HITRUST built the CSF to address a comprehensive series of threats, which results in a common set of information protection requirements for Assessed Entities. For r2 assessments, HITRUST addresses differences between organizations by tailoring the requirement statements in an Assessed Entity’s assessment based on a set of organizational, system, and regulatory risk factors (see Chapter 6 Pre-Assessment). HITRUST expects each Assessed Entity to implement the corresponding requirement statements in its organization to address each of the HITRUST-identified threats. If an Assessed Entity cannot implement a specified requirement statement (regardless of assessment type), one or more compensating controls must be selected to address the risks posed by the threats that the originally specified requirement statement was meant to address. HITRUST refers to compensating controls that have been submitted to and approved by the HITRUST Alternate Controls Committee as ‘alternate controls.’

8.2.1. For those Assessed Entities that would like HITRUST to consider a separate control to be performed in lieu of a requirement statement, the Assessed Entity must first submit the requirement statement(s) and corresponding compensating control(s) to HITRUST Support (support@hitrustalliance.net). For consideration within a validated assessment, the compensating control(s) and all supporting documentation must be submitted at least 30 days prior to the start of fieldwork for the corresponding HITRUST validated assessment.

8.2.2. The submission must include a corresponding risk analysis, which will be used to justify an exception to one or more requirement statements applicable to the Assessed Entity. The Assessed Entity must demonstrate the validity of an alternative control by producing a risk analysis that shows the compensating control addresses a similar type and level of risk as the original requirement statement. For additional details on the necessary components of the risk analysis, see HITRUST Risk Management Handbook Appendix, A-1 Alternate Controls.

8.2.3. In addition, the compensating control(s) must be something other than what may be required by other, existing requirement statements because all requirement statements specified in an assessment must be implemented to provide a minimally acceptable level of residual risk.

8.2.4. The HITRUST Alternate Controls Committee will review the submitted content and determine whether to accept the compensating control(s) as alternate control(s). If approved, HITRUST will provide the process for documenting, scoring, and validating the alternate control(s) in the validated assessment.