How do the HITRUST Assurance Advisories Affect Your Program?

Three new HITRUST Assurance Advisories were released in June, ahead of the CSF v9.5 update.  Learn how the Assurance Advisories will impact the program stakeholders, affect scope and timing, and have an impact on your current and future HITRUST assessment.  

HITRUST Releases New Assurance Advisories 

Three new HITRUST Assurance Advisories were released on June 7, 2021, ahead of the CSF v9.5 update.  This was done with the objective to help both assessed entities and assessor firms save time and effort while preparing, submitting, and completing a HITRUST CSF Validated Assessment.  

HITRUST Assurance Advisories are communications that notify the HITRUST CSF Assurance Program stakeholders of any changes, additions, requirement guidance, supporting methodologies and new tools.  All Assurance Advisories will impact the program stakeholders and provide information regarding adoption, requirements, scope, timing and expected impact.  

HITRUST CSF Validated Assessment Enhancements 

In the HITRUST Assurance Quality Advisory (HAA 2021-002), the policy and procedures incubation period was reduced from 90 days to 60 days. This reduction means your organization can now submit an assessment faster as opposed to waiting an additional 30 days to make changes to a policy and procedure document before the auditor can test.  This will not change the 90-day period for a control to be in place to test the implemented, measured and managed maturity levels. This revised incubation period for policy and procedures goes into effect immediately but will only affect assessments not started and those in progress that have not yet received a draft report. If a draft or final report is issued, no changes can be made. 

There was also an update to the scoring rubric for policy and procedures maturity levels. The scoring requirement changes focus on the strength criteria while maintaining the coverage criteria.  This revised scoring rubric for policy and procedures goes into effect immediately but will only affect assessments not started and those in progress that have not yet received a draft report. If a draft or final report is issued, no changes can be made. 

In addition, HITRUST will begin issuing two versions of the CSF Certification Letter for Validated Assessments that meet certification requirements. In the past, HITRUST only issued one certification letter which included an organization’s overview and scope information and the assessment context, but effective immediately a second version of the letter will be issued which will not contain any scope information. The purpose of this additional letter is to give organizations the flexibility to provide the correct level of detail they wish to share externally regarding their environment. 

CAP Identification Changes 

The HITRUST Assurance Change Advisory (HAA 2021-003) dictates there will no longer be Corrective Action Plans (CAPs) for gaps that exist at the policy and procedure maturity levels if the implemented maturity for that requirement scores 100%. Note that if the implemented maturity scores less than 100% and there is a gap at the policy and procedure maturity levels, a CAP will be created for those policies and procedures. CAPs will continue to be generated for gaps at the implemented, measured, and managed maturity levels.  

MyCSF will automatically apply the change to any assessment (readiness or validated) not started and those in progress that have not yet received a draft report.  If a draft report (readiness or validated) has been issued, the assigned HITRUST QA analyst will manually apply the change to the assessment and will post a revised draft report to MyCSF.   

For an assessment with a reissued validated assessment final report, the interim assessment will be generated based on the newly cloned validated assessment with no CAPs for the policy and procedure maturity levels.  If the interim assessment for a reissued validated assessment final report has already been submitted or completed, no changes will be applied to the interim assessment. HITRUST will just link the existing interim assessment to the cloned validated assessment. 

MyCSF Enhancements  

The HITRUST Assurance Change Advisory (HAA 2021-004) will update the MyCSF platform to provide organizations with the ability to optionally remove measured and managed maturity levels from their assessments if they do not plan on scoring them. The optional removal of these maturity levels from the assessment should help prevent accidental scoring and streamline data entry into MyCSF.  

To simplify the evidence attachment process for the measured maturity level, HITRUST will update the MyCSF platform to remove the option for the organization to have to choose whether the evidence is related to an “operational” or “independent” measure. The organization will only need to select that the evidence applies to the measured maturity level. It is still expected that the external assessor will document within the testing results whether the measure was scored as “operational” or “independent”.  

HITRUST is adding additional scoping factor edit checks within the MyCSF platform. This is to help avoid inconsistent responses to some factors and help improve HITRUST QA processing time. The scoping factor questions affected are as follows: 

  • Is the system(s) accessible from the Internet? – If “yes”, then the subsequent below will automatically be answered as “yes” 
  • Does the system allow users to access the scoped environment from an external network that is not controlled by the organization? – If “yes”, then the question above will automatically be answered as “yes” 
  • Is any aspect of the scoped environment hosted on the cloud? – If “yes”, then both questions above will automatically be answered as “yes” 

How A-LIGN Can Help 

A-LIGN’s HITRUST experts hold complimentary workshops to educate organizations on the advisories change and perform a readiness assessment to further analyze the impact on current assessments.  Prior planning will be required before any validated assessment to adjust project plans and submission timelines accordingly.  

A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN uniquely delivers a single-provider approach as a licensed SOC 1 and SOC 2 Assessor, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HISTRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, and Qualified Security Assessor Company. 

For more information regarding HITRUST Certification contact us at [email protected] or call 1-888-702-5446.