For an entity to maintain its r2 certification, an interim assessment must be completed and submitted to HITRUST in the 90-day window leading up to the one-year anniversary of the certification issuance date.

For annual MyCSF subscribers, the interim assessment is automatically generated by MyCSF 90 days prior to the required submission date. Assessed Entities with an annual MyCSF subscription can manually generate the interim assessment object 120 days prior to the required submission date.

Non-subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date and will need to contact HITRUST Support (support@hitrustalliance.net) to generate the interim assessment and obtain access. NOTE: The access will only last for 60 days.

The assessment will consist of one randomly selected requirement statement from each of the assessment domains plus all requirement statements that resulted in required CAPs.

HITRUST determines whether the Assessed Entity has met the criteria to retain its certification, which includes:

  • No degradation of the control posture within the certified environment (i.e., no lowering of maturity scores within the sampled requirement statements)
  • Sufficient progress on the CAPs documented during the validated assessment

HITRUST’s interim assessment guidelines and expectations to determine whether the criteria have been met include the following:

15.4.1 The External Assessor must inquire with management of the Assessed Entity whether any significant changes occurred since the certification effective date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies that may impact the Assessed Entity’s ability to meet the certification criteria.

15.4.2 Where a significant change has occurred, the External Assessor and/or Assessed Entity must consult with HITRUST to determine its impact and the testing requirements for the impacted requirement statements. HITRUST will provide direction on the steps necessary to address the change within the interim assessment. For additional details on significant changes, see Chapter 15.6 Significant Changes.

15.4.3 The External Assessor must inquire with management of the Assessed Entity whether any security events have occurred within the scoped and assessed environment that required reporting to a federal or state agency by law or regulation since the certification effective date. If a security event has occurred, the Assessed Entity must follow the process outlined in Chapter 15.3 Security Events & Fraud before HITRUST will issue the interim report.

15.4.4 The External Assessor must perform full testing/validation procedures for all selected requirement statements, working with the Assessed Entity to re-score the randomly selected requirement statements in MyCSF. These validation procedures must be documented in the MyCSF tool in the Assessed Entity’s interim assessment.

15.4.5 When scores have been lowered for the selected requirement statements in the interim (from the validated assessment scores), the External Assessor must determine if the scoring change reflects a degradation in the control environment. The External Assessor may expand its validation procedures to reach a conclusion on the control environment.

15.4.6 Based on the results of all tests performed during the interim assessment, the External Assessor must indicate if they are aware of any reason to revoke the Assessed Entity’s certification prior to the two-year certification anniversary. If the External Assessor has concerns around continuing the Assessed Entity’s certification, they must contact HITRUST Support (support@hitrustalliance.net) to discuss next steps.

15.4.7 The External Assessor must request the Assessed Entity to update the status of required CAPs in MyCSF to reflect the current state of each CAP.

15.4.8 The External Assessor must review the status and progress of CAPs that were included in the initial assessment and conclude whether the entity is making sufficient progress on the CAPs. For purposes of CAP progress, barring extenuating circumstances, 50% or more of required CAPs must be started and/or complete.

15.4.9 The interim assessment must be submitted to HITRUST by the External Assessor. Upon acceptance of the assessment, HITRUST will perform a Quality Assurance review of the submitted assessment. The QA review includes HITRUST review of a random selection of requirement statements. The QA review will be performed using the scoring rubric that was used during the corresponding validated assessment.

15.4.10 In the event of questions from HITRUST during QA, tasks will be opened for the External Assessor to address, similar to the QA process outlined in Chapter 14.2 QA Tasks.

15.4.11 If, at the conclusion of QA review, HITRUST concludes that the Assessed Entity should retain its certification, HITRUST will issue a letter to the Assessed Entity that indicates its certification is still valid. If HITRUST concludes that the Assessed Entity no longer meets the requirements, a letter will be sent to the Assessed Entity asking it to remove any references to its HITRUST certification from its literature and website.

Interim Assessment Testing

As mentioned above, the External Assessor is expected to fully test the randomly selected requirement statements that did not result in required CAPs, as they were tested in the supported validated assessment. The following additional expectations and guidelines apply for interim testing:

15.4.12 The External Assessor must use full sampling where sampling is required. Please note that all External Assessor fieldwork expectations for validated assessments related to timing of validation procedures, performance of validation procedures, and creation of working papers apply to interim assessments (although a Test Plan is not required for the interim assessment).

15.4.13 The External Assessor must assess the nature of any changes to policies and procedures for the selected requirement statements to determine whether they continue to fully address all elements within the corresponding requirement statement. Minor changes that are editorial in nature will not impact scoring during the interim assessment.

CAP Review and Progress

As mentioned above, the Assessed Entity is expected to have made sufficient progress at interim on the CAPs noted in its HITRUST validated report. The following expectations and guidelines for External Assessors apply for interim CAP testing:

15.4.14 All testing of HITRUST requirement statements in support of CAP remediation must follow the HITRUST testing expectations in Chapter 11 Testing & Evidence Requirements.

15.4.15 Requirement statements in the interim assessment that must be reviewed are those with the compliance state “CAP Required”. Testing must be performed on all CAPs that are in any state other than NOT STARTED.

15.4.16 CAPs that indicate a STARTED status but are not yet COMPLETE should have testing performed that shows the progress towards remediation that has been made. If appropriate, scoring should be updated to reflect the corresponding progress. The testing performed must validate the documented progress toward remediation.

15.4.17 Project planning activities are not evidence of progress toward remediation, so items like creating a project plan or work tickets are not considered progress toward remediation. Verifiable artifacts that may be used as evidence include, but are not limited to, meeting minutes, email and text communications regarding the remediation approach, draft versions of documents, and configuration changes with corresponding change management documentation.

15.4.18 Scoring of a requirement statement that has a linked CAP with a status of COMPLETE is expected to be 100/100/100 for the Policy, Procedure and Implemented maturity levels, respectively. The only exception to this is where risk has been accepted by the Assessed Entity. Risk may be accepted when a requirement statement scores 62 or greater. Assessed Entities have the option to remediate to this level and accept the remainder of the risk. If the risk is accepted to complete a CAP, management must include its risk analysis and rationale that supports its decision.

15.4.19 A remediated CAP must also follow the 90-day incubation period requirements (see criteria 11.2.8 in Chapter 11.2 Testing Requirements).

15.4.20 Testing is performed by the External Assessor to confirm remediation of a CAP. This testing is not required to include those maturity levels and/or evaluative elements that were fully tested during the validated assessment and resulted in a fully compliant score. The External Assessor may rely on the validated assessment scoring results when determining the final score of the requirement statement.

15.4.21 If an Assessed Entity has not demonstrated sufficient progress towards addressing its CAPs, HITRUST may delay providing the interim report or suspend or revoke the Assessed Entity’s certification. HITRUST takes into consideration the number of CAPs, complexity, and length of time since the Assessed Entity entered its CAPs to determine sufficient progress.