As HITRUST introduces new add-on certifications (e.g., ai1 or ai2), there may be Assessed Entities who already maintain the underlying e1, i1 or r2 certification and would like to obtain the HITRUST add-on certification. Since a new add-on certification may only be available for CSF versions later than the Assessed Entity’s current certification, and obtaining it would require testing additional HITRUST requirements, these situations require a customized approach. Each Assessed Entity should contact its HITRUST CSM or HITRUST support (support@hitrustalliance.net) to confirm the appropriate approach for obtaining the additional certification.
The following is an example of an approach for an Assessed Entity with a current, valid r2 certification (NOTE: the circumstances below may vary depending on the add-on certification, assessment type, timing and inheritance approach for the assessment):
1. The current r2 certification holder will create a new e1 assessment object using HITRUST CSF version 11.4.0 or later with the same scope as the certified assessment.
2. The e1 assessment object must then be tailored to include the “Cybersecurity for AI Systems” Compliance factor (see Chapter 6.7 Factors) while performing all other pre-assessment procedures (e.g., pre-assessment webforms, QA reservation, etc.).
3. During the assessment, the Assessed Entity may use internal inheritance to inherit the e1 core requirement statement scores from its prior r2 certified assessment into the e1 assessment object (see Chapter 12.2 Reliance on Assessments Using Inheritance).
4. The Assessed Entity and External Assessor must score and validate the ai1 requirements added into the e1 assessment from the “Cybersecurity for AI Systems” Compliance factor (and any other e1 core requirements which could not be inherited).
5. Any HITRUST requirements performed by a service provider which cannot be directly tested by the External Assessor should utilize external inheritance (when appropriate based on shared responsibilities).
6. If there are HITRUST requirements performed by a service provider that cannot be tested or inherited (e.g., a service provider has not completed its ai1 or ai2 certification), the requirements for that service provider may utilize carve-outs (see Chapter 7.3 Carve-outs) as long as the HITRUST AI security assessment is an ai1.
7. Upon completion of the assessment, it should follow the standard submission process for an e1 assessment (see Chapter 13, Assessment Submission Process).
8. Upon successful completion of QA, HITRUST will provide the HITRUST ai1 certification reports (see Chapter 15.1 HITRUST Reporting).
NOTE: The above approach can also be used by Assessed Entities who wish to complete an r2 assessment but need to carve out a service provider from their HITRUST AI Security Assessment. The Assessed Entity would follow step #1 after completing its r2 assessment (NOTE: the initial r2 assessment would not include selection of the “Cybersecurity for AI Systems” Compliance factor, and would not carve out any in-scope service providers).