Background on HITRUST CSF e1, i1, and r2 certification scoring thresholds:

For HITRUST e1, i1, and r2 validated assessments, the scoring average of each assessment domain must meet the threshold required to attain certification. The control maturity scoring threshold that must be demonstrated to achieve HITRUST CSF certification differs based on the type of HITRUST assessment performed: the i1 and e1 assessments require each assessment domain to average at least 83, while the r2 requires each domain to average at least 62.

Specific to achievement of the HITRUST AI Cybersecurity Certification:

The HITRUST AI Cybersecurity Certification scoring threshold mirrors that of the underlying HITRUST CSF assessment with which it is combined. The approach: Certification is awarded if the control maturity scores of all AI security-focused requirements tailored into the assessment through the AI Cybersecurity regulatory factor average at least 83 in e1 and i1 assessments and at least 62 in r2 assessments.

The HITRUST Cybersecurity for Deployed AI Systems Certification is dependent on achievement of the underlying HITRUST CSF e1, i1 or r2 certification, while the underlying HITRUST CSF e1, i1 or r2 certification can be achieved regardless of whether the HITRUST Cybersecurity for Deployed AI Systems Certification is achieved. The reason for this dependence: Meaningful assurances over AI security cannot be reached without also considering the cybersecurity of the supporting technology layers used to deliver the AI functionality (e.g., the application leveraging the AI model, the cloud services used to deliver that application, the data center that those cloud services reside in).

This approach has the following benefits:

  1. Minimizes introduction of new, complex business rules into the HITRUST Assurance Program. The added AI security requirements are essentially treated as a separate assessment domain for the purposes of this calculation.

  2. Is easy to explain and understand, especially for those already familiar with HITRUST certifications.

  3. Establishes a high yet achievable certification bar.

  4. Allows certification to be achieved even with some imperfection in the AI security control environment.

  5. Does not allow a strong AI security environment to “carry” a weak foundational cybersecurity environment, and vice versa.
