6.3.1 For r2 assessments, the Assessment Options webform in MyCSF must be completed by the Assessed Entity. For i1 or e1 assessments, the Assessment Options page in MyCSF can be completed by either the Assessed Entity or the External Assessor.

6.3.2 The Assessed Entity may select the assessment type preset to indicate the type of assessment that will be performed. Alternatively, the Assessed Entity may answer the questions listed in the MyCSF Assessment Options webform to determine the assessment type.

6.3.3 The Assessed Entity must select the CSF version to be used during the assessment (when there is more than one version available for creation). For additional information on the current version of the CSF, see HITRUST CSF Framework.

6.3.4 For r2 assessments, the Assessed Entity must select whether the Measured and Managed PRISMA maturity levels will be scored in the assessment. Assessed Entities can achieve certification without scoring the Measured and Managed maturity levels. For additional information on these maturity levels, see Chapters 9.4 Measured Maturity Level and 9.5 Managed Maturity Level.

6.3.5 For r2 assessments, the Assessed Entity must select whether to include all CSF security controls in the assessment or only those required for certification, and whether to include Privacy controls in the assessment.