No. Consideration Answer at-a-glance
Assessment tailoring
1 Is HITRUST requiring that this AI certification be added to my HITRUST e1, i1, or r2 assessment if my in-scope IT platforms use AI? No, the AI cybersecurity assessment is an optional add-on that HITRUST strongly recommends but doesn’t require adding to a HITRUST e1, i1, or r2 assessment when AI is leveraged within the scope of the HITRUST assessment.
2 Is this yet another stand-alone assessment? No, the AI cybersecurity assessment is an optional add-on to a HITRUST e1, i1, or r2 assessment.
3 What types of assessments qualify? Validated e1, i1, and r2 assessments using CSF v11.4.0 and later that are tailored to include the Cybersecurity for Deployed AI Systems regulatory factor.
4 Any new assessment tailoring questions for AI? Yes. Just 3 short questions, which will only be asked if the assessment is tailored to include the Cybersecurity for Deployed AI Systems regulatory factor.
5 How many requirements? No more than 44 added HITRUST CSF requirements.
Assessment scoping
6 Any changes to assessment scoping for AI? Yes. Only deployed IT platforms leveraging an AI model can achieve this certification, and the scope description will capture a tiny bit of info about AI model(s) in use.
7 Which AI system layers must be assessed? Basically it’s the added IT components unique to AI (e.g., the model, the AI platform, and any specialized AI compute infrastructure in use) in addition to the overall IT platform components normally scoped into a HITRUST assessment.
Assessment performance
8 Any guidance for external assessors performing AI security assessments? Yes, thanks to the efforts of the 2024 HITRUST External Assessor AI Working Group.
9 Will any of these AI security requirements be inheritable from AI platform providers? Yes, inheritability is supported. In many AI deployments the AI platform provider and/or model creator are either partially or fully responsible for performing many AI security controls.
10 Do all assessment domains have AI-focused requirements? No, by design. Some assessment domains, such as wireless networking, don’t have AI specificities.
11 Which control maturity levels need to be tested for the AI security requirements? Mirrors the underlying HITRUST CSF assessment. Meaning:
  • If the AI cybersecurity requirements are added to an e1 or i1 assessment, the implemented control maturity level is considered.
  • When added to an r2 assessment, up to 5 control maturity levels (policy, process, implemented, measured and managed) may be considered (dependent on assessment tailoring).
12 Can I carve out an AI platform provider and/or AI model creator? It depends on your HITRUST CSF assessment type (e1, i1, or r2). e1 and i1 assessments do allow carve-outs, and r2 assessments do not.
Assessment outcomes
13 What’s it take to achieve the certification? Very similar to what is currently in use for HITRUST e1, i1, and r2 assessments.
14 Will there be any changes to the e1, i1, or r2 assessment workflows in MyCSF to accommodate this new certification? No. None needed.
15 How will CAPs and gaps be determined? Also very similar to what is currently in use for HITRUST e1, i1, and r2 assessments.
HITRUST’s QA review of the assessment
16 Will HITRUST perform quality assurance (QA) reviews of these assessments before issuing the AI cybersecurity certification? Yes. In addition to the QA review procedures we do now on all validated HITRUST CSF assessments, we will perform QA reviews of:
  • A sample of the added AI cybersecurity requirements.
  • A sample of the added AI cybersecurity requirements with non-zero scores at the measured and/or managed control maturity levels.
  • All added AI cybersecurity requirements deemed not applicable by the assessed entity.
17 If the e1, i1, or r2 assessment that the AI cybersecurity certification is attached to does not achieve certification (either because it failed HITRUST’s QA review or because it did not achieve control maturity scores needed to certify), will HITRUST still issue the AI cybersecurity certification? No. This aligns with our viewpoint that reliable AI cybersecurity assurances cannot be achieved without accompanying cybersecurity assurances over the foundational IT systems enabling the delivery of AI capabilities.
18 What happens if the AI cybersecurity assessment fails HITRUST’s QA review? Failing HITRUST’s QA review is pretty rare, but we’ve planned for this should it occur.
Impact on i1 rapid recertification
19 If these AI security requirements are added onto a new i1 assessment, is the year 2 i1 assessment still eligible for rapid recertification? Yes. In this scenario:
  • The first year i1 assessment would consist of all 182 core i1 requirements and all of the AI security requirements.
  • The second year i1 assessment would consist of a sample of the core 182 i1 requirements and (because there are fewer than 60) all of the AI security requirements.
20 Can I add these AI security requirements into an i1 assessment that is being performed under the rapid recertification approach? Yes. In this scenario, the i1 assessment would consist of a sample of the core 182 i1 requirements and (because there are fewer than 60) all of the AI security requirements.
Impact on r2 interim assessments
21 How does adding the AI security requirements into an r2 assessment impact the r2 interim assessment? 10% of the AI security requirements present in the r2 assessment are sampled and added to the r2 interim assessment, alongside the 19 HITRUST CSF requirements sampled from the core.
22 How does adding the AI security requirements into an r2 assessment impact the interim letter provided by HITRUST upon successful completion of the r2 interim assessment? In this case, HITRUST will issue 2 interim letters: One for the AI certification and another for the r2 certification.
Impact on r2 bridge assessments
23 If these AI security requirements are added onto an r2 assessment, is that r2 assessment still eligible for a bridge assessment? Yes. In this case 10% of the AI security requirements present in the r2 assessment are sampled and added to the bridge assessment, alongside the 19 HITRUST CSF requirements sampled from the core.
Impact of significant changes
24 What happens to an organization’s AI security certification if significant changes are made to the certified AI system? When an Assessed Entity has identified a significant change to the AI system that may impact its current certification, it must notify HITRUST to determine the steps that can be taken to maintain its certification.