
January 18, 2023

Advisory Type
Assurance Change

Overview

Upon the release of CSF v11, HITRUST is announcing the deadline for creating and
submitting i1 assessments using CSF v9.6.2 and earlier.



Details

 * Between the release of v11 on January 18, 2023 and April 30, 2023, i1
   assessments may be created using either v11 or v9.6.2.
 * Effective April 30, 2023, the ability to create new i1 assessments using CSF
   v9.6.2 will be disabled.
 * Effective July 31, 2023, the ability to submit i1 assessments using CSF
   v9.6.2 and earlier will be disabled.
   * Effective as of the release of this advisory, the QA Reservation system
     will not allow the selection of a submission date after July 31, 2023 when
     booking a reservation for an i1 assessment object using v9.6.2.
   * As of July 31, 2023, any unsubmitted i1 assessment objects utilizing v9.6.2
     and earlier will be marked with a MyCSF banner indicating that they cannot
     be submitted to HITRUST for processing. These assessments must be upgraded
     to v11 in order to be submitted to HITRUST.

Additional Resources

For a comparison of the v9.6 i1 requirement statements to the v11.0 i1
requirement statements click here.
For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-002: CSF Version 9.1 – 9.4 Decommission Notice

Impacted Policy/Program Name
HITRUST Assurance Program

Date
January 18, 2023

Advisory Type
Assurance Change

Overview

HITRUST invests in continuously evaluating new control requirements and
expanding the coverage of security and privacy authoritative sources supported
by the HITRUST CSF framework. To facilitate and empower customers to take
advantage of this investment and ensure HITRUST assessments are generated and
inherited from (and/or relied upon) the latest available HITRUST CSF controls
and mappings, HITRUST is decommissioning CSF v9.1 through v9.4 according to the
timeline below.



Notice and Timeline Details
Support of CSF v9.1 through v9.4

Effective as of the release of this advisory, maintenance support (i.e., CSF
updates that would result in an errata release according to HAA 2021-005: CSF
Versioning Policy) of v9.1 through v9.4 will be discontinued. Questions related
to these library versions will continue to be addressed via support tickets
until the libraries are removed from MyCSF on March 31, 2026. All Assessments
using v9.1 – v9.4 will remain in MyCSF.

Key Assessment Dates

 * Effective September 30, 2023, the ability to create new v9.1 through v9.4
   assessment objects will be disabled. All new assessment objects created on or
   after September 30, 2023, must be created using HITRUST CSF v9.5.x or later.
 * Effective December 31, 2024, the ability to submit v9.1 through v9.4
   assessment objects to HITRUST for report processing will be disabled.
   * Effective as of the release of this advisory, the QA Reservation system
     will not allow the selection of a submission date after December 31, 2024
     when booking a reservation for an assessment object using v9.1 through
     v9.4.
   * As of December 31, 2024, any unsubmitted assessment objects utilizing v9.1
     through v9.4 will be marked with a MyCSF banner indicating that they cannot
     be submitted to HITRUST for processing.

Note that the following will not be impacted by the above notice:

 * Interim and Bridge Assessments will continue to utilize the same version of
   the HITRUST CSF that was used to create the original r2 Validated Assessment.
 * Internal and external inheritance will continue to be available from v9.1
   through v9.4 assessment objects until their expiration—for Uncertified r2
   Validated Assessments, a period of one (1) year from report date, and for
   Certified r2 Validated Assessments, a period of two (2) years from report
   date and timely completion of its Interim Assessment.

Additional Resources

For any additional questions, please contact our Support team or a HITRUST
Customer Success Manager.

HAA 2023-001: CSF Version 11 Release

Impacted Policy/Program Name
HITRUST Assurance Program

Date
January 18, 2023

Advisory Type
Assurance Change

Overview

The HITRUST CSF version 11 (v11) enables a fully traversable portfolio, which
facilitates seamless movement between HITRUST assessments based on the use of
common requirement statements to maximize reusability. As risk and compliance
program maturity or information protection needs change, v11 allows
organizations to use what they have already done to easily upgrade to higher
levels of HITRUST assurance with just incremental effort. v11 enables cyber
threat adaptive HITRUST Assessments across the portfolio that continuously
evolve to address emerging threats such as ransomware and phishing.

The HITRUST CSF v11 framework includes new and refreshed Authoritative Sources
whose mappings were produced with the speed and efficiency of Artificial
Intelligence (AI). It also includes changes to Evaluative Elements and
Illustrative Procedures that make it easier for MyCSF users to parse and score
Requirement Statements.

Traversable and Threat-Adaptive Portfolio
Traversable Portfolio



For v11, HITRUST has aligned the selection of requirement statements used for
the e1 assessment (HAA 2023-004), i1 assessment, and r2 assessment baseline so
that each assessment builds upon the core requirement statements that are
included in the e1 assessment.

 * The e1 assessment includes a selection of 44 requirement statements that
   address a curated set of cybersecurity controls generally viewed as
   fundamental essential cybersecurity practices, or “essential cybersecurity
   hygiene”.
 * The i1 assessment includes a selection of 182 requirement statements that are
   comprised of the 44 e1 requirement statements along with an additional 138
   requirement statements that address cybersecurity best practices and a
   broader range of active cyber threats than the e1 assessment.
 * The r2 assessment includes the 182 i1 requirement statements as a baseline
   along with additional requirement statements that are included through the r2
   assessment tailoring process.

This nesting of requirement statements allows organizations to begin with the
entry-level e1 or moderate level i1 assessment and subsequently move through the
assessment portfolio to demonstrate increased levels of information protection
assurance without losing the investment made by completing previous assessments.

Threat-Adaptive Portfolio

As described in HAA 2021-012 and HAA 2023-004, e1 and i1 assessments are
designed to be threat-adaptive through the selection of requirement statements
that address active cyber security threats based on HITRUST’s quarterly
reconciliation of cyber threat intelligence to the HITRUST CSF requirements. The
inclusion of the i1 requirement statements in the r2 assessment introduces the
threat-adaptive nature of the e1 and i1 to the r2.

Inheritance

External Inheritance can be used between v11 assessments and v9.1 – v9.6.2
assessments. However, due to the change in the r2 baseline described above,
there may be requirement statements present in baseline v9.x assessments that
are not present in baseline v11 assessments and vice versa. To address this, a
Community Supplemental Requirement (CSR) and associated factor called “Legacy
Inheritance Support” will be introduced for use in v11 assessments. The Legacy
Inheritance Support factor includes additional inheritable 9.x requirement
statements into v11 r2 Assessments. For additional information regarding the
functionality and limitations of this factor, please see v11 FAQs.

HITRUST encourages inheritance providers using v11 to include the Legacy
Inheritance Support factor so that their v11 r2 Assessment includes v9.x
requirement statements that Assessed Entities may hope to inherit.

New and Refreshed Authoritative Sources

The Authoritative Source updates in v11 are powered by new AI processing
technologies that enhance the efficiency of producing Authoritative Source
mappings.

v11 contains the following new and refreshed Authoritative Sources:

 * Added NIST SP 800-53 revision 5 mapping and selectable Compliance factor
 * Added Health Industry Cybersecurity Practices mapping and selectable
   Compliance factor
 * Refreshed NIST SP 800-171 mapping
 * Refreshed NIST Cybersecurity Framework mapping
 * Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

Evaluative Elements Moved to the Requirement Statement

For assessments using v11, HITRUST has moved the evaluative elements from the
policy level illustrative procedure to the requirement statement for improved
visibility. Further, the requirement statement text is formatted to display each
evaluative element in a numbered list.

v11 Requirement Statement Example

For v9.1 – v9.6, the evaluative elements remain within the policy level
illustrative procedures. Like v9.6, the illustrative procedures for v9.1 – v9.5
are now formatted to specifically enumerate each evaluative element, as
described in HAA 2021-014.

Illustrative Procedure Updates

Because the evaluative elements have moved from the policy level illustrative
procedure into the requirement statement, the v11 policy level illustrative
procedures have been updated to standard text for all requirement statements.
Additionally, the formatting of the v11 implemented and measured illustrative
procedures has been updated to more clearly display the requirement-specific
implementation and measured testing guidance.

Clarification of Factor Definitions

HITRUST has updated the factor definitions to improve tailoring for v11 r2
assessments. Within MyCSF, the Factors page for r2 assessments using v11 will
contain information icons that display the factor definition for reference.



The legacy factor definitions found at help.mycsf.net/factors should continue to
be used for v9.1 – v9.6 r2 assessments.

Implementation and Timeline

v11 is available within MyCSF and for download here as of January 18, 2023.

Additional Information

In addition to the updates detailed above, CSF v11 includes assorted errata
updates consistent with the CSF Versioning Policy. The errata updates include
refreshes to BUIDs primarily based on changes to requirement statement levels
and control references. Further, the following seven Authoritative Sources have
been removed in CSF v11:

 * CAQH CORE Phase 1 [CAQH Core Phase 1]
 * CAQH CORE Phase 2 [CAQH Core Phase 2]
 * Cloud Security Alliance (CSA) Cloud Controls Matrix Version 3.0.1 [CSA CCM
   v3.0.1]
 * Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)
   version 1.0 [CMMC v1.0]
 * Department of Homeland Security (DHS) Critical Resilience Review (CRR) v1.1
   [DHS CISA CRR (2016)]
 * ISO/IEC 29151:2017: Information Technology – Security Techniques – Code of
   Practice for Personally Identifiable Information Protection [ISO/IEC
   29151:2017]
 * Precision Medicine Initiative Data Security Policy Principles and Framework
   v1.0 (PMI DSP): Achieving the Principles through a Precision Medicine
   Initiative Data Security Policy Framework [PMI DSP Framework]

The CSF Summary of Changes document offers additional details regarding CSF
changes. MyCSF subscribers can utilize the preview functionality described in
HAA 2021-006 to determine impact on an existing assessment prior to upgrading to
v11 including a detailed look at the direct changes that will apply to the
assessment.

For a list of anticipated questions please click here.
For a comparison of the v9.6 i1 requirement statements to the v11.0 i1
requirement statements click here.
For additional questions please contact our Support team.


SUMMARY OF HITRUST ASSURANCE ADVISORIES 2022

HAA 2022-001: Retirement of Legacy Assessment Workflows

Impacted Policy/Program Name
HITRUST Assurance Program

Date
July 12, 2022

Advisory Type
Assurance Change

Overview

On February 15, 2022, HITRUST implemented a suite of enhancements to the MyCSF
platform that are described in the following Assurance Advisories:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST Report Format Changes

This suite of enhancements was applied to HITRUST r2 Validated Assessments, r2
Readiness Assessments, Interim Assessments, and Bridge Assessments meeting
certain criteria outlined in the Advisories listed above.

On October 1, 2022, HITRUST will convert any remaining r2 Validated Assessments
and r2 Readiness Assessments that have not previously been submitted to HITRUST
for processing to utilize the enhancements outlined in the advisories listed
above.

Note: i1 Assessments incorporate these enhancements by default, so i1
Assessments will not need to be converted.

Details

The suite of enhancements will be automatically implemented for all r2 Validated
Assessments and r2 Readiness Assessments that meet all the following criteria on
October 1, 2022:

 * The assessment has not previously been submitted to HITRUST
 * The assessment is using the legacy assessment workflow

Note: r2 Validated Assessments that are in the Assessment Submitted to External
Assessor state on October 1, 2022, will be automatically reverted to the
Answering Assessment state prior to the enhancements being implemented.

Refer to FAQs: Retirement of Legacy Assessment Workflows for more information
and instructions for determining whether your assessment is utilizing the legacy
assessment workflow.





SUMMARY OF HITRUST ASSURANCE ADVISORIES 2021

HAA 2021-014: CSF Version 9.6 Release

Impacted Policy/Program Name
HITRUST Assurance Program

Date
December 30, 2021

Advisory Type
Assurance Change

Implementation and Timeline
v9.6 is available within MyCSF and for download here as of December 30, 2021.

Overview
The CSF Version 9.6 Release includes both CSF and MyCSF enhancements which are
described further below. The CSF enhancements are changes related to the HITRUST
CSF framework, while MyCSF enhancements are related to the MyCSF platform.

CSF Enhancements

CSF Version 9.6 (v9.6) contains the following enhancements:

 * Refreshed NIST SP 800-53 revision 4 mapping and added NIST SP 800-53 revision
   4 as a selectable compliance factor
 * Updates to some requirement statements and illustrative procedures in
   anticipation of the HITRUST Implemented, 1-year (i1) Validated Assessment
   release
 * Assorted errata updates consistent with the CSF Versioning Policy

The CSF Summary of Changes document offers additional details regarding CSF changes.
MyCSF subscribers can utilize the preview functionality described in HAA
2021-006 to see the potential impact on an existing assessment prior to
upgrading to v9.6.

MyCSF Enhancements

1. CMMC Compliance Factor
The CMMC Compliance factor will now contain a “Deprecated” flag (see Figure 1)
to indicate that the version of CMMC currently mapped to the CSF has been
superseded. The CMMC Compliance factor appears in versions 9.4, 9.5, and 9.6 of
the CSF and each of these versions will display the “Deprecated” flag. More
information about the CMMC program is available here.

Figure 1



2. Illustrative Procedure Enhancements
Beginning in v9.6, the Policy and Implemented illustrative procedures have been
formatted to enhance usability and clarity. The Policy illustrative procedures
have been formatted to specifically enumerate each evaluative element when the
illustrative procedures are displayed from the “More Information” menu as shown
in Figure 2. Additionally, the evaluative element count will be shown when the
requirement is displayed as shown in Figure 3. For assessments that are
performed using v9.6, the evaluative element count displayed within MyCSF must
be the denominator for the calculation of coverage for scoring of the
requirement statement for the Policy, Procedure, Implemented, and Measured
maturity levels in the HITRUST Control Maturity Scoring Rubric. Note that these
illustrative procedure enhancements are present on all HITRUST assessments
performed using v9.6 and later of the HITRUST CSF where applicable, regardless
of assessment type (i1 or r2).

The Implemented and Measured illustrative procedure formatting has been updated
to identify each testing procedure should the maturity level be scored (see
Figure 2).

Figure 2



Figure 3



3. Sampling Badge
In addition, the requirement statement view within MyCSF will now contain a
badge (see Figure 4) when the Implemented illustrative procedure requires the
External Assessor to select a sample of items and/or occurrences to test. If
circumstances exist which prevent sample-based testing (such as a lack of
control occurrences), the external assessor must document a rationale for not
performing sample-based testing for that HITRUST CSF requirement’s implemented
control maturity level.

Figure 4



Additional Information
For additional questions please contact our Support Team.




HAA 2021-013: HITRUST Control Maturity Scoring Rubric Update (version 3)

Impacted Policy/Program Name
HITRUST Assurance Program

Date
i1 – Immediately; r2 – May 1, 2022

Advisory Type
Assurance Change

Overview
HITRUST’s Control Maturity Scoring Rubric (“Rubric”), which assists assessed
entities and their external assessors in assessment scoring, has been updated in
support of the i1 assessment and to reflect previously announced changes. Key
changes to the rubric include:

 * The Policy and Procedure maturity levels had their criteria and strength
   tiers updated based upon HAA 2021-002, which was released on June 7, 2021.
   The revised Policy and Procedure criteria presented in the Advisory were
   added to the ‘Other Key Concepts’ section of the rubric, and the five
   strength tiers for the Policy and Procedure maturity levels in the version 2
   Rubric were reduced to three tiers in the version 3 Rubric as follows:
   * Tier 0 – No documented Policy and/or Procedure
   * Tier 1 – Undocumented Policy and/or Procedure
   * Tier 2 – Fully documented Policy and/or Procedure
 * HITRUST has updated the “minimum number of days that a remediated or newly
   implemented control must operate prior to assessor testing” to reflect 60
   days for any policy or procedure remediation, corresponding to the revision
   communicated in HAA 2021-002.
 * HITRUST has included the current Bridge Certificate timing guidance into the
   Rubric.
 * HITRUST has added the following sample-based testing requirements:
   * Guidance requiring sampling lead sheets in the test plan to document the
     sampling approach.
   * Guidance stating that evidence used during sample testing must be retained.
   * Sampling guidance for semi-annual controls.
   * Guidance on the required population timeframe to consider when pulling
     samples of control occurrences over time as: “Minimum of 90 days prior to
     the date of testing with a maximum of one-year prior to the date of
     testing”.
   * Guidance that the control frequency should be defined prior to determining
     the sampling approach.

In addition to the above key changes, HITRUST has made other minor adjustments
to the Rubric:

 * HITRUST has reformatted the guidance for supporting documentation to qualify
   as a measure for HITRUST assessment purposes.
 * The applicability of the timeframes has been updated to reflect whether they
   correspond to a HITRUST r2 validated assessment or i1 validated assessment.
 * HITRUST has removed sections from the “Timeframes” to streamline presentation
   of the key timeframes – not intended to reflect a change in prior guidance:
   * Access window for a HITRUST MyCSF “Report Only” object.
   * Targeted window for HITRUST’s performance of QA and draft report assembly
     procedures.
   * Window during which HITRUST will accept grammatical changes to a draft
     report.
   * Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF.
   * Interim assessment object submission due date.
 * HITRUST has updated the links on the Rubric where additional guidance can be
   found.

Timetable for Implementation
The updated HITRUST Control Maturity Scoring Rubric is immediately available for
download at
https://hitrustalliance.net/content/uploads/HITRUST-CSF-Control-Maturity-Scoring-Rubric-Version-3.pdf.
For HITRUST i1 validated assessments, use of the version 3 Rubric is required.
For the HITRUST r2 validated assessments, either version 2 or version 3 of the
Rubric may be used for assessments submitted prior to May 1, 2022. As of May 1,
2022, r2 validated assessment submissions must use the version 3 Rubric.

Additional Resources
Click
https://hitrustalliance.net/content/uploads/HITRUST-Control-Maturity-Scoring-Rubric-Update-FAQs.pdf
for a list of anticipated questions and answers. For additional questions please
contact our Support team.



HAA 2021-012: i1 Introduction and r2 Enhancements

Impacted Policy/Program Name
HITRUST Assurance Program

Date
December 30, 2021

Advisory Type
Assurance Change

Implementation and Timeline
The ability to perform HITRUST Implemented 1-Year (i1) assessments in MyCSF will
be released at the start of the 2022 calendar year. The updates to the
Risk-based, 2-Year (r2) assessment (formerly the HITRUST CSF Validated
Assessment) reports described in this advisory will be reflected in all r2
reports issued 12/31/21 and later.

Overview
To date, HITRUST has offered only one information protection certification, the
HITRUST CSF Certification, achievable only by demonstrating sufficiently strong
control maturity through the performance of a validated assessment. By design,
this single HITRUST certification offers a gold standard level of assurance due
to the comprehensive control requirements and assurance program requirements.
However, completion of a HITRUST validated assessment can be a significant
undertaking for an organization. HITRUST acknowledges that the highest level of
information protection assurance is not needed by every organization or vendor
relationship.

A broader range of certification options is necessary to address varying
assurance requirements and needs—as determined by factors such as level of
effort, budget, and purpose. To address these needs, HITRUST is introducing the
HITRUST Implemented, 1-year (i1) Certification, a new assessment mechanism and
accompanying certification that requires less effort and cost than today’s
validated assessment, while still living up to the gold standard level of
quality for which HITRUST certifications are known. To differentiate the
certifications in our newly expanded assessment portfolio, HITRUST is also
renaming our existing certification to the HITRUST Risk-based, 2-year (r2)
Certification. Further, HITRUST is taking this opportunity to update the
content, layout, and formatting of HITRUST-issued certification reports.

The HITRUST Risk-based, 2-year r2 Certification will continue to provide the
highest level of information protection assurance for situations with greater
risk exposure due to data volumes, regulatory compliance, or other risk factors.
The new HITRUST Implemented, 1-year i1 Certification will provide, when compared
to the r2, a relatively moderate level of information protection assurance,
focusing on good security hygiene and cybersecurity best practices controls.
Both the i1 and r2 certifications will uphold the high-quality bar for which
HITRUST is known.

Key similarities between i1 and r2 certifications
The HITRUST Implemented, 1-year i1 Certification shares several characteristics
with the HITRUST Risk-based, 2-year r2 Certification, the most notable of which
include:

 * Both provide a means to convey information assurances over the assessed
   entity’s scoped control environment through a shareable, final report with
   certification issued by HITRUST.
 * Both use requirements resident in the HITRUST CSF and use MyCSF.
 * Readiness assessments and validated assessments can be performed for both.
 * Both require an Authorized HITRUST External Assessor Organization to inspect
   documented evidence to validate control implementation.
 * Both leverage the HITRUST Control Maturity Scoring Rubric (although the i1
   does not use the entire rubric). While the rubric has been updated in support
   of the i1 assessment (as described in HAA 2021-013), no significant changes
   were made to the rubric to accommodate its use on i1 assessments other than
   indicating that only the Implemented control maturity level is considered
   during i1 assessments.
 * Final reports resulting from i1 assessments (such as the HITRUST i1 Validated
   Assessment Report) can be shared through the HITRUST Assessment XChange just
   like those resulting from r2 assessments, and i1 assessment results can be
   shared through the HITRUST Results Distribution System just like the results
   of r2 assessments.
 * The external assessor’s fieldwork window is capped at a maximum of 90 days on
   both i1 and r2 assessments.

Key differences between i1 and r2 certifications
The i1 and r2 are distinct in many ways, the most notable of which are:

 * r2 certifications are valid for 2 years, while i1 certifications are valid
   for 1 year.
 * While the HITRUST CSF requirements considered in r2 assessments are tailored
   based on the assessed entity’s inherent risk factors (such as whether
   in-scope systems are accessible from the Internet, whether wireless networks
   are used in the scoped environment, etc.), the HITRUST CSF requirements in an
   i1 assessment are carefully curated by HITRUST and only vary when performed
   against different versions of the HITRUST CSF.
 * r2 assessments can be tailored to optionally convey assurances over dozens of
   information protection regulations and standards (including: HIPAA, NIST CSF,
   PCI DSS), while i1 assessments are pre-set.
 * While r2 assessments can be tailored to include all security control
   references present in the HITRUST CSF through use of the “comprehensive
   assessment” option, i1 assessments cannot.
 * Privacy-centric HITRUST CSF controls and requirements can optionally be added
   into an r2, but not into an i1. While certain requirements within domain 19
   are included in i1 assessments, the i1 is designed to focus on cybersecurity
   only.
 * Many control maturity levels (policy, process, implemented, and optionally
   measured and managed) are considered when scoring HITRUST CSF requirements
   included in r2 assessments, while the scoring of HITRUST CSF requirements
   included in i1 assessments considers only control implementation.
 * HITRUST CSF requirements performed by the assessed entity’s service providers
   (such as cloud service providers) on behalf of the organization can be carved
   out / excluded from consideration in i1 validated assessments, but such
   carve-outs are not permitted in r2 assessments.
 * Interim assessments are not necessary for i1 certifications, as a full
   re-assessment is necessary each year to maintain i1 certification status.
 * r2 certifications can be bridged through a HITRUST Bridge Certificate, while
   i1 certifications cannot.
 * Validated r2 assessments can result in a HITRUST-issued certification over
   the NIST Cybersecurity Framework, while i1 validated assessments cannot.
 * Newly created i1 assessments must use the most current version of the CSF
   available at time of object creation.
 * Minor differences are present on the External Assessor QA checklist used on
   i1 assessments, as certain checklist items are only applicable on r2
   assessments.

More information about the i1 certification and i1 assessments
HITRUST’s quality assurance (“QA”) review of i1 assessments

i1 assessments will feature the same high quality of deliverables as r2
assessments, as ensured through HITRUST’s robust Quality Assurance process,
which includes the HITRUST Assurance Intelligence Engine. In addition, just like
on r2 assessments, HITRUST’s QA review of i1 assessments must be scheduled using
the HITRUST QA Reservation System. Please be aware that i1 and r2 assessments
require different types of report credits to book a reservation. For additional
information on acquiring the correct type of report credit please contact your
Customer Success Manager (CSM).

HITRUST will perform a sample-based QA review for i1 validated assessment
submissions much in the same manner as is performed on r2 validated assessment
submissions. The notable difference is that HITRUST will not QA a sample of
requirements with measured and/or managed scores on i1 submissions in addition
to reviewing a “Core QA” sample of requirements (as i1 assessments do not
consider the measured and managed control maturity levels).

The time necessary to perform a quality assurance review of any validated
assessment submission varies based on the complexity of the assessment, on the
quality of the external assessor’s documentation, the quality and consistency of
the external assessor’s validation procedures, and on many other factors.
However, HITRUST’s established i1 post-submission Service Level Agreement (SLA)
is not greater than 45 business days with HITRUST (otherwise the customer’s next
i1 validated assessment report credit is complimentary). This Service Level
Agreement (SLA) is calculated using a measurement called “days with HITRUST.”
The measurement is calculated from the earlier of the day that HITRUST begins QA
(the day the assessment moves into the Performing QA phase) or the last day of
the QA block from the reservation. Days are counted for any business days where
the assessment is in a HITRUST owned phase before the draft report is posted.
Validated assessment submissions entering escalated QA due to quality concerns
are exempted from this SLA, as processing such submissions may take longer than
processing non-escalated submissions. The “days with HITRUST” measure is visible
to customers as part of the assessment details page within MyCSF. Should HITRUST
exceed the stated SLA, customers can request a complimentary report credit by
contacting their Customer Success Manager within 14 days after the final report
has been issued.

Usability improvements on i1 assessments
Those performing i1 assessments will enjoy several usability and quality-of-life
enhancements in MyCSF, including:

 * All i1 assessments feature HITRUST’s enhanced Assessment Workflows, webforms,
   and Kanban-style status tracking boards. For additional details, see HITRUST
   Advisories HAA 2021-007 through HAA 2021-011.
 * Illustrative procedures of HITRUST CSF requirements for versions 9.6 and
   later feature formatting and list items to aid in easily identifying the
   illustrative procedure’s unique content. In i1 assessments, this illustrative
   procedure enhancement applies only to the implemented level (as only the
   implemented control maturity level is considered in i1 assessments). In r2
   assessments, this illustrative procedure enhancement applies to both the
   policy and implemented levels. Pictured below is an example of an implemented
   illustrative procedure featuring this enhancement:
   
 * On i1 assessments, the unique elements associated with each HITRUST CSF
   requirement which must be implemented by the assessed entity and evaluated by
   the External Assessor (referred to as “evaluative elements”) are not shown in
   the requirement’s policy illustrative procedure (as they are in r2
   assessments), because i1 assessments do not consider the policy control
   maturity level. Instead, i1 assessments present each HITRUST CSF
   requirement’s evaluative elements as stand-alone sentences in a numbered
   list. Further, the count of evaluative elements associated with each HITRUST
   CSF requirement is clearly shown in MyCSF for i1 and r2 assessments using
   HITRUST CSF v9.6 and later. An example of the new “Evaluative Elements” count
   is pictured below as well as an example of enumerated and numbered evaluative
   elements.
   
   
 * In i1 and r2 assessments using HITRUST CSF v9.6 and later, a new sampling
   badge is shown in MyCSF for each HITRUST CSF requirement having an
   implemented illustrative procedure that calls for testing a sample. This
   sampling badge helps external assessors quickly and easily identify areas
   where sampling may be required during the testing of the implemented control
   maturity level. When this sampling badge is present, the external assessor is
   expected to perform sample-based testing. If circumstances exist which
   prevent sample-based testing (such as a lack of control occurrences), the
   external assessor must document a rationale (in the test plan and/or in
   external assessor comment fields in MyCSF) for not performing sample-based
   testing for that HITRUST CSF requirement’s implemented control maturity
   level. Pictured below is an example of this sampling badge and accompanying
   mouse-over tooltip. An indicator is present in the new, downloadable test
   plan template (discussed below) showing the requirements possessing this
   sampling badge.
   
 * A new, Excel-based test workbook template will be available for use by
   assessors performing i1 assessments. This template can be downloaded from the
   test plan upload page in MyCSF. External assessors are not required to use
   this test plan template.
 * Assessed entities and their external assessors have flexibility with respect
   to who populates an i1 assessment in MyCSF. Personnel from either the
   assessed entity or their external assessors are allowed to enter control
   maturity scoring and assessment scoping information in i1 assessments. When a
   member of the external assessor enters control maturity scoring and/or
   assessment scoping information, MyCSF will automatically apply the external
   assessor’s thumbs-up / agreement. However, when control maturity scoring
   and/or assessment scoping information is initially entered by the assessed
   entity, a member of the external assessor team is required to evaluate the
   entered data and manually enter their thumbs-up / agreement. This added
   flexibility allows control maturity scoring and assessment scoping
   information to be either (a) initially populated in MyCSF by the assessed
   entity and then manually agreed to by the external assessor (just like in r2
   assessments), and/or (b) populated and auto-agreed entirely by the external
   assessor. There is no preference or option to configure; MyCSF will recognize
   the role (external assessor, standard user) and adjust accordingly. As a
   result of this added flexibility and to reflect that submission of a
   completely and accurately populated MyCSF assessment to HITRUST is ultimately
   the External Assessor’s responsibility, an i1 validated assessment’s
   not-yet-scored requirements are shown in the Kanban-style status view as
   pending the External Assessor team.

HITRUST CSF requirements included in i1 assessments
HITRUST CSF requirements are included in r2 assessments through the combination
of a purposive sample of 75 HITRUST CSF control references required for
certification, the inherent risks present in the assessed environment (such as
whether the scoped system is accessible from the Internet), and the optional
inclusion of regulations and standards such as PCI DSS, HIPAA, and EU GDPR. As a
result, the HITRUST CSF requirements included in r2 assessments can vary from as
few as 198 requirements to nearly 2000 requirements.

A completely different approach drives the selection of HITRUST CSF requirements
included in i1 assessments. HITRUST has carefully selected the HITRUST CSF v9.6
requirements to be included in i1 assessments in light of several factors:

 * The i1 is designed to be an industry-agnostic assessment, so the HITRUST CSF
   requirements included in the i1 assessment and their associated illustrative
   procedures and evaluative elements are also industry-agnostic and do not use
   any terminology specific to the US federal government or germane to any
   specific legislation or authoritative source (e.g. does not include terms
   such as “protected health information”, “cardholder data”, or “authority to
   operate”).
 * The i1 is designed to be an evolving, threat-adaptive certification that
   leverages threat intelligence and best practice controls to deliver an
   assessment that addresses relevant practices and active cyber threats.
   HITRUST evaluated existing information security controls to identify those
   relevant to mitigating known risks and leveraged cyber threat intelligence
   data from a leading threat intelligence provider spanning May 2021 to Oct.
   2021 to influence the selection of technically-focused HITRUST CSF
   requirements included in i1 assessments. As a result, the i1 includes
   controls that were selected exclusively to address emerging cyber threats
   actively being targeted today. HITRUST will review cyber threat intelligence
   data for potential updates to the i1 requirements on a quarterly basis to
   maintain the threat responsive nature of the i1. Updates to the i1
   requirement statement selection will be published as part of either a major
   or minor release of the HITRUST CSF. Consequently, all i1 assessments
   performed against a particular version of the HITRUST CSF will include the
   same requirement statements.
 * The i1 is designed to be a combination of good security hygiene controls and
   cybersecurity best-practice controls. The design affords a high degree of
   coverage against authoritative sources generally viewed as security best
   practices. As a result, the HITRUST CSF requirements included in i1
   assessments provide a high degree of coverage against sources such as the
   HIPAA Security Rule; NIST SP 800-171; the NAIC Data Security Law; the FTC’s
   GLBA Safeguards Rule (both the current version as well as the 2021 proposed
   update); NISTIR 7621: Small Business Information Security Fundamentals; the
   DOL’s EBSA Cybersecurity Program Best Practices; and the HITRUST CSF
   requirements included in HITRUST’s Basic, Current-state (“bC”) assessment.
 * All HITRUST CSF assessment domains and CSF control categories are represented
   in the i1.

Because the i1 consists of a selection of HITRUST CSF requirement statements,
and because HITRUST CSF requirement statements are not included in the free
HITRUST CSF PDF download, organizations interested in seeing the HITRUST CSF
requirements included in an i1 assessment are encouraged to create an i1
assessment in MyCSF.

CAPs, scoring, and certification thresholds on i1 assessments
The scoring and certification thresholds for i1 assessments are different than
those for r2 assessments, as follows:

 * i1 assessment scoring will always be shown as the overall score (e.g., 75,
   100) rather than the maturity rating (e.g., 1-, 3+). Because i1 assessments
   do not include all control maturity levels (and instead focus solely on
   control implementation), the control maturity rating scheme used on r2
   assessments is not suitable for use on i1 assessments. Instead, only scores
   between 0 and 100 are used on i1 assessments.
 * For an i1 validated assessment to result in certification, no assessment
   domain’s straight-average score can be below 83. (To contrast this scoring
   against r2 assessments: For an r2 validated assessment to result in an r2
   certification, no assessment domain’s straight-average score can be below
   62.)
 * For i1 assessments, assessed entities are required to define Corrective
   Action Plans (CAPs) for all HITRUST CSF requirements meeting the following
   criteria: the requirement’s implemented maturity level scores less than
   “fully compliant” / 100 and the associated control reference (e.g., 00.a)
   averages less than 80. For any requirements where the implemented maturity
   level scores less than “fully compliant” / 100 and the associated control
   reference (e.g., 00.a) averages 80 or more, a gap is identified instead of a
   CAP. The difference between a gap and a CAP on an i1 assessment is that
   management of the assessed entity is required to provide a written plan of
   action for remediation of CAPs, but not for gaps.
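A worked implementation of the i1 domain threshold and CAP/gap rules described above, added here as an illustration and not HITRUST's or MyCSF's own code. It assumes that both the domain "straight-average" and the control reference average are arithmetic means of the implemented scores of the requirements they contain; all requirement identifiers and scores are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List

# Thresholds stated in HAA 2021-012 for i1 validated assessments.
FULLY_COMPLIANT = 100         # an implemented score of 100 needs no CAP or gap
I1_DOMAIN_THRESHOLD = 83      # every domain's straight average must be >= this
CAP_REFERENCE_THRESHOLD = 80  # control reference average below this -> CAP


@dataclass(frozen=True)
class Requirement:
    """One HITRUST CSF requirement as scored in an i1 assessment.

    Only the implemented maturity level is scored on i1, so a single
    0-100 score is carried per requirement.
    """
    req_id: str
    domain: str       # assessment domain identifier, e.g. "01"
    control_ref: str  # control reference, e.g. "00.a"
    implemented: int  # implemented maturity level score, 0-100


def _group_averages(reqs: Iterable[Requirement], attr: str) -> Dict[str, float]:
    """Arithmetic mean of implemented scores grouped by one attribute.

    Assumption: both the 'straight-average' domain score and the control
    reference average in the advisory are plain arithmetic means.
    """
    groups: Dict[str, List[int]] = {}
    for r in reqs:
        groups.setdefault(getattr(r, attr), []).append(r.implemented)
    return {k: mean(v) for k, v in groups.items()}


def control_reference_averages(reqs: Iterable[Requirement]) -> Dict[str, float]:
    return _group_averages(reqs, "control_ref")


def domain_averages(reqs: Iterable[Requirement]) -> Dict[str, float]:
    return _group_averages(reqs, "domain")


def classify(req: Requirement, ref_avg: float) -> str:
    """Return "CAP", "gap" or "none" for one requirement.

    CAP:  implemented < 100 and control reference average < 80
    gap:  implemented < 100 and control reference average >= 80
    none: implemented == 100 (fully compliant)
    """
    if req.implemented >= FULLY_COMPLIANT:
        return "none"
    return "CAP" if ref_avg < CAP_REFERENCE_THRESHOLD else "gap"


def evaluate_i1(reqs: List[Requirement]) -> dict:
    """Apply the i1 certification threshold and CAP/gap rules to a scored set."""
    for r in reqs:
        if not 0 <= r.implemented <= FULLY_COMPLIANT:
            raise ValueError(f"{r.req_id}: score {r.implemented} outside 0-100")
    ref_avgs = control_reference_averages(reqs)
    dom_avgs = domain_averages(reqs)
    # A single domain below 83 blocks i1 certification.
    failing = sorted(d for d, avg in dom_avgs.items() if avg < I1_DOMAIN_THRESHOLD)
    return {
        "control_ref_averages": ref_avgs,
        "domain_averages": dom_avgs,
        "classifications": {r.req_id: classify(r, ref_avgs[r.control_ref]) for r in reqs},
        "failing_domains": failing,
        "eligible": bool(reqs) and not failing,
    }


# Constructed sample: identifiers and scores are made up for illustration.
SAMPLE = [
    Requirement("r1", "01", "00.a", 100),
    Requirement("r2", "01", "00.a", 50),   # ref 00.a avg 75 -> CAP; domain 01 avg 75 fails
    Requirement("r3", "06", "10.k", 75),   # ref 10.k avg 87.5 -> gap, not CAP
    Requirement("r4", "06", "10.k", 100),
    Requirement("r5", "06", "10.m", 100),  # domain 06 avg ~91.7 passes
    Requirement("r6", "11", "01.b", 75),   # ref 01.b avg 75 -> CAP; domain 11 avg 87.5 passes
    Requirement("r7", "11", "01.c", 100),
    Requirement("r8", "09", "09.a", 60),   # ref 09.a avg exactly 80 -> gap (boundary case)
    Requirement("r9", "09", "09.a", 100),  # domain 09 avg 80 fails the 83 threshold
]


if __name__ == "__main__":
    result = evaluate_i1(SAMPLE)
    for req_id, outcome in result["classifications"].items():
        print(f"{req_id}: {outcome}")
    print("failing domains:", result["failing_domains"])
    print("eligible for i1 certification:", result["eligible"])
```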

External inheritance on i1 assessments
External assessors and assessed entities of i1 assessments will have two options
to address situations in which a HITRUST CSF requirement is fully or partially
performed by a service provider (such as by a cloud service provider):

 * The Inclusive method, whereby HITRUST CSF requirements performed by the
   service provider are included within the scope of the HITRUST assessment and
   addressed through full or partial inheritance, reliance on third-party
   assurance reports, and/or direct testing.
 * The Exclusive (or Carve-out) method, whereby HITRUST CSF requirements
   performed by the service provider are excluded from the scope of the HITRUST
   CSF assessment and marked as N/A with supporting commentary that specifies
   that the HITRUST CSF requirement is fully performed by a party other than the
   assessed entity (for fully outsourced controls) or through commentary
   describing the excluded partial performance of the control (for partially
   outsourced controls).

HITRUST has always and will continue to require that the inclusive method be
used on all r2 assessments, but HITRUST will allow use of both the inclusive and
exclusive methods on i1 assessments. Regardless of the assessment type or the
approach utilized, the external assessor and/or assessed entity will be required
to specify which method is utilized for each service provider relevant to the
scope of an i1 assessment. Within the assessment object in MyCSF, the assessed
entity and/or the external assessor is required to select Included or Excluded
from a “Consideration in this Assessment” drop-down menu within the “Services
Outsourced for In-Scope Platforms and Facilities” table on the “Scope of the
Assessment” screen. (This value is locked to “Included” for all identified
service providers relevant to the scope of r2 assessments.) This selected method
will then be reflected in the final reports resulting from both r2 and i1
assessments.

Both approaches may be utilized in the same i1 assessment (e.g., using the
inclusive approach on one service provider and the exclusive approach on
another). Applying both the inclusive and carve-out methods for the same service
provider is not permitted, and therefore only one method can be selected for
each service provider relevant to the scope of the assessed entity’s assessment.
In instances in which a requirement is partially performed by the assessed
entity and partially performed by a carved-out service provider, the assessed
entity’s and/or external assessor’s commentary must clearly reflect that the
requirement’s control maturity scoring is reflective of just the requirement’s
performance by the assessed entity.

When the Inclusive method is utilized on i1 assessments, the same options are
available for using the work of others as exist on r2 assessments:

 * Inheritance of results or reliance upon another validated HITRUST CSF
   assessment,
 * Reliance on audits and/or assessments performed by a third party, and/or
 * Reliance on testing performed by the assessed entity (i.e., by internal
   assessors).

When inheritance or reliance methods are utilized to address requirements
performed by a service provider, that service provider must be marked as
Included within the “Services Outsourced for In-Scope Platforms and Facilities”
table on the “Scope of the Assessment” screen within MyCSF.

Cross-assessment-type inheritance is allowed, meaning that an r2 assessment’s
results can be inherited into an i1 assessment (and vice versa). However, only
the implemented level’s scoring can be inherited when inheriting from an i1
assessment into an r2 assessment given that i1 assessments only consider the
implemented maturity level. This limitation does not absolve those involved in
the inheriting r2 assessment from either (a) accurately scoring the policy,
procedure, and optionally measured and managed levels based on supplemental
validation procedures or (b) scoring the policy, procedure, measured and managed
scores at 0 to reflect the inability to ascertain scoring on these control
maturity levels.

While HITRUST anticipates that most organizations that publish their HITRUST
assessments for external inheritance will use r2 assessments rather than i1
assessments, service providers such as Cloud Service Providers (CSPs) do have
the option to perform and publish only i1 assessments. In this case, their
customers/tenants inheriting from them will be limited to inheriting only the
implemented scoring and commentary (no policy, procedure, measured, or managed
scoring will be available for inheritance).

Changes to HITRUST CSF reports
In addition to introducing the HITRUST Implemented, 1-year i1 Certification,
HITRUST is applying layout and formatting updates to the HITRUST Risk-based,
2-year r2 Certification reports, as follows:

--------------------------------------------------------------------------------

Changes to r2 reports

Report Section* / Changes**

 * Cover page: Additional graphics added.
 * 1. HITRUST Background: No changes.
 * 2. Letter of Certification or Letter of Validation: No changes.
 * 3. Representation Letter from Management: Minor wording changes to clarify
   the contents of the Management Representation Letter.
 * 4. Assessment Context: No changes.
 * 5. Scope of the Assessment: No changes.
 * 6. Procedures Performed by the External Assessor: No changes.
 * 7. Assessment Results:
   * Section moved to occur after the PRISMA Control Maturity Model Overview
     section. This change places all sections containing assessment results in
     consecutive order.
   * Section title changed to 8. Results by Control Reference to better
     describe the contents of the section and reflect the reordering of
     sections.
 * 8. PRISMA Control Maturity Model Overview:
   * Section moved to precede section 8. Results by Control Reference. This
     change places all sections containing assessment results in consecutive
     order.
   * Section title changed to 7. PRISMA Control Maturity Model Overview to
     reflect the reordering of sections.
 * 9. Controls by Assessment Domain: Section title changed to 9. Results by
   Assessment Domain to better describe the contents of the section.
 * Appendix A – Corrective Action Plans Required for Certification: No changes.
 * Appendix B – Additional Gaps Identified: Introductory paragraph added to
   describe the Additional Gaps table.
 * Appendix C – Assessment Results: No changes.

*As defined in HITRUST Assurance Advisory 2021-011: HITRUST MyCSF Enhancements –
HITRUST CSF Report Format Changes

**Various sections noted above may include minor wording changes in order to
differentiate between the HITRUST Risk-based, 2-year r2 Validated Assessment and
the HITRUST Implemented, 1-year i1 Validated Assessment.

--------------------------------------------------------------------------------

Differences between i1 and r2 reports

r2 Report Section* / Key Differences in an i1 Report

 * Cover page: No differences.
 * 1. HITRUST Background: No differences.
 * 2. Letter of Certification or Letter of Validation: Language amended to
   indicate the following:
   * A HITRUST i1 Certification is valid for one year.
   * The HITRUST i1 Certification does not require the Assessed Entity to
     demonstrate progress against required CAPs to HITRUST or their External
     Assessor.
   * The HITRUST i1 Certification does not require performance of an Interim
     assessment.
 * 3. Representation Letter from Management: No differences.
 * 4. Assessment Context: HITRUST i1 Validated Assessments do not leverage the
   scoping factors that are utilized for HITRUST r2 Validated Assessments. For
   that reason, rather than an outline of the r2 scoping factors, Section 4 of
   a HITRUST i1 Report will describe the i1 Validated Assessment, the level of
   assurance provided relative to r2 assessments, and the approach used to
   select the HITRUST CSF requirements included in i1 assessments.
 * 5. Scope of the Assessment: No differences.
 * 6. Procedures Performed by the External Assessor:
   * Section 6 of a HITRUST i1 report contains only a description and table
     listing the external assessor’s use of the work of others through external
     inheritance or reliance. The description of other procedures performed by
     the external assessor has been moved to Section 7 of the i1 report.
   * For i1 reports, this section is titled 6. Use of the Work of Others.
 * 7. PRISMA Control Maturity Model Overview:
   * For HITRUST i1 reports, Section 7 will contain a generic description of
     the required validation approach taken by the external assessor to perform
     a HITRUST i1 Validated Assessment. This will include a description of the
     i1 scoring methodology.
   * For i1 reports, the section is titled 7. Assessment Approach.
 * 8. Results by Control Reference: For HITRUST i1 reports, Section 8 contains
   the results of all control references included in all HITRUST i1
   assessments rather than the 75 controls required for HITRUST r2
   Certification.
 * 9. Results by Assessment Domain: No differences.
 * Appendix A – Corrective Action Plans Required for Certification: No
   differences.
 * Appendix B – Additional Gaps Identified: No differences.
 * Appendix C – Assessment Results: No differences.

*Various sections noted above may include minor wording changes in order to
differentiate between the HITRUST Risk-based, 2-year r2 Validated Assessment and
the HITRUST Implemented, 1-year i1 Validated Assessment.

Additional resources
For a list of anticipated questions please click here. For an example of the
HITRUST Implemented, 1-year (i1) Certification Report click here and for an
example of the HITRUST Risk-based, 2-year (r2) Certification Report click here.
For any additional questions, please contact our Support Team or a HITRUST
Customer Success Manager.




HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview


Several changes have been introduced to the contents and format of the CSF
Validated Assessment Reports and Readiness Assessment Report in order to:

 * Streamline the presentation of information
 * More clearly present assessment scope
 * Accommodate changes to format of organization and scoping information
   introduced in HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

The changes to the HITRUST CSF Validated Assessment and Readiness Assessment
Reports are being introduced as part of a larger suite of enhancements to the
MyCSF platform. These enhancements are being announced collectively in a series
of five Assurance Advisories. These Assurance Advisories should be reviewed in
the following order as the concepts introduced in each Assurance Advisory build
upon each other:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

--------------------------------------------------------------------------------

HITRUST CSF Validated Assessment Report

The updates to the HITRUST CSF Validated Assessment Report are summarized in
this table and detailed in the following sections. See Sample – HITRUST CSF
Validated Assessment Report to view a sample report.

Legacy Report Section / New Report Section / Summary of Change(s)

 * 1. HITRUST Background / 1. HITRUST Background: No changes.
 * 2. Letter of Certification or Validation / 2. Letter of Certification or
   Validation: No changes.
 * 3. Representation Letter from Management / 3. Representation Letter from
   Management: No changes.
 * 4. Assessment Context / 4. Assessment Context: This section has been
   streamlined with certain content being removed. See Assessment Context below
   for more details.
 * 5. Scope of Systems in the Assessment / 5. Scope of Systems in the
   Assessment: The format of scope information has been updated for clarity.
   The Overview of the Security Organization from the legacy section “6.
   Security Program Analysis” is now included in section “5. Scope of the
   Assessment”. See Scope of the Assessment below for more details.
 * 6. Security Program Analysis / None: Section removed. See Removal of
   Security Program Analysis below for more details.
 * None / 6. Procedures Performed by the External Assessor: This new section
   describes the procedures performed by the External Assessor and outlines any
   instances in which the External Assessor has relied upon the work of others
   through Inheritance or Reliance. See Procedures Performed by External
   Assessor below for more details.
 * 7. Assessment Results / 7. Assessment Results: No changes.
 * 8. PRISMA Control Maturity Model Overview / 8. PRISMA Control Maturity Model
   Overview: No changes.
 * 9. Controls by Assessment Domain / 9. Controls by Assessment Domain: No
   changes.
 * Appendix A – Testing Summary / None: Section removed. See Removal of
   Appendix A – Testing Summary below for more details.
 * Appendix B – Corrective Action Plans Required for Certification / Appendix A
   – Corrective Action Plans Required for Certification: No changes have been
   made to the content or format of this section. The section name has been
   updated due to the removal of the legacy section, “Appendix A – Testing
   Summary”.
 * Appendix C – Additional Gaps Identified / Appendix B – Additional Gaps
   Identified: No changes have been made to the content or format of this
   section. The section name has been updated due to the removal of the legacy
   section, “Appendix A – Testing Summary”.
 * Appendix D – Assessment Results / Appendix C – Assessment Results: No
   changes have been made to the content or format of this section. The section
   name has been updated due to the removal of the legacy section, “Appendix A
   – Testing Summary”.

--------------------------------------------------------------------------------

HITRUST CSF Validated Assessment Letter with Scope

The updates to the HITRUST CSF Validated Assessment Letter with Scope are
summarized in this table and detailed in the following sections. See Sample –
HITRUST CSF Validated Assessment Letter with Scope to view a sample report.

Legacy Report Section / New Report Section / Summary of Change(s)

 * Letter of Certification or Validation / Letter of Certification or
   Validation: No changes.
 * Assessment Context / Assessment Context: This section has been streamlined
   with certain content being removed. See Assessment Context below for more
   details.
 * Scope of Systems in the Assessment / Scope of the Assessment: The format of
   scope information has been updated for clarity. See Scope of the Assessment
   below for more details.

--------------------------------------------------------------------------------

HITRUST CSF Readiness Assessment Report

The updates to the HITRUST CSF Readiness Assessment Report are summarized in
this table and detailed in the following sections. See Sample – HITRUST CSF
Readiness Assessment Report to view a sample report.

Legacy Report Section / New Report Section / Summary of Change(s)

 * 1. HITRUST Background / 1. HITRUST Background: No changes.
 * 2. Letter of Readiness Assessment / 2. Letter of Readiness Assessment: No
   changes.
 * 3. Representation Letter from Management / 3. Representation Letter from
   Management: No changes.
 * 4. Assessment Context / 4. Assessment Context: This section has been
   streamlined with certain content being removed. See Assessment Context below
   for more details.
 * 5. PRISMA Control Maturity Model Overview / 5. PRISMA Control Maturity Model
   Overview: No changes.
 * 6. Controls by Assessment Domain / 9. Controls by Assessment Domain: No
   changes.
 * Appendix A – Corrective Action Plans Required for Certification / Appendix A
   – Corrective Action Plans Required for Certification: No changes.
 * Appendix B – Additional Gaps Identified / Appendix B – Additional Gaps
   Identified: No changes.

--------------------------------------------------------------------------------

Assessment Context

The Assessment Context section of the HITRUST CSF Validated Assessment Report,
HITRUST CSF Validated Assessment Letter with Scope, and HITRUST CSF Readiness
Assessment Report has been updated to remove the following content:

 * Organization Name and Mailing Address have been removed because this
   information is also included in the Letter of Certification or Validation
   section of the reports and letter.
 * Contact Name, Job Title, and Email Address have been removed as relying
   parties typically already have a point of contact at the Assessed Entity.
 * Company Background has been removed because this information is already
   included in the Scope of Systems in the Assessment section.
 * Number of Employees has been removed because it was not a tailoring question
   to derive the Assessed Entity’s customized set of HITRUST CSF requirements.

Scope of the Assessment

The Scope of Systems in the Assessment section of the HITRUST CSF Validated
Assessment Report and HITRUST CSF Validated Assessment Letter with Scope has
been redesigned to more clearly communicate the scope of the assessment. The
updates to this section also reflect the introduction of Webforms, which
replaced the legacy Organizational Overview and Scope document. For more
information related to the Organization Information and Scope of the Assessment
Webforms, see HAA 2021-009: HITRUST MyCSF Enhancements – Webforms.

The Scope of Systems in the Assessment section now contains the following
subsections:

 * Company Background: The Company Background is populated with the contents of
   the Organization/Company Background field of the Organization Information
   Webform within MyCSF. This section may include information that would have
   previously been included within the legacy Organization and Industry Segment
   Overview and Services / Products Provided subsections.
 * In-scope Platforms and Facilities: The In-scope Platforms and Facilities is
   populated with the contents of the Platforms/Systems table and Facilities
   table of the Scope of the Assessment Webform within MyCSF. This section
   displays the in-scope platforms/systems that would have previously been
   included within the legacy Scope Overview subsection.
 * Services Outsourced: The Services Outsourced is populated with the contents
   of the Services Outsourced for In Scope Platforms and Facilities table of the
   Scope of the Assessment Webform within MyCSF. This section displays the same
   information as the legacy Services Outsourced subsection, but in a tabular
   format for clarity.
 * Overview of the Security Organization: The Overview of the Security
   Organization is populated with the contents of the field of the same name in
   Organization Information Webform within MyCSF. This section includes
   information that would have previously been included within the legacy
   HITRUST CSF Validated Assessment Report section Security Program Analysis.

The subsections of the legacy Scope of Systems in the Assessment section that
have been removed from the HITRUST CSF Validated Assessment Report and HITRUST
CSF Validated Assessment Letter with Scope are:

 * Primary Systems: The Primary Systems subsection has been removed because this
   information now appears in the In-scope Platforms and Facilities subsection.
 * Scope Diagram: The optional Scope Diagram has been removed because the
   information typically displayed in the diagram will now be included in the
   In-Scope Platforms and Facilities subsection.

Removal of Security Program Analysis

The legacy Security Program Analysis section of the HITRUST CSF Validated
Assessment Report has been removed. The subsections of the legacy Security
Program Analysis section have been moved to other sections of the report or
removed as follows:

 * Overview of the Security Organization: The Overview of the Security
   Organization has been moved to the Scope of the Assessment section.
 * Types of Security Tools Deployed: The list of security tools deployed has
   been removed from the HITRUST CSF Validated Assessment Report as it is not
   necessary to readers of the report.
 * Third-Party Assessments: Any attestation reports issued by a third-party that
   are utilized during the External Assessor’s validation procedures through
   external inheritance or reliance are now captured in MyCSF within the Audits
   and Assessments Utilized Webform (described in HAA 2021-009: HITRUST MyCSF
   Enhancements – Webforms). The contents of that webform are included in the
   new Procedures Performed by the External Assessor section of the HITRUST CSF
   Validated Assessment Report.

Procedures Performed by the External Assessor

The Procedures Performed by the External Assessor section has been added to the
HITRUST CSF Validated Assessment Report. This section contains a description of
the procedures performed by the External Assessor to validate the Assessed
Entity’s asserted control maturity scores. This section also includes a table
outlining all attestation reports issued by third-parties that were utilized by
the External Assessor in lieu of direct testing. The table is populated from the
Audits and Assessments Utilized Webform (described in HAA 2021-009: HITRUST
MyCSF Enhancements – Webforms).

Removal of Appendix A – Testing Summary

The legacy Appendix A – Testing Summary of the HITRUST CSF Validated Assessment
Report has been removed. The External Assessor will no longer be required to
provide the lists of documentation reviewed, interviews conducted, and technical
testing performed. Instead, the Procedures Performed by the External Assessor
section now includes a standard description of the types of procedures that the
assessor may have performed, which include:

 * Inquiry with key personnel
 * Inspection of system-generated access listings, logs, configuration settings,
   sample items, and/or evidence
 * On-site observations
 * Reperformance of procedures performed by customer personnel

Implementation

HITRUST CSF Validated Assessment

These report updates will affect HITRUST CSF Validated Assessment Reports and
HITRUST CSF Validated Assessment Letters with Scope for all Validated
Assessments created on or after February 15, 2022, as well as all existing
Validated Assessments meeting all of the following criteria on February 15,
2022:

 * Assessment has not previously been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state
 * No Assessment Domains have been submitted to the External Assessor for review

The HITRUST CSF Letter (without scope) and HITRUST CSF NIST Reports are not
affected by the changes described in this advisory.

HITRUST CSF Readiness Assessments

These report updates will affect HITRUST CSF Readiness Assessment Reports for
all Readiness Assessments created on or after February 15, 2022 as well as all
existing Readiness Assessments meeting all of the following criteria on February
15, 2022:

 * Assessment has never been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

Interim Letters and Bridge Certificates are not affected by the changes
described in this advisory.

Additional Resources

Sample – HITRUST CSF Validated Assessment Report
Sample – HITRUST CSF Validated Assessment Letter with Scope
Sample – HITRUST CSF Readiness Assessment Report



HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview


Tasks in MyCSF give HITRUST Assessed Entities and their HITRUST Authorized
External Assessor Organizations the ability to track and respond to questions
and follow-up items from HITRUST during assessment check-in and QA. Each task
contains an action item for the Assessed Entity or External Assessor resulting
from the check-in or QA review of the assessment by HITRUST.

Some benefits of tasks in MyCSF include:

 * Eliminates email communication from QA Analyst to Assessed Entity or External
   Assessor
 * Automates notifications to Assessed Entity or External Assessor when tasks
   are created
 * Clearly outlines (through individualized action items) what is needed to
   complete QA, including which party is responsible for completion
 * Better tracking of open items that need to be addressed by either Assessed
   Entity or External Assessor to complete QA
 * Better visibility on how long QA items have been open and the state the
   assessment is in
 * Ability to categorize tasks for trending analysis and the ability for HITRUST
   to provide more meaningful feedback to assessor firms

Task functionality is being introduced into MyCSF as part of a larger suite of
enhancements to the MyCSF platform. These enhancements are being announced
collectively in a series of five Assurance Advisories. These Assurance
Advisories should be reviewed in the following order as the concepts introduced
in each Assurance Advisory build upon each other:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Tasks During Check-in

When HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments are
submitted to HITRUST, they enter the Performing Check-In phase in which HITRUST
performs automated QA checks and a high-level review of the assessment. Refer to
HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows for more
information related to the Check-In phase.

For Validated Assessments, when the check-in review identifies a small number of
potential issues, typically related to the required documents and webforms (e.g.
Organization Information, Scope of the Assessment, Factors, VRA, Management
Representation Letter, Test Plans, External Assessor Time Sheet, QA Checklist,
and Audits and Assessments Utilized), HITRUST will create Check-In Tasks within
the assessment for the External Assessor and Assessed Entity to address prior to
the assessment being accepted by HITRUST. After the necessary Check-In Tasks
have been resolved by the External Assessor and Assessed Entity, the assessment
will be accepted by HITRUST and the QA review will begin during the reserved QA
Block.

For Validated Assessments, when the check-in review identifies a larger number
of potential issues, rather than creating Check-In tasks, HITRUST reverts the
assessment back to the Performing Validation phase and supplies the External
Assessor and Assessed Entity with a set of pre-QA quality recommendations to
address the potential issues identified. For more information, refer to the
Performing Check-In section of HAA 2021-007: HITRUST MyCSF Enhancements – New
Assessment Workflows.

For Interim and Bridge Assessments, when questions arise during the check-in
review, HITRUST will create Check-In Tasks within the assessment for the
External Assessor and Assessed Entity to address prior to the assessment being
accepted by HITRUST. After the necessary Check-In Tasks have been resolved by
the External Assessor and Assessed Entity, the assessment will be accepted by
HITRUST and enter a queue to await the QA review.

For Readiness Assessments, when the check-in review identifies an error with the
Management Representation Letter, HITRUST will create a Check-In Task for the
Management Representation Letter to be corrected. After the Check-In Task has
been resolved by the Assessed Entity, the assessment will be accepted by HITRUST
and HITRUST will prepare the draft report.

Tasks During QA

HITRUST CSF Validated, Interim, and Bridge Assessments undergo a Quality
Assurance Review performed by a HITRUST QA Analyst.

As the QA Analyst performs their review of the assessment, they will create QA
Tasks for the External Assessor and Assessed Entity to address. All Assessed
Entity and External Assessor users with access to the assessment in MyCSF will
have access to view all tasks created within an assessment and may edit the
Tasks assigned to their group.

Over the normal course of QA, all QA questions will be sent to the External
Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for
the QA Analyst to send some QA questions through email or offline documents.
However, if the QA review identifies more significant QA concerns than normal,
rather than creating tasks, HITRUST will provide the External Assessor with a
workbook outlining the QA concerns, communicate via email to the External
Assessor and Assessed Entity, and will meet with the External Assessor to review
those concerns to bring them to resolution.

Task Management View



Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment will
contain an Assessment Task Management page that can be accessed by clicking
Tasks in the left navigation bar within an assessment. The Assessment Task
Management page is where Check-In and QA Tasks for a particular assessment can
be addressed and where the status of open and pending tasks can be tracked.

When the Assessment Task Management page is accessed by an Assessed Entity or
External Assessor user, the My Task Queue displays all open tasks assigned to
the user’s group. For a listing of all tasks within the assessment, the All
Tasks tab may be viewed by any user.

The My Task Queue and All Tasks tabs contain the following task information:

 * Assessment Task Number: The unique identifier assigned to the task
 * Name: The name of the task
 * Organization Name: The Assessed Entity organization name
 * Assessment Name: The name of the Assessment that the task is for
 * Assigned: The group to which the task is currently assigned (Subscriber,
   External Assessor, or HITRUST)
 * Type: The type of task (General or Proposed. See the Types of Tasks section
   below for the details of each task type)
 * Date Opened: The date that HITRUST initially opened the task
 * Date Assigned: The date the task was assigned to the group it is currently
   assigned
 * Days Assigned: The number of days the task has been assigned to the current
   group since it was last assigned
 * Date Completed: The date that HITRUST closed the task
 * Status: The status of the task (Open, Pending, or Closed)
   * Open: The task is assigned to the Assessed Entity or External Assessor
     awaiting a response.
   * Pending: The Assessed Entity or External Assessor has responded to the task
     and the task is awaiting review by the Check-in or QA Analyst.
   * Closed: the HITRUST Check-in or QA Analyst agrees that the task has been
     addressed and can be considered complete.

The Assessment Task Management page also contains a pie chart displaying the
number of open and pending tasks assigned to each group, as well as a banner
indicating whether there are any requirement statements or CAPs within the
assessment that require attention due to a change made via a task.

In addition to the assessment-specific Task Management page, Assessed Entity and
External Assessor users may access a global Task Management page from the top
navigation bar of MyCSF to view tasks within all assessments to which the user
has access. When accessing either the global Task Management page or an
assessment-specific Task Management page, the user may sort and filter the tasks
displayed based on the task type, current assigned group, status, and more.
Additionally, users have the option to download a .CSV file containing task
information.

Additional information related to the status of tasks and other open items may
be accessed via the Assessment Details View (see HAA 2021-008: HITRUST MyCSF
Enhancements – Status Dashboards for details).

Types of Tasks

During Check-in and QA, two types of tasks may be created: General Tasks and
Proposed Tasks.

General Tasks

A general task opens a screen or a field to be edited by the Assessed Entity or
External Assessor.

For example, a general task could allow the:

 * Assessed Entity to edit the Organization Information or the Scope of the
   Assessment Webform.
 * External Assessor or Assessed Entity to edit the Audit and Assessments
   Utilized Webform.
 * Assessed Entity to edit the Representation Letter Webform.
 * Assessed Entity to edit the Validated Report Agreement Webform.
 * Assessed Entity to update a CAP (Corrective Action Plan) response.
 * Assessed Entity to edit a Not Applicable rationale.
 * External Assessor to edit document linkages for a requirement statement.

Within a general task, the Assessed Entity and External Assessor will see the
following:

 * Assessment Task Number: The unique identifier assigned to the task
 * Description: A description of the task
 * Name: The name of the task
 * Assigned: The group to which the task is currently assigned (Subscriber,
   External Assessor, or HITRUST)
 * Created: The date that HITRUST initially opened the task
 * Last Assigned: The date that the task was assigned to the group to which it
   is currently assigned
 * Status: The status of the task (Open, Pending, or Closed)
 * Assessment Location: A link to the area of the assessment to which the task
   pertains (example: Factors page, a specific requirement statement, etc.)
 * Field to be Updated: When the assessment field that the task pertains to can
   be updated within the task itself, the field name and its current value are
   present within the task. If an assessment field is not present within the
   task, an Assessment Location link can be used to access the area of the
   assessment to which the task pertains to make the requested update in that
   location.
 * HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to
   describe the question or request within the task
 * New Comments: A field to allow the Assessed Entity, External Assessor, and
   HITRUST Check-In or QA Analyst to comment to each other within the task.
 * History: A log of the creation and assignment changes of the task, as well as
   any changes to assessment fields made within the task

During Check-In and QA, HITRUST will initially assign all general tasks to the
External Assessor. This allows the External Assessor to review each general task
and take one of the following next steps:

 * Address the task: When the general task includes a request from HITRUST to
   update document linkages, Test Plans, the External Assessor Time Sheet, or
   the Audits and Assessments Utilized Webform, the External Assessor may
   address the task by making the requested update on the relevant assessment
   page. After making the requested update, the External Assessor should leave a
   comment within the task to state the update that was made and should send the
   task back to HITRUST.
 * Leave a comment within the task and send it back to HITRUST: If the External
   Assessor would like to respond to the task by leaving a comment or question
   for the Check-in or QA Analyst, the External Assessor may enter their comment
   within the task and send the task back to HITRUST. Some examples for when
   this option may be used are:
   * The task contains a question from HITRUST that does not require any
     assessment content to be updated. In this case, the External Assessor may
     answer the question by leaving a comment within the task and sending the
     task to HITRUST.
   * The task contains a request from HITRUST for assessment content to be
     updated, but the External Assessor does not understand the request or has a
     question related to the request. In this case, the External Assessor may
     leave their question as a comment within the task and send the task to
     HITRUST.
   * The task contains a request from HITRUST for assessment content to be
     updated, but the External Assessor does not agree with the request. In this
     case, the External Assessor may leave a comment within the task to explain
     their disagreement and send the task to HITRUST.
 * Send the task to the Assessed Entity to be addressed: When the general task
   is a request from HITRUST to update the Organization Information Webform,
   Scope of the Assessment Webform, Factors, requirement statement scoring or
   applicability, N/A rationale, Management Representation Letter, VRA, or a CAP
   response, the general task should be sent to the Assessed Entity.

When the External Assessor has assigned a general task to the Assessed Entity,
the Assessed Entity may take one of the following next steps:

 * Leave a comment within the task and send it back to the External Assessor: If
   the Assessed Entity would like to respond to the task by leaving a comment or
   question for the External Assessor or the HITRUST Check-in or QA Analyst, the
   Assessed Entity may enter their comment within the task and send the task
   back to the External Assessor.
   * The task contains a question from HITRUST that does not require any
     assessment content to be updated. In this case, the Assessed Entity may
     answer the question by leaving a comment within the task and sending the
     task to External Assessor.
   * The task contains a request from HITRUST for assessment content to be
     updated, but the Assessed Entity does not understand the request or has a
     question related to the request. In this case, the Assessed Entity may
     leave their question for the External Assessor or HITRUST as a comment
     within the task and send the task to the External Assessor.
   * The task contains a request from HITRUST for assessment content to be
     updated, but the Assessed Entity does not agree with the request. In this
     case, the Assessed Entity may leave a comment within the task to explain
     their disagreement and send the task to the External Assessor.
 * Address the task: When the general task includes a request from HITRUST to
   update the Organization Information Webform, Scope of the Assessment Webform,
   Factors, requirement statement scoring or applicability, N/A rationale,
   Management Representation Letter, VRA, or a CAP response, the Assessed Entity
   may address the task by making the requested update. Depending on the
   instructions within the task, the requested update will either be made within
   the task itself or on the relevant page of the assessment. After addressing
   the task, the Assessed Entity should leave a comment within the task to state
   the update that was made and should send the task back to the External
   Assessor.

General tasks may be sent back and forth between the Assessed Entity and
External Assessor as many times as needed for the task to be addressed. When the
task has been addressed, the External Assessor should send the task to HITRUST.
After the general task has been sent back to HITRUST by the External Assessor,
HITRUST may close the task if it has been appropriately resolved or may leave a
comment in the task to explain any additional action needed and send the task
back to the External Assessor.

The Assessed Entity and External Assessor should also be aware that the actions
taken to resolve a general task may generate additional requirement statements
or CAPs that must be addressed before Check-in or QA is completed. (For more
information refer to the Addressing Check-in Tasks and Addressing QA Tasks
sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment
Workflows.) When any requirement statements or CAPs within the assessment
require attention during Check-in or QA, the Task Management page will display a
banner to indicate that there are requirement statements or CAPs requiring input
or validation. The banner contains a link to the Assessment Homepage where those
requirement statements and CAPs will be identified by the requirement statement
response status. The following scenarios are examples of when a requirement
statement or CAP may require attention during Check-In or QA:

 * When a requirement statement score is updated through a general task, the
   requirement statement will have a status of External Assessor Review Pending
   to allow the External Assessor to review and thumb up the updated score and
   link documents as needed.
 * When a requirement statement score is lowered through a general task, after
   the External Assessor has reviewed and thumbed up the score, new required
   CAPs may be generated. Any requirement statements requiring CAPs during QA
   will have a status of CAP Required to allow the Assessed Entity to enter a
   CAP and then the External Assessor to review the CAP.

Proposed Tasks:

A proposed task allows HITRUST to propose a specific value for a field. For this
type of task, the Assessed Entity or External Assessor can only apply the value
proposed by HITRUST and cannot change any other fields within MyCSF.

For example, a proposed task can be used to change a:

 * Technical Factor answer from ‘No’ to ‘Yes’ or vice versa.
 * Geographical Factor answer from drop-down menu options.
 * Requirement which has been scored to Not Applicable.
 * Maturity level score to a specific proposed value.

Within a proposed task, the Assessed Entity and External Assessor will see the
following:

 * Assessment Task Number: The unique identifier assigned to the task
 * Description: A description of the task
 * Name: The name of the task
 * Assigned: The group to which the task is currently assigned (Subscriber,
   External Assessor, or HITRUST)
 * Created: The date that HITRUST initially opened the task
 * Last Assigned: The date the task was assigned to the group it is currently
   assigned
 * Status: The status of the task (Open, Pending, or Closed)
 * Assessment Location: A link to the area of the assessment to which the task
   pertains (example: Factors page, a specific requirement statement, etc.).
 * Field to be Updated: The name of the assessment field that the proposed
   change is for, as well as its current value and proposed value
 * HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to
   describe the question or request within the task
 * New Comments: A field to allow the Assessed Entity, External Assessor, and
   HITRUST Check-In or QA Analyst to comment to each other within the task.
 * History: A log of the creation and assignment changes of the task as well as
   any changes to assessment fields made within the task.

During Check-In and QA, HITRUST will initially assign all proposed tasks to the
External Assessor. This allows the External Assessor to review each proposed
task and take one of the following next steps:

 * Apply the Proposed Change: The External Assessor may apply any changes
   proposed by HITRUST. This includes proposed tasks to change factor responses
   and requirement statement scoring. The External Assessor is expected to
   discuss any proposed changes with the Assessed Entity prior to applying them.
   After applying the change proposed within the task, the task will
   automatically be sent back to HITRUST. If a proposed change adds additional
   requirements to the assessment (e.g., factor change) or additional required
   CAPs (e.g., certain scoring changes), the Assessed Entity users with access
   to the assessment will be notified of the change via email and MyCSF
   notifications. The notifications outline whether a factor response or
   requirement statement score was changed, the email address of the individual
   who applied the proposed change, and whether there is a new requirement
   statement or CAP to be addressed.
 * Reject the Proposed Change: If the External Assessor does not agree with the
   proposed change, the External Assessor may reject the proposed change. When
   rejecting the proposed change, the External Assessor is required to enter a
   comment within the task to explain why the change was rejected. The task will
   automatically be sent back to HITRUST.
 * Send the task to the Assessed Entity to be addressed: If the External
   Assessor would like the Assessed Entity to review the task and make the
   decision to either apply or reject the proposed change, the External Assessor
   may send the task to the Assessed Entity.

When the External Assessor has assigned a proposed task to the Assessed Entity,
the Assessed Entity may take one of the following steps:

 * Apply the Proposed Change: The Assessed Entity may apply any changes proposed
   by HITRUST. This includes proposed tasks to change factor responses and
   requirement statement scoring. After applying the change proposed within the
   task, the task will automatically be sent back to HITRUST. If a proposed
   change adds additional requirements to the assessment (e.g., factor change)
   or additional required CAPs (e.g., certain scoring changes), the Assessed
   Entity users with access to the assessment will be notified of the change via
   email and MyCSF notifications. The notifications outline: whether a factor
   response or requirement statement score was changed; the email address of the
   individual who applied the proposed change; and whether there is a new
   requirement statement or CAP to be addressed.
 * Reject the Proposed Change: If the Assessed Entity does not agree with the
   proposed change, the Assessed Entity may reject the proposed change. When
   rejecting the proposed change, the Assessed Entity will be required to enter
   a comment within the task to explain why the change was rejected. The task
   will automatically be sent back to HITRUST.

When the proposed task has been either applied or rejected by the Assessed
Entity or the External Assessor, it will be automatically sent back to HITRUST.
HITRUST may close the task if it has been appropriately resolved or may leave a
comment in the task to provide additional explanation or answer a question and
send the task back to the External Assessor. If a proposed task has been
rejected and a different change needs to be proposed, HITRUST will create a new
proposed task. Additionally, if any new issues are identified during check-in or
QA, a new proposed task will be created.

The Assessed Entity and External Assessor should also be aware that the actions
taken to resolve a proposed task may generate additional requirement statements
or CAPs that must be addressed before QA is completed (for more information
refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA
2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows). When any
requirement statements or CAPs within the assessment require attention during
Check-in or QA, the Task Management page will display a banner to indicate that
there are requirement statements or CAPs requiring input or validation. The
banner contains a link to the Assessment Homepage where those requirement
statements and CAPs will be identified by the requirement statement response
status. The following scenarios are examples of when a requirement statement or
CAP may require attention during Check-In or QA:

 * When a factor response is updated through a proposed task, additional
   requirement statements may be added to the assessment with the status
   Response Needed for New Statement to allow the Assessed Entity to score the
   requirement statement and then the External Assessor to review and link
   documents.
 * When a requirement statement score is lowered through a proposed task, new
   required CAPs may be generated. Any requirement statements requiring CAPs
   during QA will have a status of CAP Required to allow the Assessed Entity to
   enter a CAP and then the External Assessor to review the CAP.

Notification of Check-in and QA Tasks

Throughout the Check-in and QA processes, the Assessed Entity and External
Assessors assigned to the assessment will receive email and MyCSF notifications
each time that the assessment changes phase. Those notifications include
information related to tasks and other open items. For more information see HAA
2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.

Assessed Entities and External Assessors will also receive two summary emails
for assessments that are undergoing Check-In and QA. The two additional email
notifications are:

 * Open Item Summary: A summary of all open items (tasks, requirement
   statements, and PQIs) assigned to the Assessed Entity, External Assessor, and
   HITRUST for assessments that have been submitted to HITRUST and are
   undergoing check-in or QA. This email will be received weekly by default.
   However, users have the option to set their email preferences to receive it
   daily.
 * New Item Summary: A summary of all new items (tasks, requirement statements,
   and PQIs) assigned to you for assessments that have been submitted to HITRUST
   and are undergoing check-in or QA. This email will be received daily by
   default. However, users have the option to set their email preferences to
   receive it hourly, daily, weekly, or never.

For instructions on configuring the frequency of these summary emails please see
Summary Email Preferences.

Implementation

HITRUST CSF Validated Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Validated
Assessments created on or after February 15, 2022, as well as all existing
Validated Assessments meeting all the following criteria on February 15, 2022:

 * Assessment has not previously been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state
 * No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

Tasks will be utilized during the Check-In and QA Reviews for all Interim and
Bridge Assessments created on or after February 15, 2022. Interim and Bridge
assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

Tasks will be utilized during the Check-In Review for all Readiness Assessments
created on or after February 15, 2022, as well as all existing Readiness
Assessments meeting all the following criteria on February 15, 2022:

 * Assessment has never been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state

Additional Resources

A video walk-through of the process for responding to tasks is available here.



HAA 2021-009: HITRUST MyCSF Enhancements – Webforms

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview


New webforms are being introduced into MyCSF assessments as part of a larger
suite of enhancements to the MyCSF platform. These enhancements are being
announced collectively in a series of five Assurance Advisories. These Assurance
Advisories should be reviewed in the following order as the concepts build upon
each other:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

The new webforms give HITRUST Assessed Entities and their HITRUST Authorized
External Assessor Organizations the ability to enter organization and scope
information directly into MyCSF; electronically sign key documents; and easily
request draft report revisions.

Benefits of these newly added webforms:

 * Streamlines MyCSF data entry to prevent redundancy and clarify assessment
   scope.
 * Eliminates risk of uploading incomplete offline documents and unreadable
   scanned images.
 * Introduces new quality check automation and tool tips that provide real time
   feedback to help avoid common scoping issues.
 * Streamlines presentation of scope in a tabular format inclusive of in-scope
   platforms and facilities.
 * Clarifies association between platforms and their residing facilities.
 * Simplifies identification of relevant third-party service providers.
 * Introduces ability for Assessed Entities to specify draft report revisions
   and clearly track HITRUST responses to revision requests.

Summary of Changes

The introduction of webforms eliminates the need for the Assessed Entity and
External Assessor to populate and upload the following offline templates:
Organizational Overview & Scope document, Management Representation Letter,
Validated Report Agreement, and QA Checklist.

The Organizational Overview and Scope document will no longer be utilized. The
organization and scoping information previously included within the
Organizational Overview and Scope document will now be entered into MyCSF via
webforms as follows:

Legacy Organizational Overview & Scope Document Section    Webform
---------------------------------------------------------  ---------------------------------
Organization and Industry Segment Overview                 Organization Information
Overview of the Security Organization                      Organization Information
Primary Systems                                            Scope of the Assessment
Outsourced Services                                        Scope of the Assessment
Scope Overview                                             Scope of the Assessment
Scope Description                                          Scope of the Assessment
Third-Party Assessments                                    Audits and Assessments Utilized

The Management Representation Letter, Validated Report Agreement, and QA
Checklist are integrated into MyCSF, providing the Assessed Entity and External
Assessor the ability to sign the documents electronically.

Additionally, the draft report revision request form has been updated to include
new input fields that allow the Assessed Entity to clearly identify each
revision request.

Organization Information Webform

The Organization Information section for HITRUST CSF Validated and Readiness
assessments has been redesigned to serve as the primary location for entering
background information about the Assessed Entity and their security
organization, as well as their contact information and mailing address.

To prevent redundancy, the Organization/Company Background and Overview of the
Security Organization (previously provided in both MyCSF and the offline
Organizational Overview and Scope document) will now be provided only through
completion of the Organizational Information webform in MyCSF. The Organization
Information webform contains guidance and tips to aid the Assessed Entity in
providing appropriate content for the Organization/Company Background and
Overview of the Security Organization fields.

For more information, see the instructions for completing the Organization
Information webform in Pre-Assessment Webforms. To view an example of the
Organization Information webform in the HITRUST CSF Validated and Readiness
Reports, see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report
Format Changes.

Scope of the Assessment Webform

For HITRUST CSF Validated and Readiness assessments, the new Scope of the
Assessment section of MyCSF streamlines the existing Systems and Facilities
tables into a single webform that is now required to be completed by the
Assessed Entity. The webform also includes a section for identifying outsourced
service providers in tabular format, which replaces the free text field labeled
“List any IT or security services outsourced and the third party(ies) involved”
which was previously included on the Organization Information page.

Prior to the introduction of webforms, the Assessed Entity was required to
identify the in-scope systems, facilities, and outsourced services within the
offline Organizational Overview and Scope document, in addition to (optionally)
identifying the in scope systems and facilities within the Systems and
Facilities table in MyCSF. For Validated and Readiness Assessments with webforms
enabled, the offline Organizational Overview and Scope document will be retired
and the new Scope of the Assessment webform will become the primary location for
defining the platforms/systems, facilities, and services outsourced for the
in-scope environment.

For more information, see the instructions for completing the Scope of the
Assessment webform in Pre-Assessment Webforms. To view an example of the Scope
of the Assessment webform in the HITRUST CSF Validated and Readiness Reports,
see HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format
Changes.

QA Checklist Webform

The QA Checklist for HITRUST CSF Validated Assessments (previously manually
signed by the External Assessor’s Engagement Executive and QA Reviewer) has been
digitally integrated into MyCSF.

Prior to signing the QA Checklist webform, the Engagement Executive and QA
Reviewer must be assigned by an External Assessor via a drop-down menu on the
assessment’s Name & Security page. Each drop-down will contain a list of all
External Assessors with access to the assessment. The user making the
assignments must select an individual holding a CCSFP certification for
Engagement Executive and an individual holding a CHQP certification for QA
Reviewer.

The QA Checklist webform introduces several business rules that prevent
incomplete submissions and signing errors and reduce the risk of uploading
unreadable scanned images.

 * To ensure that the correct individuals sign each QA Checklist webform item,
   only assigned Engagement Executives and QA Reviewers can sign the QA
   Checklist webform. Further, the Engagement Executive and QA Reviewer can only
   sign those items on the QA Checklist that apply to their role.
 * MyCSF restricts the ability to sign off on the QA Checklist webform until the
   Test Plan has been uploaded and the External Assessor Time Sheet has been
   completed.
 * MyCSF prevents completion of the assessment’s Performing Validation phase
   until each item on the QA Checklist webform has been verified by the
   appropriate individual. For visibility, all External Assessors with access to
   the assessment will have the ability to view the QA Checklist webform.

Audits and Assessments Utilized Webform

The Audits and Assessments Utilized webform is a new, required MyCSF webform for
HITRUST CSF Validated Assessments. The Audits and Assessments Utilized webform
is completed by the Assessed Entity and External Assessor to document reliance
placed on the work of others through either the usage of the external
inheritance feature within MyCSF or reliance on third-party attestation reports
in support of the validation procedures performed by the External Assessor. This
new webform replaces the Third-Party Assessment section of the offline
Organizational Overview and Scope document.

The Audits and Assessments Utilized webform should be used to identify where the
External Assessor relied upon a third-party attestation report or used external
inheritance during the assessment. For example:

 * Scenario A: If an in-scope platform is hosted by a public cloud provider and
   the External Assessor used external inheritance on certain physical security
   requirements that were the responsibility of the cloud service provider, the
   cloud service provider's inherited HITRUST CSF assessment will automatically
   be identified in this webform.
 * Scenario B: If a relevant managed IT services provider’s third-party
   attestation report (e.g., SOC 2 Type II) is relied upon by the external
   assessor to reflect the service provider’s performance of one or more HITRUST
   CSF requirements, the managed IT services provider’s third-party attestation
   report should be described in this webform.
 * Scenario C: If the External Assessor directly tests certain requirements
   owned by the assessed entity’s colocation provider instead of using external
   inheritance or reliance on a third-party-issued attestation report, that
   colocation provider would not need to be discussed in the Audit and
   Assessments Utilized webform (as no third-party audit or assessment report
   associated with the colocation provider was used). However, the colocation
   provider would need to be identified in the Organization Information webform
   described above.

The two possible utilization approaches that determine how the Audits and
Assessments Utilized webform is populated are Inheritance and Reliance.

 * Inheritance: When external inheritance is applied to a requirement statement
   by the Assessed Entity, MyCSF automatically adds the associated HITRUST CSF
   assessment that was externally inherited and populates that HITRUST CSF
   assessment’s details into the Audits and Assessments Utilized webform
   (including the assessment name, type, report date, and assessment domains for
   which external inheritance was utilized). The External Assessor will be
   required to complete the assessed organization name field and map the
   inherited HITRUST CSF assessment to related in-scope platforms and facilities
   within the Audits and Assessments Utilized webform.
 * Reliance: For any third-party attestation reports being relied upon, the
   External Assessor or Assessed Entity (depending on who uploaded the document)
   must tag the report within the Documents repository or within the requirement
   statement (if uploading the document within a particular requirement
   statement) by checking the box labeled, “Is this an attestation report issued
   by a third party?” After tagging the document as an attestation report issued
   by a third party, the External Assessor or Assessed Entity populates the
   various report details, including assessed organization, report type, and
   report dates. The External Assessor or Assessed Entity must then map the
   utilized third-party attestation report to the related in-scope platforms and
   facilities within the Audits and Assessments Utilized webform.

If the offline assessment template is utilized, the External Assessor or
Assessed Entity may tag documents as attestation reports issued by a third party
by selecting “Yes” in the “Third Party Report?” column within the Documents tab
of the offline assessment workbook. After uploading the offline assessment, the
External Assessor or Assessed Entity must enter the assessed organization,
report type, and report dates within the Audits and Assessments Utilized
webform. Finally, the External Assessor or Assessed Entity must map the utilized
third-party attestation report to the in-scope Platforms and Facilities that are
supported by the relied-upon assessment within the Audits and Assessments
Utilized webform.

For more detailed instructions, see Audits and Assessments Utilized Webform. To
view an example of the Audits and Assessments Utilized webform in the HITRUST
CSF Validated and Readiness Reports, see HAA 2021-011: HITRUST MyCSF
Enhancements – HITRUST CSF Report Format Changes.

Management Representation Letter Webform

The Management Representation Letter (Rep Letter) for HITRUST CSF Validated and
Readiness Assessments (previously signed offline by the Assessed Entity and
manually uploaded to MyCSF) will now be completed through MyCSF using an
electronic signature workflow.

The Rep Letter webform in MyCSF is completed by the Assessed Entity after the
External Assessor team’s fieldwork period has ended and the External Assessor
Timesheet has been completed. The Assessed Entity completes the Rep Letter
webform by:

 * Setting the Rep Letter date on or within two weeks following the end date of
   the External Assessor’s fieldwork period on the External Assessor Time Sheet.
 * Entering the name, job title, and email address of the individual who will
   sign the Rep Letter.
 * Uploading the organization’s logo.

Once the webform is complete, a request to electronically sign the Rep Letter is
sent to the designated management representative for signature via electronic
signature workflow. The signer of the Rep Letter may be any designated
individual from the Assessed Entity’s organization and is not required to have a
MyCSF account. Once signed, the Rep Letter will automatically be loaded into
MyCSF and emailed to the individual who signed it.

Validated Report Agreement Webform

The Validated Report Agreement (VRA) for HITRUST CSF Validated Assessments
(previously signed offline by the Assessed Entity and manually uploaded to
MyCSF) will now be completed through MyCSF using an electronic signature
workflow.

The VRA webform can be completed by the Assessed Entity at any time, and in any
phase, prior to submitting the assessment to HITRUST. The Assessed Entity
completes the VRA webform by:

 * Entering the name, job title, and email address of the individual who will
   sign the VRA.
 * Entering the address of the organization.

Once the webform is populated with the required information, a request to
electronically sign the VRA is sent to the designated individual. The signer of
the VRA may be any designated individual from the Assessed Entity’s organization
and is not required to have a MyCSF account. After being signed by the Assessed
Entity, the VRA is automatically routed to HITRUST for electronic signature. The
Assessed Entity and External Assessor should allow up to one business day for
the VRA to be signed by HITRUST. The Assessed Entity may contact their HITRUST
Customer Success Manager or sales@hitrustalliance.net with any questions related
to signing of the VRA.

Once signed by both parties, the VRA automatically will be loaded into MyCSF
(within one hour) and emailed to the individuals who signed it. At that time, a
green checkmark will appear next to the link to the Validated Report Agreement
on the left navigation bar of MyCSF to indicate that the agreement has been
fully signed.

MyCSF requires that the VRA is signed by both parties — the Assessed Entity and
HITRUST — prior to the assessment being submitted to HITRUST. For that reason,
ensure that the VRA is sent for signature with enough time for both parties to
sign the agreement prior to the assessment’s planned submission date.

Draft Report Revision Request Webform

The process to submit and manage draft report revision requests for HITRUST CSF
Validated and Readiness Assessments has been transformed into an interactive
process using webforms. The updated Revision Request webform includes new input
fields that allow the Assessed Entity to clearly identify each revision request.
For each revision request, the Assessed Entity must indicate:

 * Location of the requested revision identified by the report, section, and
   page number
 * Current text present in the report to be revised
 * Proposed text for the revision

After adding all revision requests to the webform, the Assessed Entity submits
the requests to HITRUST. As the HITRUST QA Analyst reviews each revision request,
the status of each request will be identified as Not Started, Completed, or Not
Accepted. For any request Not Accepted by HITRUST, the QA Analyst will provide
an explanation within the "Rationale" section of the webform.

Once HITRUST addresses all revision requests, the Assessed Entity is notified
and may either request additional revisions or approve the draft report via the
“Approve HITRUST CSF Draft Report” button. The approval process in MyCSF has not
changed.

For more detailed instructions, see Draft Report Revision Requests.

Implementation

HITRUST CSF Validated Assessments

All updates discussed above will be automatically enabled for all Validated
Assessments created on or after February 15, 2022, as well as all existing
Validated Assessments meeting all of the following criteria on February 15,
2022:

 * Assessment has not previously been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state
 * No Assessment Domains have been submitted to the External Assessor for review

HITRUST CSF Readiness Assessments

Updates to the Organization Information, Scope of the Assessment, Representation
Letter, and Draft Report Revision Requests will be automatically enabled for all
Readiness Assessments created on or after February 15, 2022, as well as all
existing Readiness Assessments meeting all of the following criteria on February
15, 2022:

 * Assessment has never been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state

HITRUST CSF Interim and Bridge Assessments

The new webforms do not impact Interim and Bridge assessments.

Additional Resources

FAQs: Webforms
Pre-Assessment Webforms
Audits and Assessments Utilized Webform
Draft Report Revision Requests



HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview


This enhancement to MyCSF introduces several status dashboards to provide
transparency regarding assessment statuses, open action items and their
ownership, and next steps in the assessment workflow. These dashboards include:

 * Kanban View: A Kanban-style board that displays HITRUST CSF Validated
   Assessments as they move through each phase of the Validated Assessment
   Workflow. The board includes key details of each Validated Assessment,
   including:
   * Colored, circle badges depicting responsible parties for action items
   * Summary of open items per organization
   * Time elapsed in current phase
   * HITRUST-assigned point of contact
 * Matrix View: A spreadsheet-style view that displays the date the HITRUST CSF
   Validated Assessment has entered each phase of the Validated Assessment
   Workflow, as well as the number of days the assessment has been in each
   phase.
 * Assessment Details View: A dashboard of assessment metadata and status
   information, including:
   * Key dates along the assessment timeline
   * Open items assigned to the Assessed Entity, External Assessor, and HITRUST
   * Assessment scope

Status dashboards are being introduced as part of a larger suite of enhancements
to the MyCSF platform. These enhancements are being announced collectively in a
series of five Assurance Advisories. These Assurance Advisories should be
reviewed in the following order as the concepts introduced in each Assurance
Advisory build upon each other:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

Kanban View



The Kanban View, which can be accessed from the ‘Views’ page of MyCSF, visually
depicts HITRUST CSF Validated Assessments as they move through the phases of the
new Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF Enhancements –
New Assessment Workflows. The Kanban View contains a column for each phase of
the Validated Assessment Workflow, and each accessible Validated Assessment is
displayed as a card. As the assessment card moves through each phase of the
workflow, the avatar at the top-right corner of the card corresponds to the
color-coded group(s) who own the open action items required to be completed
prior to moving to the next phase. Those icons are labeled as follows:

 * AE: Assessed Entity (blue avatar)
 * EA: External Assessor (purple avatar)
 * HT: HITRUST (red avatar)

Assessed Entities and External Assessors may customize the Kanban View by
configuring the data points and icons shown on their assessment’s cards. The
available data points and icons include:

 * Organization Name
 * Assessment Name
 * Type of Assessment
 * External Assessor
 * Days in Current Phase
 * HITRUST QA Analyst
 * Open Action Items
 * Reservation Status

After configuring the data points as desired, Assessed Entities and External
Assessors may save their customized views for easy access.

By default, the Kanban View will display all Validated Assessments assigned to
the user. The view can be filtered to display a single assessment by searching
for the Assessment Name. The view can also be filtered by the following:

 * Organization Name
 * External Assessor
 * HITRUST QA Analyst

In addition to displaying Validated Assessments that are utilizing the new
Validated Assessment Workflow outlined in HAA 2021-007: HITRUST MyCSF
Enhancements – New Assessment Workflows, the Kanban View may also be toggled to
show the legacy workflow states and the Validated Assessments utilizing the
legacy workflow.

Matrix View



The Matrix View, accessed from the ‘Views’ page of MyCSF, is a spreadsheet-style
view of accessible HITRUST CSF Validated Assessments. The Matrix View can be
viewed within MyCSF or downloaded as a ‘.CSV’ file. The columns of the Matrix
View show the dates the Validated Assessment entered each phase of the new
Assessment Workflow and the number of days the assessment has been in each
phase.

By default, the Matrix View will display all Validated Assessments accessible to
the user. The view can be filtered to display a single assessment by searching
for the Assessment Name. Similarly to the Kanban View, the Matrix View can be
toggled to show Validated Assessments utilizing the Legacy Assessment Workflow.

Assessment Details Page



Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment has an
Assessment Details Page accessed by clicking the assessment name within any
assessment, or by clicking the assessment name on the Kanban View for Validated
Assessments. The Assessment Details page is a dedicated page that summarizes
information about the assessment including:

 * Assessment Data: Organization Name, Assessment Name, Submission Date, etc.
 * Assessment Scope: In-Scope Systems, Facilities and Outsourced Services
   (Validated and Readiness Assessments only)
 * Open Items: Open Tasks, Requirement Statements, and PQIs broken down by owner
   (Assessed Entity, External Assessor, or HITRUST)
 * Assessment Timeline: Timeline displaying the completed phases, current phase,
   and upcoming phases in the Assessment Workflow
 * Days in QA: The number of days the assessment spent with each party (Assessed
   Entity, External Assessor, and HITRUST) during the QA phases

Implementation

Assessed Entities and External Assessors will have access to view all HITRUST
CSF Validated Assessments on the Kanban View and Matrix View starting on
February 15, 2022.

Effective immediately, all HITRUST CSF Validated, Interim, Bridge, and Readiness
Assessments have an Assessment Details Page.

Additional Resources

A video walk-through of each dashboard is available here.



HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
November 4, 2021

Advisory Type
Assurance Change

Overview


A new Assessment Workflow is being introduced as part of a larger suite of
enhancements to the MyCSF platform. These enhancements are being announced
collectively in a series of five Assurance Advisories. These Assurance
Advisories should be reviewed in the following order as the concepts introduced
in each Assurance Advisory build upon each other:

 * HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows
 * HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards
 * HAA 2021-009: HITRUST MyCSF Enhancements – Webforms
 * HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications
 * HAA 2021-011: HITRUST MyCSF Enhancements – HITRUST CSF Report Format Changes

The new Assessment Workflows for HITRUST CSF Validated, Interim, Bridge, and
Readiness Assessments replace the legacy assessment “states” with new “phases”
that are designed to:

 * Clarify the steps required to complete assessments and obtain final reports,
   interim letters, and bridge certificates.
 * Clearly define ownership of each phase of an assessment.
 * Provide improved transparency into the status of an assessment.
 * Reduce reversions of the assessment during the workflow through the
   resequencing of phases.
 * Standardize the phase names across HITRUST CSF Validated, Readiness, Interim,
   and Bridge assessment workflows.

New HITRUST CSF Validated Assessment Workflow

The new Assessment Workflow for HITRUST CSF Validated Assessments consists of
16 workflow phases. The diagram below displays the 16 workflow phases,
including the primary owner(s) of each phase, as well as a comparison to the
legacy workflow states. As shown in the diagram below, each phase maps to a
legacy workflow state. However, the phases are more granularly defined to
increase the transparency regarding assessment status and the remaining items
needed to reach the next phase. The phases do not add steps to the process, but
rather clarify the steps that should be performed by each party as part of the
assessment process.

Throughout the process of completing a Validated Assessment, the Assessed Entity
and External Assessor may view the status of the assessment at any time on a
Kanban-style dashboard which tracks the Validated Assessment as it moves through
each phase of the workflow. HAA 2021-008: HITRUST MyCSF Enhancements – Status
Dashboards describes several status dashboards being introduced as part of this
suite of enhancements.



The table below summarizes each phase of the workflow. The Summary of Key
Changes column highlights certain changes but is not a comprehensive list of
changes. For a detailed description of each phase and the comprehensive list of
changes see New Validated Assessment Workflow and Notifications or click on the
phase name within the table.

Phase 1: Answering Pre-Assessment
Description: The Assessed Entity is responsible for completing each
pre-assessment section: Name & Security, Organization Information, Assessment
Options, Scope of the Assessment, and Factors.
Summary of Key Changes:
 * The offline Organizational Overview and Scope document will be retired. (HAA
   2021-009)
 * The redesigned Organization Information webform and new Scope of the
   Assessment webform will serve as the primary location for capturing
   background information about the Assessed Entity and their security
   organization and for defining the platforms/systems, facilities, and services
   outsourced for the in-scope environment. (Pre-Assessment Webforms)

Phase 2: Answering Assessment
Description: The Assessed Entity scores their assessment and addresses any
triggered potential quality issues (PQIs). The Assessed Entity should also make
a QA Reservation and complete the Validated Report Agreement webform.
Summary of Key Changes: The Validated Report Agreement will now be completed
through MyCSF using an electronic signature workflow. (HAA 2021-009)

Phase 3: Performing Validation
Description: The External Assessor reviews and approves each pre-assessment
section, reviews requirement statement scoring, links relevant documentation,
and addresses any triggered potential quality issues (PQIs). The External
Assessor also completes the Test Plan, Audits and Assessments Utilized Webform,
External Assessor Time Sheet and the QA Checklist.
Summary of Key Changes:
 * The External Assessor will now be required to review and approve each
   pre-assessment section prior to performing validation of the Assessed
   Entity’s scoring of the assessment. (Pre-Assessment Webforms)
 * The External Assessor will now assign their Engagement Executive and QA
   Reviewer on the assessment’s Name & Security page. (HAA 2021-009)
 * The QA Checklist that was previously manually signed by the External
   Assessor’s Engagement Executive and QA Reviewer has been digitally integrated
   into MyCSF. (HAA 2021-009)
 * The Audits and Assessments Utilized webform will be used to document reliance
   placed on the work of others, through either the usage of the external
   inheritance feature within MyCSF or reliance on third-party attestation
   reports in support of the validation procedures performed by the External
   Assessor. (Audits & Assessments Utilized Webform)

Phase 4: Inputting CAPs and Signing Rep Letter
Description: The Assessed Entity enters all required CAPs and signs the
Management Representation Letter.
Summary of Key Changes:
 * The Assessed Entity will now enter the required CAPs prior to the submission
   of the assessment to HITRUST. (HITRUST CSF Validated Assessment
   Pre-Submission Timeline)
 * The Management Representation Letter will now be completed through MyCSF
   using an electronic signature workflow. (HAA 2021-009)

Phase 5: Reviewing CAPs
Description: The External Assessor reviews the required CAP(s) for specificity,
clarity, spelling, grammar and the ability of the Assessed Entity to
demonstrate progress against the CAP.
Summary of Key Changes: The External Assessor will now be required to review
and approve all required CAPs prior to the submission of the assessment to
HITRUST. (CAP Review)

Phase 6: Performing Check-In
Description: HITRUST performs automated QA checks and a high-level review of the
assessment and accompanying required documents and webforms.
Summary of Key Changes: The new workflow phases of Performing Check-In,
Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced
to provide transparency into the check-in process that previously occurred
within the legacy Assessment Submitted to HITRUST state.

Phase 7: Addressing Check-In Tasks
Description: The Assessed Entity and External Assessor address the tasks opened
by HITRUST during check-in.
Summary of Key Changes: If HITRUST’s check-in review identifies a small number
of potential issues, rather than reverting the assessment back to the External
Assessor, HITRUST will open tasks and the assessment will enter the Addressing
Check-In Tasks phase. (HAA 2021-010)

Phase 8: Reviewing Pending Check-In Tasks
Description: HITRUST reviews the tasks addressed by the Assessed Entity and
External Assessor.
Summary of Key Changes: HITRUST closes all tasks that have been resolved by the
Assessed Entity and External Assessor and sends any tasks requiring additional
attention back to the External Assessor with additional comments or
instructions. (HAA 2021-010)

Phase 9: Pending Quality Assurance
Description: The assessment is awaiting the HITRUST QA review to begin during
the reserved QA block.
Summary of Key Changes: The Pending Quality Assurance phase is introduced to
provide transparency into the period between the assessment being accepted by
HITRUST and the QA review starting during the reserved QA block.

Phase 10: Performing QA
Description: The QA Analyst reviews the Pre-Assessment, Required Documents and
Webforms, Core QA, Not Applicable Rationales, Measured and Managed Scores, CAPs,
and Overridden PQIs.
Summary of Key Changes: Over the normal course of QA, all QA questions will be
sent to the External Assessor and Assessed Entity via Tasks within MyCSF,
eliminating the need for the QA Analyst to send some QA questions through email
or offline documents. (HAA 2021-010)

Phase 11: Addressing QA Tasks
Description: The Assessed Entity and External Assessor address the tasks opened
by HITRUST during QA.
Summary of Key Changes:
 * The Assessed Entity and External Assessor address HITRUST’s QA questions
   through tasks. (HAA 2021-010)
 * If the action taken to address a task adds additional requirement statements
   or required CAPs to the assessment, the requirement statements must be scored
   or the CAPs entered by the Assessed Entity and validated by the External
   Assessor during QA. (HAA 2021-010)

Phase 12: Reviewing Pending QA Tasks
Description: The QA Analyst reviews the tasks addressed by the Assessed Entity
and External Assessor.
Summary of Key Changes: HITRUST closes all tasks that have been resolved by the
Assessed Entity and External Assessor and sends any tasks requiring additional
attention back to the External Assessor with additional comments or
instructions. (HAA 2021-010)

Phase 13: Preparing and Reviewing Deliverables
Description: HITRUST prepares and reviews the draft reports.
Summary of Key Changes: The HITRUST CSF Validated Report format has been updated
to streamline the presentation of information, more clearly present assessment
scope, and accommodate changes to the format of the organization and scoping
information webforms. (HAA 2021-011)

Phase 14: Reviewing Draft Deliverables
Description: The Assessed Entity reviews the draft reports.
Summary of Key Changes: An updated Revision Request webform includes new input
fields which allow the Assessed Entity to clearly identify each revision
request. (Draft Report Revision Requests)

Phase 15: Revising Draft
Description: HITRUST either processes the Assessed Entity’s revision requests or
prepares the final reports.
Summary of Key Changes: As the QA Analyst reviews each revision request, the
status of each request is identified as Not Started, Completed, or Not Accepted
by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an
explanation within the “Rationale” section of the webform. (HAA 2021-009)

Phase 16: Complete
Description: The Assessed Entity and External Assessor may access the final
reports.
Summary of Key Changes: No changes; the Complete phase is equivalent to the
legacy Final Report Posted state.

--------------------------------------------------------------------------------

New HITRUST CSF Interim and Bridge Assessment Workflow

The new assessment workflow for HITRUST CSF Interim and Bridge Assessments
features a subset of the phases present in the workflow observed on HITRUST CSF
Validated Assessments. The diagram below displays the new workflow for Interim
and Bridge assessments, including the primary owner(s) of each phase, as well as
a comparison to the legacy workflow states.



The table below summarizes each phase of the workflow. For a detailed
description of each phase, see New Interim and Bridge Assessment Workflow and
Notifications or click the phase name within the table.

Phase 1: Performing Validation
Description: The External Assessor reviews requirement statement scoring, links
relevant documentation, and addresses any triggered potential quality issues
(PQIs).
Summary of Key Changes: No changes; the Performing Validation phase is
equivalent to the legacy Undergoing Interim and Undergoing Bridge Assessment
phases.

Phase 2: Performing Check-In
Description: HITRUST performs automated QA checks and a high-level review of the
assessment.
Summary of Key Changes: The new workflow phases of Performing Check-In,
Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced
to provide transparency into the check-in process that previously occurred
within the legacy Interim Submitted and Bridge Assessment Submitted states. (HAA
2021-010)

Phase 3: Addressing Check-In Tasks
Description: The Assessed Entity and External Assessor address the tasks opened
by HITRUST during check-in.
Summary of Key Changes: If questions arise during the check-in review, HITRUST
will open Check-In Tasks within the assessment for the External Assessor and/or
Assessed Entity to address prior to the assessment being accepted by HITRUST.
(HAA 2021-010)

Phase 4: Reviewing Pending Check-In Tasks
Description: HITRUST reviews the tasks addressed by the Assessed Entity and
External Assessor.
Summary of Key Changes: HITRUST closes all tasks that have been resolved by the
Assessed Entity and External Assessor and sends any tasks requiring additional
attention back to the External Assessor with additional comments or
instructions. (HAA 2021-010)

Phase 5: Pending Quality Assurance
Description: The assessment is awaiting the HITRUST QA review to begin.
Summary of Key Changes: The Pending Quality Assurance phase is introduced to
provide transparency into the period between the assessment being accepted by
HITRUST and the QA review being completed.

Phase 6: Performing QA
Description: The QA Analyst performs the QA review of the assessment.
Summary of Key Changes: Over the normal course of QA, all QA questions will be
sent to the External Assessor and Assessed Entity via Tasks within MyCSF,
eliminating the need for the QA Analyst to send some QA questions through email
or offline documents. (HAA 2021-010)

Phase 7: Addressing QA Tasks
Description: The Assessed Entity and External Assessor address the tasks opened
by HITRUST during QA.
Summary of Key Changes: The Assessed Entity and External Assessor address
HITRUST’s QA questions through tasks. (HAA 2021-010)

Phase 8: Reviewing Pending QA Tasks
Description: The QA Analyst reviews the tasks addressed by the Assessed Entity
and External Assessor.
Summary of Key Changes: HITRUST closes all tasks that have been resolved by the
Assessed Entity and External Assessor and sends any tasks requiring additional
attention back to the External Assessor with additional comments or
instructions. (HAA 2021-010)

Phase 9: Preparing and Reviewing Deliverables
Description: HITRUST prepares and reviews the Interim Letter or Bridge
Certificate.
Summary of Key Changes: No changes; the Preparing and Reviewing Deliverables
phase is equivalent to the legacy Interim Review Complete and Bridge Review
Complete phases.

Phase 10: Complete
Description: The Assessed Entity and External Assessor may access the Interim
Letter or Bridge Certificate.
Summary of Key Changes: No changes; the Complete phase is equivalent to the
legacy Interim Report Posted and Bridge Certificate Posted states.

--------------------------------------------------------------------------------

New Readiness Assessment Workflow

The new assessment workflow for HITRUST CSF Readiness Assessments submitted for
reporting features a subset of the phases present in the workflow observed on
HITRUST CSF Validated Assessments. The diagram below displays the new workflow
for Readiness assessments, including the primary owner of each phase, as well as
a comparison to the legacy workflow states.



The table below summarizes each phase of the workflow. For a detailed
description of each phase see New Readiness Assessment Workflow and
Notifications or click the phase name within the table.

Phase 1: Answering Pre-Assessment
Description: The Assessed Entity is responsible for completing each
pre-assessment section: Name & Security, Organization Information, Assessment
Options, Scope of the Assessment, and Factors.
Summary of Key Changes: The redesigned Organization Information webform and new
Scope of the Assessment webform will serve as the primary location for
capturing background information about the Assessed Entity and their security
organization and for defining the platforms/systems, facilities, and services
outsourced for the in-scope environment. (Pre-Assessment Webforms)

Phase 2: Answering Assessment
Description: The Assessed Entity scores their assessment and addresses any
triggered potential quality issues (PQIs). The Assessed Entity should also make
a QA Reservation and complete the Validated Report Agreement webform.
Summary of Key Changes: The Management Representation Letter will now be
completed through MyCSF using an electronic signature workflow. (HAA 2021-009)

Phase 3: Performing Check-In
Description: HITRUST reviews the Management Representation Letter.
Summary of Key Changes: The new workflow phases of Performing Check-In,
Addressing Check-In Tasks, and Reviewing Pending Check-In Tasks are introduced
to provide transparency into the check-in process that previously occurred
within the legacy Assessment Submitted to HITRUST state.

Phase 4: Addressing Check-In Tasks
Description: The Assessed Entity addresses the task opened by HITRUST during
check-in.
Summary of Key Changes: If HITRUST’s check-in review identifies an issue with
the Management Representation Letter, HITRUST will open a task and the
assessment will enter the Addressing Check-In Tasks phase. (HAA 2021-010)

Phase 5: Reviewing Pending Check-In Tasks
Description: HITRUST reviews the task addressed by the Assessed Entity.
Summary of Key Changes: HITRUST closes the task if it has been resolved. If the
task requires additional attention, HITRUST sends the task back to the Assessed
Entity with comments or instructions, and the assessment returns to the
Addressing Check-In Tasks phase. (HAA 2021-010)

Phase 6: Preparing and Reviewing Deliverables
Description: HITRUST prepares and reviews the draft report.
Summary of Key Changes: The HITRUST CSF Validated Report format has been updated
to streamline the presentation of information. (HAA 2021-011)

Phase 7: Reviewing Draft Deliverables
Description: The Assessed Entity reviews the draft report.
Summary of Key Changes: An updated Revision Request webform includes new input
fields which allow the Assessed Entity to clearly identify each revision
request. (Draft Report Revision Requests)

Phase 8: Revising Draft
Description: HITRUST either processes the Assessed Entity’s revision requests or
prepares the final report.
Summary of Key Changes: As the QA Analyst reviews each revision request, the
status of each request is identified as Not Started, Completed, or Not Accepted
by HITRUST. For any requests Not Accepted by HITRUST, the QA Analyst provides an
explanation within the “Rationale” section of the webform. (HAA 2021-009)

Phase 9: Complete
Description: The Assessed Entity may access the final report.
Summary of Key Changes: No changes; the Complete phase is equivalent to the
legacy Final Report Posted state.

--------------------------------------------------------------------------------

Implementation

HITRUST CSF Validated Assessments

This suite of enhancements to MyCSF will be implemented automatically for all
Validated Assessments created on or after February 15, 2022, as well as all
existing Validated Assessments that meet all of the following criteria on
February 15, 2022:

 * The assessment has not previously been submitted to HITRUST
 * The assessment is in the Not Started or Answering Assessment state
 * No assessment domains have been submitted to the External Assessor for review

HITRUST CSF Interim and Bridge Assessments

This suite of enhancements to MyCSF will be implemented automatically for all
Interim and Bridge Assessments created on or after February 15, 2022. Interim
and Bridge Assessments created prior to February 15, 2022, will not be affected.

HITRUST CSF Readiness Assessments

This suite of enhancements to MyCSF will be implemented automatically for all
Readiness Assessments created on or after February 15, 2022, as well as all
existing Readiness Assessments that meet all of the following criteria on
February 15, 2022:

 * Assessment has never been submitted to HITRUST
 * Assessment is in the Not Started or Answering Assessment state

Additional Resources

FAQs: New Assessment Workflows
New Validated Assessment Workflow and Notifications
New Interim and Bridge Assessment Workflows and Notifications
New Readiness Assessment Workflow and Notifications



HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF Version
Upgrades

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
October 19, 2021

Advisory Type
Assurance Change

Overview


On or before December 4, 2021, HITRUST will introduce a new feature in MyCSF to
allow Assessed Entities to preview the effects of upgrading the CSF version or
making any other changes which impact the composition of a HITRUST CSF Validated
or Readiness Assessment before the change is made.

Update: This feature is now available.

CSF Version Upgrade for a HITRUST CSF Validated or Readiness Assessment

Consistent with the CSF Versioning Policy announced in HAA 2021-005, all new
versions of the HITRUST CSF will be displayed in MyCSF using the versioning
syntax of v[Major].[Minor].[Errata]. In order to provide further transparency
into the updates introduced in each new major, minor, and errata version of the
CSF, MyCSF will allow Assessed Entities to preview the effects of upgrading
their assessment to a new CSF version. The MyCSF preview functionality provides
a high-level summary and a detailed report of all modifications that would
result from upgrading the CSF version utilized for a particular assessment.

The Assessed Entity may preview and upgrade the CSF version at any time while
the assessment is in the Answering Assessment state prior to any assessment
domains being submitted to the External Assessor for validation.

If any new major, minor, or errata versions of the CSF are available, MyCSF
displays the upgrade options to the Assessed Entity upon accessing any of the
following pages:

 * Organization Information
 * Assessment Options
 * Systems
 * Facilities
 * Default Scoring Profile
 * Factors

The upgrade options could include the following based upon the version of the
CSF that the assessment currently utilizes:

 * The most recently released errata version for the same minor CSF version that
   the assessment is currently utilizing (Example: v9.5.0 to v9.5.1)
 * The most recently released minor version for the same major CSF version that
   the assessment is currently utilizing (Example: v9.4 to v9.5.1)
 * The most recently released major version of the CSF (Example: v8 to v9.5.1)

The Assessed Entity is presented with the option to preview the differences
between their current assessment and the assessment that would be created upon
upgrading to the version of the library selected by the Assessed Entity. MyCSF
displays a high-level summary of the differences and the Assessed Entity is
presented with the option to download a detailed report of all modifications to
the assessment including, but not limited to:

 * Addition, Removal, or Modification of a Requirement Statement
 * Modification of a Requirement Statement’s Illustrative Procedure
 * Factor Added or Removed from a Requirement Statement
 * Addition or Removal of an Authoritative Source Mapping for a Requirement
   Statement
 * Modification of the Control Level Implementation of a Requirement Statement
 * Modification of a Requirement Statement’s Control Reference, Control
   Objective, and / or Control Category
 * Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either
proceed with updating the CSF Version or to not apply the update.

Previewing a change to the composition of a HITRUST CSF Validated or Readiness
Assessment

The preview functionality described above is also available at any time that the
Assessed Entity attempts to make a change within MyCSF which will result in a
modification to the composition of their HITRUST CSF Validated or Readiness
Assessment. Examples of these changes include:

 * Changing a Factor response
 * Changing the following options on the Assessment Options page
   * Would you like only the controls required for certification or ALL CSF
     security controls?
   * Include privacy controls?

When making such a change to the assessment, MyCSF displays a high-level summary
of the differences and the Assessed Entity is presented with the option to
download a detailed report of all modifications to the assessment including, but
not limited to:

 * Addition, Removal, or Modification of a Requirement Statement
 * Modification of a Requirement Statement’s Illustrative Procedure
 * Factor Added or Removed from a Requirement Statement
 * Addition or Removal of an Authoritative Source Mapping for a Requirement
   Statement
 * Modification of the Control Level Implementation of a Requirement Statement
 * Modification of a Requirement Statement’s Control Reference, Control
   Objective, and / or Control Category
 * Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either
proceed with making the previewed changes or to not apply them.

Implementation

The CSF version upgrade and preview functionality described above will be
implemented for all HITRUST CSF Validated and Readiness Assessments on or before
December 4, 2021.
Update: This feature is now available.



HAA 2021-005: CSF Versioning Policy

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
October 19, 2021

Advisory Type
Assurance Change

Summary


To provide further transparency to the HITRUST Community, a versioning policy
for the HITRUST CSF is being introduced. The policy defines the criteria for
updates to the HITRUST CSF and the corresponding communications that can be
expected from HITRUST.

Versioning Policy


All CSF versions will now observe the following syntax:
v[Major].[Minor].[Errata]

In support of the syntax HITRUST will observe the following definitions:

Major Release (Example: v8.0.0, v9.0.0, v10.0.0):

 * Changes to CSF structure including:
   * Adding, removing, or material changes to the Categories, Objectives, or
     Control References and corresponding descriptions
   * Updates to the taxonomy of the CSF
 * An Assurance Advisory will be published to announce the change

Minor Release (Example: v9.1.0, v9.2.0, v10.1.0):

 * Material changes to the CSF and related information in the platform
   including:
   * Changing the Control References required for certification or inclusion of
     Requirement Statements in an assessment
   * Adding, removing, or materially changing a Requirement Statement and/or its
     Implementation Requirements
   * Adding, removing, or changing Authoritative Sources, related
     Regulatory/Compliance Factors, or mappings
   * Updates which result in a Requirement Statement moving to a different
     Control Reference, Domain, or Level
   * Material changes to Illustrative Procedures
   * Adding or removing General, Geographic, Organizational, or Technical
     Factors and/or related operational functionality
 * An Assurance Advisory will be published to announce the change

Errata Release (Example: v9.1.2, v9.1.3, v10.0.1):

 * Immaterial changes to the CSF and related information in the platform
   including:
   * Minor updates to CSF categorization vernacular (no material impact)
   * Changes to the Factor Type designation or Topics
   * Immaterial changes to a Requirement Statement and/or Implementation
     Requirements
   * Updates which do not result in a Requirement Statement moving to a
     different Control Reference, Domain, or Level
   * Immaterial changes to the Illustrative Procedures
   * Spelling, punctuation, grammatical, typos or stylistic corrections
 * Adding, removing, or changing Community Supplemental Requirements and
   related information in the platform, related Regulatory/Compliance Factors,
   or mappings*
 * An Assurance Advisory will not be published to announce the change. The new
   release will be available within MyCSF as an optional update to certain
   existing assessments and used as the default version for any newly created
   assessments after the release.

* Due to the nature of Community Supplemental Requirements, modifications to
them do not rise to the level of a minor release, which would necessitate an
advisory/announcement to all HITRUST users.

Implementation and Timeline

Versioning of the HITRUST CSF

Effective as of the release of v9.5.0 all versions of the HITRUST CSF will
observe the versioning syntax of v[Major].[Minor].[Errata] and CSF Versioning
Policy.

MyCSF

Starting with v9.5.0, all CSF Library versions within MyCSF are displayed using
the versioning syntax of v[Major].[Minor].[Errata]. Previous CSF Library
versions will only display the major and minor release.

Additional Information

See HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF
Version Upgrades for related MyCSF enhancements. For additional questions please
contact our Support team.


HAA 2021-004: MyCSF Enhancements for v9.x and later CSF versions

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview


HITRUST continually evaluates necessary changes in MyCSF based on community
feedback and internal review. Through this review, HITRUST has identified
enhancements to improve the overall assessment process. HITRUST is making the
corresponding enhancements to the MyCSF platform which will apply to assessments
utilizing HITRUST CSF versions 9.x and later.

Measured and Managed Maturity Level Options

Description

Within HITRUST CSF Validated assessments, scoring of the Measured and Managed
maturity levels is not required. If included in the assessment, scoring of the
Measured and Managed levels also subjects the assessment to additional QA checks
resulting in additional processing time. As a result, HITRUST will update MyCSF
to provide Assessed Entities with the ability to optionally remove these levels
from their assessments if they do not plan on scoring them. The optional removal
of these maturity levels from the assessment should help prevent accidental
scoring and streamline data entry into MyCSF.

Implementation

Effective immediately, any newly created HITRUST CSF Validated assessment will
require the Assessed Entity to select whether Measured and Managed maturity
levels will be evaluated when configuring the assessment. The configuration
option will appear within the “Assessment Options” menu and will ask “Will you
be scoring Measured and Managed?”.

If “Yes” is selected then the Measured and Managed maturity levels will be
included within each requirement statement for scoring.

If “No” is selected the Measured and Managed maturity levels will not be
available for scoring. When downloading an offline assessment, the Measured and
Managed maturity levels will remain in the downloaded Excel file. However, upon
uploading the offline assessment, no Measured or Managed scores will be
reflected in MyCSF if the option to score these levels was not selected in the
“Assessment Options” menu.

Measured Level Independent and Operational Selections

Description

When evidence is attached to a requirement statement supporting a score in the
Measured maturity level, the Subscriber must select whether the evidence is
related to an “Operational” or “Independent” measure. To simplify the evidence
attachment process, this selection will no longer be needed within MyCSF. The
Subscriber will only need to select that the evidence applies to the Measured
maturity level. It is still expected that the External Assessor will document
within the testing results whether the measure was scored as “Operational” or
“Independent”.

Implementation

Effective June 24, 2021, any newly created HITRUST CSF assessment will no longer
display an option to select whether the evaluated measurement is “Independent”
or “Operational”.

For offline assessments, the column in the “Requirement-Document Mapping” tab
labeled “Measured: Operational or Independent?” will be renamed to “Maturity
Measured Related?” with the only valid responses as “True” or “False”.

For existing assessments that have not previously been submitted to HITRUST for
processing, this can be enabled upon request. To do so please email Support
requesting the disablement of the Operational and Independent checkboxes for the
Measured maturity level and include the following information:

 * Organization Name as it appears in MyCSF
 * Assessment Name as it appears in MyCSF

Scoping Factor Edit Checks

Description

HITRUST CSF assessments will include additional edit checks on the CSF version
9.x scoping factors listed below to avoid inconsistent responses.

 * Is the system(s) accessible from the Internet?
 * Does the system allow users to access the scoped environment from an external
   network that is not controlled by the organization?
 * Is any aspect of the scoped environment hosted on the cloud?

Previously, inconsistent answers had to be corrected during HITRUST’s QA, which
added processing time to certain assessments. This change is being made to
prevent inconsistent responses to these factors from being recorded in the
first place.

Implementation

HITRUST CSF assessments created on or after June 24, 2021 will include
additional edit checks for the scoping factors listed below to avoid
inconsistent responses. The rules will be applied to the following scoping
factor questions:

 1. Is the system(s) accessible from the Internet?
    If “Yes”, then #2 will automatically be answered as “Yes”.
 2. Does the system allow users to access the scoped environment from an
    external network that is not controlled by the organization?
    If “Yes”, then #1 will automatically be answered as “Yes”.
 3. Is any aspect of the scoped environment hosted on the cloud?
    If “Yes”, then #1 and #2 will automatically be answered as “Yes”.

When the system enforces the rule, the correct answer will be automatically
populated and a message in MyCSF will inform the user that this rule was
applied.

For any existing assessments where the three identified scoping factors were
previously answered, the new rules will not be applied unless one or more of
the three responses is updated, at which point the new rules will be applied.

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-003: CAP Identification Changes

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview


HITRUST assessments for CSF versions 9.x and later will no longer create CAPs
for gaps that only exist at the Policy and/or Procedure maturity levels. This
change is being made to continue HITRUST’s emphasis towards the Implemented
maturity level, as described in HITRUST Assurance Advisory 2021-002, without
compromising the integrity or Rely-Ability of the HITRUST CSF Certification.

Implementation and Timeline


HITRUST will not create a required CAP for a gap identified in the Policy and/or
Procedure maturity level if there is not a gap at the Implemented maturity
level. This change will be applied to start on June 24, 2021, as follows:

HITRUST CSF Validated Assessments

For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the
change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated
Assessments participating in the Assurance Enhancements Beta Program, you will
receive an alternate communication to describe how the change will be applied to
your participating assessments.

Table 1

MyCSF State: Not Started; Answering Assessment; Assessment Submitted to
HITRUST; Undergoing QA; Awaiting External Assessor Response to QA; External
Assessor Response Received; Undergoing Compliance Review; Compliance Review
Complete
Application of the Change and Notification:
 * MyCSF will automatically apply the change to the assessment. When the draft
   reports are posted, CAPs will be generated such that a required CAP will not
   be created if gaps only exist at the Policy and/or Procedure maturity levels.

MyCSF State: Draft Report Posted – Awaiting CAP Responses; Draft Report Posted –
CAPs Complete
Application of the Change and Notification:
 * The assigned QA Analyst will manually apply the change to the assessment.
 * A notification of any CAPs that were moved to gaps will be sent to the
   Assessed Entity, External Assessor, and assigned QA Analyst.
 * The assessment will be returned to the Compliance Review Complete state and
   the assigned QA Analyst will post a revised draft report to MyCSF.

MyCSF State: Final Report Posted
Application of the Change and Notification:
 * No changes will be applied to MyCSF by default. Please see the Reissuing
   Reports section of this Advisory for more information.

HITRUST CSF Readiness Reports

All HITRUST CSF Readiness Assessments created on or after June 24, 2021 will
automatically be configured to not create a required CAP if gaps only exist at
the Policy and/or Procedure maturity levels.

For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the
change will be applied by MyCSF state.

Table 2

MyCSF State: Not Started; Answering Assessment; Assessment Submitted to HITRUST
Application of the Change and Notification:
 * MyCSF will automatically apply the change to the assessment.

MyCSF State: Draft Report Posted
Application of the Change and Notification:
 * MyCSF will automatically apply the change to the assessment.
 * The assessment will be returned to the Assessment Submitted to HITRUST state
   and the assigned HITRUST Analyst will post a revised Draft Report to MyCSF.

MyCSF State: Final Report Posted
Application of the Change and Notification:
 * No changes will be applied to MyCSF by default. Please see the Reissuing
   Reports section of this Advisory for more information.

Reissuing Reports

Assessed Entities who are interested in optionally having a Final Report
reissued to reflect this change must meet both of the following criteria in
order to qualify:

 * Have a recently issued Final Report (that used the prior CAP logic), which is
   defined as follows:
   * For HITRUST CSF Validated Assessment reports: An active certification in
     the ‘Final Report Posted’ state within MyCSF
   * For HITRUST CSF Readiness reports: A report dated no earlier than June 24,
     2020
 * Currently be an active MyCSF subscriber with access to the completed
   assessment (assessment cannot be archived).

Assessed Entities who purchased only the HITRUST CSF Readiness or Validated
Assessment report without subscribing to MyCSF are ineligible to have their
report reissued.

Qualified and interested Assessed Entities should contact their Customer Success
Manager to obtain pricing information and initiate the reissuance process.

For Assessed Entities who do have their final report reissued, the following
actions will be taken:

 * Upon initiation of the reissuance process:
   * For HITRUST CSF Validated Assessments, the existing certified assessment
     within MyCSF will be decertified and the existing HITRUST CSF Validated
     Assessment report will be considered invalid.
   * For HITRUST CSF Readiness Assessments, no action will be taken.
 * For both HITRUST CSF Validated and Readiness Assessments, a clone of the
   original assessment will automatically be made and put into a state of
   ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments
   or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness
   Assessments. Upon creation of the clone, the original assessment will be
   automatically archived.
 * A QA analyst will post the revised final report to the cloned assessment in
   MyCSF.
 * For HITRUST CSF Validated Assessments:
   * The cloned assessment will be marked as certified using the date from the
     original assessment, so this change does not alter or extend the date of
     certification.
   * If applicable, the previously completed Interim Assessment will be linked
     to the cloned assessment.

Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments

For Assessed Entities who choose to optionally reissue a HITRUST CSF Validated
Assessment report, there could potentially be an impact on their Interim
Assessment. To understand the potential impact on their Interim Assessment,
Assessed Entities and their External Assessors should review the following
scenarios.

Scenario 1 – The Interim Assessment has not been generated by MyCSF
The Interim Assessment will be automatically generated based upon the new cloned
Validated Assessment.

Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been
submitted to HITRUST
Upon initiating the reissuance process, the existing Interim Assessment will be
refreshed to remove any requirements that were CAPs but have been moved to gaps
as a result of the change to the CSF Validated Assessment, while maintaining at
least one requirement per domain within the Interim Assessment.

Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the
Interim Letter has not been posted
No changes will be applied to the Interim Assessment. HITRUST will link the
existing Interim Assessment to the cloned Validated Assessment.

Scenario 4 – The Interim Assessment has already been completed
No changes will be applied to the Interim Assessment. HITRUST will link the
existing Interim Assessment to the cloned Validated Assessment.

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that
contributes to a mature and robust control environment. As such, HITRUST will be
updating the scoring rubric to further emphasize the Implemented maturity level.
In anticipation of the update to the scoring rubric and prior to the release of
version 10 of the HITRUST CSF, enhancements are being implemented for current
version 9 (v9.x) assessments which are intended to both streamline the
assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or
procedure must be in place is reduced from 90 days to 60 days. This does not
impact the minimum number of days that a control must be in operation when
scoring the Implemented, Measured, or Managed maturity levels, which will remain
at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels
is effective immediately. Implementation of the revision will be as follows:

 * For assessments that have not yet been submitted to HITRUST, Policies and
   Procedures that have been in place for a minimum of 60 days can be scored as
   Fully Compliant, assuming they meet all other aspects of strength and
   coverage as dictated by the scoring rubric and other HITRUST requirements.
 * For assessments that have been submitted to HITRUST for the performance of
   Quality Assurance (QA) procedures but do not yet have a Draft Report, the
   assigned analyst will evaluate the Policy and Procedure maturity levels for
   any selected requirements against the revised 60-day requirement. Please be
   aware that the analyst will not return the assessment to allow for rescoring
   of any requirements not selected for QA procedures based upon the revised
   incubation period.
 * For assessments that have a Draft Report posted but have not yet been
   finalized or have a Final Report posted, no changes will be made based upon
   the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify
the scoring of the policy and procedure maturity levels, HITRUST is modifying
scoring requirements for the Policy and Procedure maturity levels in the current
rubric. Through simplifying the assessment process for Policy and Procedure
maturity levels, HITRUST intends to increase the focus on the Implemented
maturity level.

Implementation

Effective immediately, enforcement of the following requirements is being
modified:

Maturity Level: Policy

Current Strength Criteria:
 i. Demonstrably approved by management,
 ii. Demonstrably communicated to stakeholders in the organization and members
     of the workforce, and
 iii. Clearly communicates management’s expectations of the control(s)
     operation (e.g., using “shall”, “will”, or “must” statements).

Revised Strength Criteria:
A documented policy must specify the mandatory nature of the control requirement
in a written format, which could reside in a document identified as a policy,
standard, directive, handbook, etc.

Scoring Considerations:
 * A policy at the Assessed Entity that meets the Revised Strength Criteria for
   Policy will be at Tier 4 strength in the scoring rubric and would need to be
   evaluated for coverage to determine the final score.
 * A policy at the Assessed Entity that does not meet the Revised Strength
   Criteria for Policy will be at either Tier 1 or Tier 0 strength in the
   scoring rubric, based on whether the current criteria for an undocumented
   policy have been met. Coverage would still need to be evaluated to determine
   the final score, and the scoring considerations for this criterion remain
   unchanged.

Maturity Level: Procedure

Current Strength Criteria:
 i. Demonstrably approved by management,
 ii. Demonstrably communicated to stakeholders,
 iii. Outlines stakeholder responsibilities, and
 iv. Discusses operational aspects such as how, when, who, and on what the
     action/control/requirement is to be performed.

Revised Strength Criteria:
A documented procedure must address the operational aspects of how to perform
the requirement. The procedure should be at a sufficient level of detail to
enable a knowledgeable and qualified individual to perform the requirement.

Scoring Considerations:
 * A procedure at the Assessed Entity that meets the Revised Strength Criteria
   for Procedure will be at Tier 4 strength in the scoring rubric and would need
   to be evaluated for coverage to determine the final score.
 * A procedure at the Assessed Entity that does not meet the Revised Strength
   Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the
   scoring rubric, based on whether the current criteria for an undocumented
   procedure have been met. Coverage would still need to be evaluated to
   determine the final score, and the scoring considerations for this criterion
   remain unchanged.

To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the
analyst will utilize the Revised Strength Criteria when evaluating the Policy
and Procedure maturity levels for the sampled requirement statements. Please be
aware that the analyst will not return the assessment to allow for rescoring of
any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet
the certification threshold. The certification letter currently includes the
Assessed Entity’s organization overview and scope information. An additional
stand-alone certification letter will now be released that does not include the
Assessed Entity’s assessment scope information. This letter is being issued to
allow Assessed Entities the flexibility to provide the correct level of detail
they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the
certification letter for validated assessments that meet the certification
threshold. Below is a breakdown of the information presented in each letter:

Content                                    With Scope   Stand-alone
Signed Certification Letter from HITRUST   ✓            ✓*
Assessment Context                         ✓
Scope of Systems in the Assessment         ✓

(“With Scope” is the CSF Certification Letter with Scope; “Stand-alone” is the
Stand-alone Certification Letter.)

*The stand-alone certification letter also references that a copy of the
certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.


HAA 2021-001: Reservation System for Scheduling HITRUST Quality Assurance for
HITRUST CSF Validated Assessments

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
April 15, 2021

Advisory Type
Assurance Change

Policy/Program Change Details

Summary


On July 1, 2021, HITRUST will enable a Reservation System within the HITRUST
MyCSF platform, requiring Assessed Entities to schedule the start of quality
assurance (QA) procedures for HITRUST CSF Validated Assessments. The Reservation
System is designed to:

 * Eliminate the uncertainty around when HITRUST’s QA procedures will begin,
 * Allow Assessed Entities and their HITRUST Authorized External Assessor
   Organizations to schedule resources to respond to HITRUST’s QA feedback, and
 * Provide the opportunity for QA to occur closer to the submission date.

Key Considerations

Making a Reservation

 * All Assessed Entities will be required to make a reservation prior to
   submission of their HITRUST CSF Validated Assessment. The reservation can be
   made any time prior to submission; however, HITRUST encourages Assessed
   Entities to make their reservations as early as possible. The Reservation
   System will allow reservations up to one year in advance.
 * A Validated Assessment Report Credit is required to make a reservation. If
   you do not have a Validated Assessment Report Credit, you will receive a
   prompt to contact your Customer Success Manager in order to purchase a
   Validated Assessment Report Credit.
 * The submission date of the assessment to HITRUST must be entered into MyCSF
   as part of the reservation process. Assessed Entities should work carefully
   with their HITRUST Authorized External Assessor Organizations to plan their
   submission date as this is the deadline to submit the assessment to HITRUST.
   Failure to submit the assessment by the submission date will result in
   cancellation of the reservation, and a new reservation will need to be made.
 * Reservation slots occur within QA Blocks. QA Blocks are one-week periods
   where HITRUST will begin QA procedures. Each QA Block contains a set number
   of reservations that are possible, with MyCSF displaying the QA Blocks that
   are available to reserve.
 * By the end of the QA Block, HITRUST will have begun QA procedures on the
   assessment. For assessments in the normal QA workflow, organizations should
   typically expect to hear from HITRUST within seven to ten business days
   after the end of the QA Block. Not hearing from HITRUST during the week of
   your scheduled QA Block does not indicate that QA has not started.
 * Prior to booking a reservation, Assessed Entities will need to acknowledge
   the Cancellation Policy. The Cancellation Policy outlines the date by which
   the Assessed Entity can make a modification or cancel the reservation without
   incurring a fee.

Expedited Reservations

HITRUST also offers expedited reservations. Expedited reservations offer access
to QA Blocks that may otherwise be at capacity and also includes priority
processing of the assessment. Available expedited reservations will be shown
within certain QA Blocks. To purchase an expedited reservation, the Assessed
Entity will need to contact their Customer Success Manager.

Starting your Reservation

After submitting a Validated Assessment to HITRUST, the Assessed Entity will
typically receive confirmation that the assessment was accepted by HITRUST. If
the assessment was returned by HITRUST, the Assessed Entity and HITRUST
Authorized External Assessor Organization should work together to remediate the
assessment and resubmit. If the assessment is not resubmitted and accepted by
HITRUST prior to the start of the QA Block, the reservation will be canceled. To
ensure acceptance of an assessment prior to the start of the QA Block, HITRUST
reminds Assessed Entities and External Assessors that they can submit in
advance of the ‘Submission Date’ defined in their reservation.

Implementation and Timeline


For any Validated Assessments submitted to HITRUST for processing on or before
June 30, 2021, HITRUST will continue to process assessments on a first-come,
first-served basis with a priority for Assessed Entities that purchased
expedited processing.

On July 1, 2021, the reservation system will be enabled for all HITRUST CSF
Validated Assessments that have not previously been submitted to HITRUST. A
reservation will be required to be made prior to submission to HITRUST.

Additional Information

A walk-through of the process within MyCSF can be found here, along with
anticipated questions and responses.



SUMMARY OF HITRUST ASSURANCE ADVISORIES 2020

HAA 2020-005: Enhancing Assurance Advisories

Impacted Policy/Program Name: CSF Assurance Program

Date: July 14, 2020

Advisory Type: Assurance Program Communications

Policy/Program Change Details

HITRUST “CSF Implementation & Assurance Implementation Bulletins” will now be
referred to simply as “Assurance Advisories” and will be classified into two
distinct categories: “Assurance Change Advisories” and “Assurance Quality
Advisories.”

“Assurance Change Advisories” will be used to communicate:

 * Enhancements to the MyCSF platform which significantly impact the Assurance
   program.
 * Significant modifications to the assessment methodology and assurance program
   requirements, such as modified assessment documentation requirements.
 * Introduction of a new component of the assessment methodology or a program
   requirement.

“Assurance Quality Advisories” will be used for:

 * Clarifying existing assessment methodology components, assurance program
   requirements, and expectations of assessors and assessed entities based on
   HITRUST’s experience in performing quality assurance reviews of assessment
   submissions.
 * Highlighting new, emerging, or otherwise noteworthy circumstances that may
   affect how assessments are conducted under the existing assessment
   methodology and assurance program requirements.

All advisories will continue to provide a timeline for implementation by both
assessed entities and External Assessors.

Rationale

Categorizing advisories by type will provide additional clarity around changes
to the Assurance program which impact assessed entities and External Assessors.
Furthermore, the creation of “Assurance Quality Advisories” provides a new
vehicle to share guidance and clarification regarding existing assessment
methodologies and program requirements to the HITRUST community.

Timetable for implementation

Effective for all subsequent Advisories.

HAA 2020-004: HITRUST CSF Bridge Assessments

Impacted Policy/Program Name

HITRUST CSF Assurance Program

Date

April 15, 2020

Summary

HITRUST recognizes the challenges that assessed entities may be facing in
completing their HITRUST CSF Validated Assessments and the subsequent possible
impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance
Program, upon which certification is based, incorporates a number of mechanisms
to ensure the assurances provided by a HITRUST CSF Validated Report are
‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time
a report expires. Therefore, given the extent of degradation in the level of
assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF
Certification past its two-year anniversary date.

HITRUST also recognizes that any solution addressing these challenges must
maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal
additional costs and duplication of effort, and provide a reasonable level of
assurance for anyone seeking to rely upon it.

The HITRUST CSF Bridge Assessment provides an interim solution to assist
organizations in addressing these challenges, allowing assessed entities to
demonstrate a continued level of control effectiveness and assert continued
progress towards the next HITRUST CSF Validated Assessment.

Limitations of Forward-Looking Certifications

HITRUST’s forward-looking HITRUST CSF Certification provides value by providing
appropriate assurance that an assessed entity’s scoped control environment will
operate as intended over a specific period of time. As control environments and
threats inevitably change over time, the assurances gained by an assessment will
also lessen over time. This degradation of assurance is anticipated and factored
into the HITRUST CSF Assurance Program’s assessment and quality assurance
methodologies and underlying risk analysis model. The interim assessment,
performed at the one-year anniversary of HITRUST CSF Certification, is designed
to help ensure the assurances provided by certification can be reasonably relied
upon through its second year up until the point of expiration. A new HITRUST CSF
Validated Assessment must then be performed in order to provide reasonable
assurances for another two years.

As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its
two-year anniversary date and still provide the ‘rely-ability’ fundamental to
the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in
this regard; few—if any—other forward-looking information assurance mechanisms
can be extended for periods greater than two years while still offering the
meaningful assurances that stakeholders now expect.

HITRUST CSF Bridge Assessment

HITRUST has subsequently developed an approach that may be useful to some
stakeholders under extraordinary circumstances in which a HITRUST CSF
Certification holder is unable to complete their next HITRUST CSF Validated
Assessment prior to the expiration of their existing HITRUST CSF Certification.
A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to
demonstrate a continued level of control effectiveness while making progress
towards their next HITRUST CSF Validated Assessment.

To mitigate the excessive degradation in assurance that occurs at the end of a
HITRUST CSF Certification period, 19 requirement statements will be randomly
selected by the HITRUST MyCSF® platform from the entity’s previous validated
assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized
External Assessor will then test these requirement statements to confirm their
maturity did not degrade since the previous assessment. This testing will be
reviewed in an expedited manner by HITRUST and—barring indications of control
degradation, significant changes in the environment, or significant QA
issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this
certificate, the assessed entity will have 90 days from the expiration date of
the previous HITRUST CSF Certification to submit a completed validated
assessment to HITRUST.

Important considerations related to HITRUST CSF Bridge Assessments:

 * A HITRUST CSF Bridge Assessment object can be created in MyCSF at any time
   from 60 days prior to the existing HITRUST CSF Certification’s expiration
   through 30 days after the expiration date of the HITRUST CSF Certification.
 * A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more
   than 30 days before and up to 30 days after the expiration date of the
   HITRUST CSF Certification.
 * The testing performed in the HITRUST CSF Bridge Assessment does not need to
   be performed again in the delayed validated assessment. In other words,
   HITRUST will not require re-testing of these 19 requirement statements.
 * HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare
   providers will be prioritized for QA until further notice.
 * HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment
   submission is two to three weeks.

HITRUST CSF Bridge Certificate

A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate
issued by HITRUST that is valid for 90 days from the expiration date of the
organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge
Certificate adds value in providing a minimal but reasonable level of assurance
that the entity’s scoped control environment is unlikely to have degraded
materially since the last validated assessment and by indicating that the entity
has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.

Other important considerations related to HITRUST CSF Bridge Certificates:

 * A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF
   Validated Report with Certification as it does not provide an equivalent
   level of assurance.
 * A HITRUST CSF Bridge Certificate is also not an extension to an existing
   HITRUST CSF Certification (which still expires on the two-year certification
   anniversary).
 * The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from
   the new HITRUST CSF Certification’s two-year validity period.

Qualification Requirements

To qualify for a HITRUST CSF Bridge Assessment, assessed entities:

 * Must have an active HITRUST CSF Validated Report with Certification,
 * Are likely to miss their validated assessment submission due-date, and
 * Haven’t missed that due date by greater than 30 days.

Not all entities holding an active HITRUST CSF Certification will need to
perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is
designed for scenarios in which a due date is missed because of an ongoing
emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a
HITRUST CSF Bridge Certificate may afford necessary additional time. However,
entities should not assume that HITRUST CSF Bridge Certificates will be
universally accepted by business partners and regulators demanding continuous
HITRUST CSF Certification status. Entities should consult with their
stakeholders and relying parties to determine if a HITRUST CSF Bridge
Certificate will be accepted while they await receipt of a new HITRUST CSF
Validated Report with Certification.

Timeline

HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While
HITRUST reserves the right to terminate this option without notice, we intend to
make these assessments available through the calendar year 2020.

Organizations interested in undergoing a HITRUST CSF Bridge Assessment should
contact their HITRUST Customer Success Manager and a HITRUST Authorized External
Assessor.

More Information

Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.

11/18/2020 Update: HITRUST has determined that the bridge assessment option will
remain available until further notice. If this option is terminated, an advisory
on the removal of this option will be communicated.

HAA 2020-003: Assessment Scoping Factor Enhancements Designed to Reduce the
Effort Associated with and Increase the Accuracy of CSF Assessments

Impacted Policy/Program Name

CSF Assurance Program

Date

March 30, 2020

Advisory Type

MyCSF Functionality

Policy/Program Change Details

HITRUST is making the following changes to the assessment scoping factor
questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF
Readiness Assessments:

 * Adding more than ten additional technical scoping factor questions to better
   capture inherent risk factors present in the assessed environments and tailor
   the HITRUST CSF requirements included in assessments accordingly.
 * Re-wording the existing technical scoping factor “Is the system(s) accessible
   by a Third Party?” to further clarify the definition of a third party.
 * Removing the “Are Mobile devices used in the environment?” technical scoping
   factor.
 * Adding additional HITRUST CSF requirements to existing technical scoping
   factors.
 * Adding additional information around certain factors as part of the help
   page.

Additionally, MyCSF will now require an assessed entity to provide a documented
rationale for each technical scoping factor answered “No.” This rationale should
contain sufficient detail to allow the External Assessor and HITRUST QA to
evaluate the “No” answer. These rationales will also appear in the HITRUST CSF
Validated Assessment Report.

Rationale

The changes related to MyCSF’s assessment scoping factors will:

 * Reduce the number of requirement statements that appear in the assessment
   when a factor is marked as “No.”
 * Reduce the amount of repetitive “This is not applicable because…” responses
   that are currently documented during assessments and reflected in HITRUST CSF
   assessment reports. Assessed entities will instead be asked to explain the
   absence of inherent risk factors once rather than multiple times throughout
   the assessment, thus reducing the level of effort required to complete and
   review the assessment.
 * Add clarity around the terminology used in assessment scoping factors.

Timetable for implementation
Effective for all new objects created on or after June 1, 2020.

6/1/20 Update:

 * The changes described in this advisory are now live in MyCSF’s production
   environment. Twelve newly added technical scoping factor questions (e.g.,
   “Are hardware tokens used as an authentication method within the scoped
   environment?”) have been introduced.
 * These newly added scoping factor questions only serve to remove / filter
   requirements from being included in an assessment and do not add any
   requirements to the assessment. When determining which requirements to
   include in an assessment object, MyCSF first uses all other scoping
   information to identify the necessary requirements and THEN removes any
   requirements associated with the twelve newly added scoping factor questions
   when these questions are answered as “No”.
 * All HITRUST CSF assessments benefit from these newly added questions. Instead
   of having to explain why similar requirements aren’t applicable to the
   assessment multiple times (at the requirement level), assessed entities now
   need to explain that the associated risk factor doesn’t apply once (at the
   scoping level). Because of this change, HITRUST anticipates the number of
   requirements marked as Not Applicable on assessments to drop considerably. As
   an added benefit, the speed by which HITRUST’s QA takes place will improve as
   a result of us needing to review fewer requirements marked as Not Applicable.
 * HITRUST has made these new scoping factor questions available on all
   assessment objects, including those created before 6/1/20 so that they may
   optionally benefit from these newly added scoping factor questions. The
   newly added questions default to a visible option of “Please choose an
   option”, which MyCSF treats as “Yes”. The net effect of
   defaulting to a “Yes” value is the same as not having the scoping factors
   present at all: Because these questions are only reductive (never additive),
   no requirements are added or removed from any previously created assessment
   object without action from the assessed entity.
 * Organizations with previously created assessment objects who wish to take
   advantage of these newly added scoping factors, and have not yet submitted
   their assessment to HITRUST, are encouraged to visit the “Admin & Scoping >
   Factors” page, answer the newly added scoping factor questions (providing the
   required “No” explanations where necessary), and then press the “Refresh
   Assessment” button. Requirements linked to any questions answered “No” will
   then be removed from the assessment object.
 * No action is required for Organizations with previously created assessment
   objects who do not wish to take advantage of these newly added scoping factor
   questions.

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the rely-ability of HITRUST CSF Validated Reports and
Certifications, assessors and assessed entities must observe several
requirements related to MyCSF access, training, assessments, reporting, and
control implementation timing. These timing requirements are outlined in the
HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program
Requirements, and the HITRUST CSF Assessment Methodology and include (but are
not limited to):

 * External assessor’s validated assessment fieldwork window (maximum):
   * 90 calendar days prior to the date of submission of the validated
     assessment object to HITRUST.
 * Minimum number of days that a remediated or newly implemented control must
   operate prior to assessor testing:
   * 90 calendar days past the control’s implementation or remediation.
 * Maximum age of testing performed by an Internal Assessor being relied upon by
   an External Assessor:
   * 90 calendar days, as determined by comparing the External Assessor’s
     fieldwork start date to the internal assessor’s fieldwork start date.
 * Window during which HITRUST will accept grammatical changes to a draft
   report:
   * 30 calendar days from issuance of draft report.
 * Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
   * 30 calendar days from issuance of draft report.
 * Interim assessment object submission due date:
   * No later than the 1-year anniversary of the HITRUST CSF Certification
     (based on the HITRUST CSF Validated Report’s date).
 * Validated assessment object submission due date for re-certification efforts:
   * No later than the 2-year anniversary of the HITRUST CSF Certification
     (based on the organization’s previous HITRUST CSF Validated Report date).
 * Duration of MyCSF access for report-only customers:
   * 90 calendar days for validated assessments and 60 calendar days for interim
     assessments.
 * Validity window for the CCSFP certification:
   * Three years, subject to remaining current with required training.
     Practitioners are required to complete an online, annual refresher course
     each of the two years following classroom component completion and attend
     the full class again the third year to maintain the CCSFP certification.
     The training is due no later than the end of the month that corresponds
     with the certification’s original anniversary date.
 * Validity window for the CHQP certification:
   * Two years, and the full CHQP course and accompanying certification exam
     must be retaken no later than the end of the month that corresponds with
     the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these
timing-related requirements may be affected by the ongoing spread of COVID-19.
While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is
not at this time issuing a blanket waiver for any timing requirements as doing
so goes against the overall integrity of the CSF Assurance Program and the
rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to
these timing requirements to organizations who request them. Such requests
should be sent in writing to HITRUST’s Compliance team at
compliance@hitrustalliance.net. All timing extension and modification requests
will be evaluated by HITRUST. Assessed entities and their assessors should not
assume that all requests will be approved. For those organizations that may be
delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF
assessment, we encourage you to keep all stakeholders apprised of the status of
your HITRUST efforts.

HAA 2020-001: Waiver Of On-Site Requirement For Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 5, 2020

Advisory Type

Assurance Program Methodology

In light of the recent spread of COVID-19, HITRUST encourages assessors to
exercise judgement when planning assessment-related travel. Given that HITRUST
assessments take place across the US as well as internationally, we acknowledge
that some HITRUST assessments will be affected more than others. Assessors
should work closely with their clients to adjust travel plans as deemed
necessary. To provide assessors added travel flexibility, HITRUST is waiving the
requirement that in-person / on-site validation procedures be performed at the
assessed entity’s facilities. This temporary waiver is effective immediately.

In situations where assessors choose to leverage alternative approaches such as
video conferencing to perform necessary walkthroughs and observations,
assessment documentation must clearly reflect the nature, timing, and extent of
the alternative approaches used.

We will continue to work closely with assessors to monitor the effectiveness of
alternative walkthrough and observation approaches and the ongoing necessity of
this waiver. An additional advisory will be posted at a later date to reinstate
the on-site fieldwork requirement.


SUMMARY OF HITRUST ASSURANCE ADVISORIES 2019

HAA 2019-011: Relying On The Work Of Internal Assessors

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allow
“External Assessors” (previously referred to as “HITRUST Authorized External
Assessors”) to place reliance on the work of “Internal Assessors”. This updated
guidance will be posted no later than October 17, 2019 as updates to the HITRUST
CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology
documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by
performing in-house testing in advance of an External Assessor’s validated
assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced
CCSFPs who are typically positioned within or engaged by an assessed entity’s
Internal Audit Department but could be positioned within or engaged by any
department meeting specific objectivity requirements, resource qualification
requirements, and approval by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency
and customer cost savings. This change is expected to bring several benefits to
External Assessors and assessed entities. For example:

 * Assessed entities already performing robust pre-assessment testing in advance
   of their HITRUST CSF Validated Assessment can expect lower overall HITRUST
   CSF Assessment costs, as duplicate testing performed by their External
   Assessors can be reduced.
 * Internal personnel with deep knowledge of the organization’s internal
   controls (in groups such as Internal Audit, Risk Management, and Compliance)
   can now have a defined role in the overall HITRUST CSF Assessment process.
 * Assessed entities and their External Assessors now have more flexibility in
   fitting the HITRUST CSF assessment procedures into the assessed entity’s
   broader compliance activities.

Timetable for Implementation

Effective upon recognition as Internal Assessor assigned to an organization.

HAA 2019-010: Updated Documentation Requirements For Relying On Third-Party
Reports

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results
of previously performed audits, assessments, and inspections. This updated
guidance will be posted no later than October 17, 2019 as updates to the HITRUST
CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology
documents.

HITRUST has historically afforded the following two approaches for “External
Assessors” (previously referred to as “HITRUST Authorized External Assessors”)
to rely on the results of previously performed control testing:

 1. Inheritance of the results of other HITRUST CSF Assessments, and
 2. Reliance on audit reports and certifications issued by third-party auditors
    (such as SOC 2 Type II reports) that meet the requirements as established by
    the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope,
and documentation requirements. External Assessors are encouraged to take
particular note of the following new requirements that must be observed when
placing reliance on a third-party audit report:

 * Both the External Assessor and HITRUST Services Corp. must be authorized
   recipients of the third-party audit report. Reliance cannot be placed on a
   third-party audit report that neither HITRUST nor the External Assessor is
   authorized to receive.
 * When designing a reliance strategy, the External Assessor must map the
   applicable / scoped HITRUST CSF requirement statements to the controls /
   requirements tested in the third-party audit. In the absence of this mapping,
   the External Assessor cannot form a meaningful reliance strategy and lacks an
   adequate, demonstrable basis for reliance on the third-party audit report. To
   support HITRUST’s QA efforts, this mapping as well as the third-party audit
   report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

 * Help highlight any over-reliance or unwarranted reliance on the work of other
   auditors and External Assessors.
 * Provide needed clarity and transparency around HITRUST’s expectations around
   timing, scope, and documentation when reliance is placed on the work of
   others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory
for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all
required documents were included in the submission. If documents are missing,
the submission is reverted back to the assessor for correction. Upon acceptance
of a submission, the assessment object is added to the Assurance team’s queue to
await full QA procedures. Average acceptance time of the submission process is
one to three business days.

HAA 2019-009: Updated Scoring Rubric

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in
assessment scoring level determinations, has been overhauled. Key changes
include:

 * Definitions for assessment terminology, assessment examples and guidance on
   important concepts have been added.
 * Scoring lookup tables have been created for each of the five levels of
   HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured,
   and Managed).
 * Replacement of qualitative terms such as none, some, and all with
   quantitative ranges.
 * Removal of ambiguous terms such as “management action” and “ad hoc”.

Rationale

The rubric has been enhanced to bring improved usability, added clarity, and
better harmonization with the assessment guidance provided in HITRUST’s Risk
Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at
https://hitrustalliance.net/csf-assurance-related-programs/ on or before
September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted
and accepted on or after December 31, 2019. All validated assessments that are
in progress and intend to observe the old scoring rubric must be accepted by
HITRUST prior to December 31, 2019. Interim assessments performed after December
31, 2019 will observe the rubric in effect at time of performance of the
validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a
validated assessment within MyCSF is the first step towards acceptance. After
submission, the Assurance team performs certain quality checks; should any of
these checks fail, the submission is reverted to the Assessor for remediation.
Average acceptance time of a submission to HITRUST is one to three business
days.

Since only validated assessments accepted prior to December 31, 2019 will be
QA’d by HITRUST in observance of the previous scoring rubric, it is strongly
recommended that Assessors work with their customers to ensure submissions in
MyCSF are made with enough time to allow for HITRUST acceptance.

HAA 2019-008: Automated Quality Checking Of HITRUST CSF Assessment Objects

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of
CSF assessment objects. Users of MyCSF will have the ability to run these checks
at any time prior to submission of the object to HITRUST; however, the checks
will be automatically run at each “hand off” of the assessment object, such as
when an assessed entity submits the object to their assessor and when the
assessor submits the object to HITRUST. Over 30 distinct quality checks will be
included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the
issue, the flagged comment or scoring, recommendations on how to address, the
option to override / accept the issue and to provide an accompanying
explanation. All potential issues will need to be addressed or accepted (with
explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and
self-assessments. Interim assessments will not be subject to these automated
quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

 * Increasing the consistency of the HITRUST CSF assessment reports, as these
   checks are applied systematically to all validated and self-assessments in
   the same manner.
 * Increasing the quality of the output of HITRUST CSF assessments, as these
   checks will be performed against 100% of the requirement statements included
   in an assessment.
 * Reducing the amount of time elapsing between submission of an assessment to
   HITRUST and delivery of the draft report from HITRUST. Efficiencies are
   gained during HITRUST’s Quality Assurance review of submissions, as certain
   quality issues will be identified prior to submission of the validated
   assessment object to HITRUST.

Note that these automated quality checks have been in use for several months
outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks
into MyCSF and earlier into the assessment lifecycle will not replace the QA
checks performed by HITRUST’s Assurance team against validated assessment
objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

HAA 2019-007: Updated PRISMA Attribute Weights

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA
maturity model are changing. The below graphic shows that the Policy weight is
being reduced to 15 points, the Procedure weight is being reduced to 20 points,
the Implemented weight is being increased to 40 points, the Measured weight is
being reduced to 10 points, and the Managed weight is being increased to 15
points.



Rationale

These updated weights better reflect the value that each maturity level brings
to an organization’s risk management stance. For example, the increased
weighting of the Implemented level (which is now worth double any other single
level) aligns to the priority that mature organizations place on the
implementation and operation of controls relative to other maturity levels.

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment
objects created on or after December 31, 2019. Assessment objects created prior
to December 31, 2019 will continue to observe the current PRISMA attribute
weights. Interim assessments performed after December 31, 2019 will observe the
PRISMA weights in effect at time of performance of the original validated
assessment.

HAA 2019-006: Extension To The Qualification Requirement For Assessor Quality
Assurance (QA) Personnel

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 29, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to
the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to
submission to HITRUST will be required to complete an online course and pass a
test to become a Certified HITRUST Quality Professional (CHQP). Only those
individuals holding an active Certified CSF Practitioner (CCSFP) certification
are eligible to become a CHQP. This course and test will be available online
starting in May 2019.

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources
certified as CHQPs. All Validated Assessment submissions on or after August 1,
2019 will be required to have a QA review performed by a CHQP as evidenced by
sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019
without proper CHQP involvement will be rejected by HITRUST.

This advisory only applies to the timeline for compliance with the Assessor firm
QA reviewer qualification requirement. All other advisories will be enforced
according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support
of HITRUST validated assessments understand the expectations of the role and can
demonstrate this understanding by passing the exam. In addition, it ensures that
all Engagement Executives have the required knowledge of the HITRUST CSF and
HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their
resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

HAA 2019-005: Changes Related To Interim Reviews

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST
Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim
Assessment differs from what has been known as the Interim Review by requiring:

 * Full testing of selected control requirements (INCREASED TESTING
   REQUIREMENT);
 * Rescoring of the tested control requirements (NEW);
 * Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
 * For assess-only reports, full verification that the recreated assessment
   matches the assessment used for issuing the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in
August of 2017, Interim Assessments will be performed with the HITRUST MyCSF.
There will be an Interim Assessment processing fee of $2,900. The processing fee
will be waived for organizations that have an active subscription to the HITRUST
MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an
Interim Assessment and to increase the rigor and oversight by HITRUST, resulting
in an increase in the assurance level provided by the Interim Assessment and
support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at
support@hitrustalliance.net.

HAA 2019-004: Changes To Further Ensure HITRUST Approved Assessor Quality And
Consistency

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations
about changes to the qualification requirement for Engagement Executives and
Assessor Quality Assurance (QA) personnel. It also reiterates the role of the
Engagement Lead.

The first change is a requirement for both the Engagement Executive and the
Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and
either the Engagement Executive or the Quality Assurance Reviewer were required
to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior
to the submission of assessments to HITRUST. People in this role will be
required to complete an online course and pass a test to become a Certified
HITRUST Quality Professional (CHQP). This is in addition to the CCSFP
requirement. Communication will go out once the online course and exam are
available.

Attached to this advisory are additional details on the responsibilities of the
Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF
Assurance Program and are able to perform an effective executive-level review.
The requirement for Assessor QA reviewers to complete an online course is to
ensure that reviewers understand the expectations of their role and can
demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at
support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and
Engagement Leads

HAA 2019-003: Ensuring Clarity Of Scope Of An Assessment

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations
about a change to the assurance process regarding the documentation of the scope
of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the
assessed environment that includes both systems/products and facilities. This
description must clearly define the assessment boundaries. In addition to the
verbose description, a summary table must be provided that further clarifies
what is included and what is not included, so that any discrepancy can be
resolved by reference to the definition. We have attached an illustrative
example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was
assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at
support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

HAA 2019-002: Change Regarding The Number Of Qualified HITRUST Certified CSF
Practitioner (CCSFP) Hours For HITRUST CSF Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the
assurance process regarding the number of qualified (CCSFP) hours required for
validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of
assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing
validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at
support@hitrustalliance.net.

HAA 2019-001: Providing Direction For HITRUST Approved Assessor Organizations

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations
about a change to the HITRUST CSF Assurance Program regarding the performance
and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following
documentation with all validated assessments:

 * Test Plan that covers testing of all required controls. It must meet the
   minimum test plan requirements documented in the HITRUST CSF Assurance
   Program Requirements.
 * 100% of working papers. They must meet the minimum working paper requirements
   documented in the HITRUST CSF Assurance Program Requirements. We have
   attached a copy of the Assurance Program Documentation Requirements to this
   advisory.
 * HITRUST Authorized External Assessor Quality Checklist signed by the
   Engagement Executive and Assessor QA Resource. The Quality Checklist can be
   found in the HITRUST MyCSF and should always be downloaded from the HITRUST
   MyCSF to ensure use of the latest version. We have also attached a copy to
   this advisory.

Rationale

This change is to ensure the consistency and quality of assessment
documentation, ensure compliance with the HITRUST Assurance Program
requirements, and make the HITRUST QA process more efficient. The HITRUST
Authorized External Assessor’s QA process should identify and address most
issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at
support@hitrustalliance.net.

Attachments

HITRUST CSF Assurance Program Documentation Requirements

HITRUST Authorized External Assessor Quality Checklist

Archives 2017/2016

For more information, contact: support@hitrustalliance.net.


ASSURANCE ADVISORIES

HITRUST Assurance Advisories are communications that notify HITRUST Assurance
Program stakeholders of enhancements, changes, and/or provide additional
guidance regarding the HITRUST Assurance Program requirements and supporting
methodologies and tools. All Assurance Advisories contain important information
regarding adoption requirements, scope, and timing, which can impact HITRUST
Assurance Program stakeholders.

All HITRUST Assurance Program stakeholders should review each Assurance Advisory
to understand the potential impact on them.



SUMMARY OF HITRUST ASSURANCE ADVISORIES 2021

HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that
contributes to a mature and robust control environment. As such, HITRUST will be
updating the scoring rubric to further emphasize the Implemented maturity level.
In anticipation of the update to the scoring rubric and prior to the release of
version 10 of the HITRUST CSF, enhancements are being implemented for current
version 9 (v9.x) assessments which are intended to both streamline the
assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or
procedure must be in place is reduced from 90 days to 60 days. This does not
impact the minimum number of days that a control must be in operation when
scoring the Implemented, Measured, or Managed maturity levels, which will remain
at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels
is effective immediately. Implementation of the revision will be as follows:

 * For assessments that have not yet been submitted to HITRUST, Policies and
   Procedures that have been in place for a minimum of 60 days can be scored as
   Fully Compliant, assuming they meet all other aspects of strength and
   coverage as dictated by the scoring rubric and other HITRUST requirements.
 * For assessments that have been submitted to HITRUST for the performance of
   Quality Assurance (QA) procedures but do not yet have a Draft Report, the
   assigned analyst will evaluate the Policy and Procedure maturity levels for
   any selected requirements against the revised 60-day requirement. Please be
   aware that the analyst will not return the assessment to allow for rescoring
   of any requirements not selected for QA procedures based upon the revised
   incubation period.
 * For assessments that have a Draft Report posted but have not yet been
   finalized or have a Final Report posted, no changes will be made based upon
   the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify
the scoring of the policy and procedure maturity levels, HITRUST is modifying
scoring requirements for the Policy and Procedure maturity levels in the current
rubric. Through simplifying the assessment process for Policy and Procedure
maturity levels, HITRUST intends to increase the focus on the Implemented
maturity level.

Implementation

Effective immediately, enforcement of the following requirements is being
modified:

Maturity Level: Policy

Current Strength Criteria:
 i. Demonstrably approved by management,
 ii. Demonstrably communicated to stakeholders in the organization and members
     of the workforce, and
 iii. Clearly communicates management’s expectations of the control(s) operation
      (e.g., using “shall”, “will”, or “must” statements).

Revised Strength Criteria:
A documented policy must specify the mandatory nature of the control requirement
in a written format which could reside in a document identified as a policy,
standard, directive, handbook, etc.

Scoring Considerations:
 * A policy at the Assessed Entity that meets the Revised Strength Criteria for
   Policy will be at Tier 4 strength in the scoring rubric and would need to be
   evaluated for coverage to determine the final score.
 * A policy at the Assessed Entity that does not meet the Revised Strength
   Criteria for Policy will be at either Tier 1 or Tier 0 strength in the
   scoring rubric based on whether the current criteria for an undocumented
   policy have been met.

   Coverage would still need to be evaluated to determine the final score, and
   the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure

Current Strength Criteria:
 i. Demonstrably approved by management,
 ii. Demonstrably communicated to stakeholders,
 iii. Outlines stakeholder responsibilities, and
 iv. Discusses operational aspects such as how, when, who, and on what the
     action/control/requirement is to be performed.

Revised Strength Criteria:
A documented procedure must address the operational aspects of how to perform
the requirement. The procedure should be at a sufficient level of detail to
enable a knowledgeable and qualified individual to perform the requirement.

Scoring Considerations:
 * A procedure at the Assessed Entity that meets the Revised Strength Criteria
   for Procedure will be at Tier 4 strength in the scoring rubric and would need
   to be evaluated for coverage to determine the final score.
 * A procedure at the Assessed Entity that does not meet the Revised Strength
   Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the
   scoring rubric based on whether the current criteria for an undocumented
   procedure have been met.

   Coverage would still need to be evaluated to determine the final score, and
   the scoring considerations for these criteria remain unchanged.


To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the
analyst will utilize the Revised Strength Criteria when evaluating the Policy
and Procedure maturity levels for the sampled requirement statements. Please be
aware that the analyst will not return the assessment to allow for rescoring of
any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet
the certification threshold. The certification letter currently includes the
Assessed Entity’s organization overview and scope information. An additional
stand-alone certification letter will now be released that does not include the
Assessed Entity’s assessment scope information. This letter is being issued to
allow Assessed Entities the flexibility to provide the correct level of detail
they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the
certification letter for validated assessments that meet the certification
threshold. Below is a breakdown of the information presented in each letter:

Content                                  | CSF Certification Letter with Scope | Stand-alone Certification Letter
Signed Certification Letter from HITRUST | ✓                                   | ✓*
Assessment Context                       | ✓                                   |
Scope of Systems in the Assessment       | ✓                                   |

*Stand-alone certification letter also references that a copy of the
certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.


SUMMARY OF HITRUST ASSURANCE ADVISORIES 2020

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the reliability of HITRUST CSF Validated Reports and
Certifications, assessors and assessed entities must observe several
requirements related to MyCSF access, training, assessments, reporting, and
control implementation timing. These timing requirements are outlined in the
HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program
Requirements, and the HITRUST CSF Assessment Methodology and include (but are
not limited to):

 * External assessor’s validated assessment fieldwork window (maximum):
   * 90 calendar days prior to the date of submission of the validated
     assessment object to HITRUST.
 * Minimum number of days that a remediated or newly implemented control must
   operate prior to assessor testing:
   * 90 calendar days past the control’s implementation or remediation.
 * Maximum age of testing performed by an Internal Assessor being relied upon by
   an External Assessor:
   * 90 calendar days, as determined by comparing the External Assessor’s
     fieldwork start date to the internal assessor’s fieldwork start date.
 * Window during which HITRUST will accept grammatical changes to a draft
   report:
   * 30 calendar days from issuance of draft report.
 * Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
   * 30 calendar days from issuance of draft report.
 * Interim assessment object submission due date:
   * No later than the 1-year anniversary of the HITRUST CSF Certification
     (based on the HITRUST CSF Validated Report’s date).
 * Validated assessment object submission due date for re-certification efforts:
   * No later than the 2-year anniversary of the HITRUST CSF Certification
     (based on the organization’s previous HITRUST CSF Validated Report date).
 * Duration of MyCSF access for report-only customers:
   * 90 calendar days for validated assessments and 60 calendar days for interim
     assessments.
 * Validity window for the CCSFP certification:
   * Three years, subject to remaining current with required training.
     Practitioners are required to complete an online, annual refresher course
     each of the two years following classroom component completion and attend
     the full class again the third year to maintain the CCSFP certification.
     The training is due no later than the end of the month that corresponds
     with the certification’s original anniversary date.
 * Validity window for the CHQP certification:
   * Two years, and the full CHQP course and accompanying certification exam
     must be retaken no later than the end of the month that corresponds with
     the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these
timing-related requirements may be affected by the ongoing spread of COVID-19.
While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is
not at this time issuing a blanket waiver for any timing requirements, as doing
so goes against the overall integrity of the CSF Assurance Program and the
reliability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to
these timing requirements to organizations that request them. Such requests
should be sent in writing to HITRUST’s Compliance team at
compliance@hitrustalliance.net. All timing extension and modification requests
will be evaluated by HITRUST. Assessed entities and their assessors should not
assume that all requests will be approved. For those organizations that may be
delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF
assessment, we encourage you to keep all stakeholders apprised of the status of
your HITRUST efforts.


SUMMARY OF HITRUST ASSURANCE ADVISORIES 2019

HAA 2019-008: Automated Quality Checking Of HITRUST CSF Assessment Objects

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of
CSF assessment objects. Users of MyCSF will have the ability to run these checks
at any time prior to submission of the object to HITRUST; however, the checks
will be automatically run at each “hand off” of the assessment object, such as
when an assessed entity submits the object to their assessor and when the
assessor submits the object to HITRUST. Over 30 distinct quality checks will be
included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the
issue, the flagged comment or scoring, recommendations on how to address it, and
the option to override or accept the issue with an accompanying explanation. All
potential issues will need to be addressed or accepted (with explanation) before
the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and
self-assessments. Interim assessments will not be subject to these automated
quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

 * Increasing the consistency of the HITRUST CSF assessment reports, as these
   checks are applied systematically to all validated and self-assessments in
   the same manner.
 * Increasing the quality of the output of HITRUST CSF assessments, as these
   checks will be performed against 100% of the requirement statements included
   in an assessment.
 * Reducing the amount of time elapsing between submission of an assessment to
   HITRUST and delivery of the draft report from HITRUST. Efficiencies are
   gained during HITRUST’s Quality Assurance review of submissions, as certain
   quality issues will be identified prior to submission of the validated
   assessment object to HITRUST.

Note that these automated quality checks have been in use for several months
outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks
into MyCSF and earlier into the assessment lifecycle will not replace the QA
checks performed by HITRUST’s Assurance team against validated assessment
objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.


© 2023 HITRUST Alliance