In addition to minor wording updates and clarification, the changes between version 1.0 and version 1.1 of the Assessment Handbook include the key modifications summarized in the table below.
Chapter | Modification |
---|---|
1.0 Introduction | Added link to the MyCSF Help website. |
3.2 Assessors | Added paragraph summarizing skill expectations for staffing HITRUST assessments, including expected AI skills. |
3.3 Independence Requirements | 3.3.5 and 3.3.6 – Included Internal Assessors in the independence requirements. |
4. Assessment Types | Updated the description of e1 and i1 assessments to include the newly released enhancement that allows Assessed Entities to include other authoritative sources in those assessments. Added a characteristic to the table comparing e1, i1, and r2 assessments to address the ability to obtain Insights Reports over added authoritative sources. |
4.1 Readiness Assessments | Updated the description of e1 and i1 readiness assessments to include the newly released enhancement that allows Assessed Entities to include other authoritative sources in those assessments. |
4.2 Validated Assessments | Updated the description of e1 and i1 readiness assessments to include the newly released enhancement that allows Assessed Entities to include other authoritative sources in those assessments. Included a description of Insights Reports associated with e1, i1, and r2 assessments. |
5.1 r2 Validated Assessment Workflow | Updated chapter 5.1 to describe only the r2 Validated Assessment Workflow. Included a description of the process to request Insights Reports during the Complete phase of the r2 Validated Assessment Workflow. |
5.2 e1 and i1 Validated Assessment Workflow | Added chapter 5.2 to describe the enhanced e1 and i1 Validated Assessment Workflow that allows for Compliance factors to be included in the assessment for the purpose of obtaining Insights Reports over the included authoritative sources. The e1 and i1 Validated Assessment Workflow includes the following new phases: |
5.3 r2 Readiness Assessment Workflow | Chapter 5.2 Readiness Assessment Workflow was renamed to accommodate the addition of chapter 5.2 e1 and i1 Validated Assessment Workflow described above and to address only r2 Readiness Assessments. |
5.4 e1 and i1 Readiness Assessment Workflow | Added chapter 5.4 to describe the e1 and i1 Readiness Assessment Workflow which includes a new phase, Assessment Results Review. |
5.5 Interim and Bridge Assessment Workflow | Chapter 5.3 Interim and Bridge Assessment Workflow was renamed to Chapter 5.5 Interim and Bridge Assessment Workflow. The content of this chapter is unchanged. |
5.6 Assessment Status Dashboard | Chapter 5.4 Assessment Status Dashboard was renamed to Chapter 5.6 Assessment Status Dashboard. The content of this chapter is unchanged. |
5.7 MyCSF Assessment Status Notifications | Chapter 5.5 MyCSF Assessment Status Notifications was renamed to Chapter 5.7 MyCSF Assessment Status Notifications. The content of this chapter is unchanged. |
6.2 Name & Security | Added criteria 6.2.3 to clarify that only one organization may be listed in the Name & Security Webform and corresponding HITRUST assessment report. |
6.5 Scope of the Assessment | 6.5.2 – Added expectation that the Assessed Entity includes in the description whether the platform/system incorporates an AI model. |
6.7 Factors | 6.7.1 – Removed the statement that factor questions are not available on i1 or e1 assessments. 6.7.4, 6.7.5, and 6.7.6 – Added criteria to explain the use of the factor webform in i1 and e1 assessments. |
7.1 Assessment Scoping | 7.1.1 – Added that the installation and configuration must include all primary scope components of the system (e.g., operating system, database, etc.) for the entire 90-day period. 7.1.1 – Added the definition of ‘production environment’ as a footnote. |
7.2 Required Scope Components | Added scoping considerations for the AI Security Assessment. |
7.3 Carve-outs | Added a note for organizations performing an r2 who need to carve out a service provider for their AI certification. |
8.1 Requirement Statement Background | 8.1.1 – Added “NOTE: Regardless of the illustrative procedure wording, the External Assessor must ensure testing coverage of the entire requirement statement.” Removed the statement that e1 and i1 assessments do not contain Compliance factors. |
9.4 Measured Maturity Level | 9.4.2 – Added clarification that the measure review must occur annually at a minimum. |
11.2 Testing Requirements | 11.2.9 – Added criteria to describe the treatment of the 90-day incubation period for implementation when a service provider is responsible for performing a requirement. |
11.3 Working Papers & Evidence | 11.3.11 – Clarified that sample-based evidence for the same test may be in a zip file or embedded in a spreadsheet if properly labeled to identify each sample item. Added 11.3.16 – “Regardless of the evidence collection method (e.g., manual or automated), the evidence must meet all HITRUST requirements.” |
11.4 Population & Sampling | Added additional descriptions for “item-based” and “time-based” testing and populations. 11.4.8 – Added a note describing the process if the External Assessor is unable to select an additional sample during the fieldwork period due to non-performance of the control. |
12.4 Reliance on Testing Performed by the Assessed Entity | 12.4.10 – Added criteria to clarify that Internal Assessors are not required to test all requirement statements within the assessment. 12.4.13 – Added criteria to clarify that there is no limit to the amount of testing performed by an Internal Assessor that an External Assessor may rely upon. |
13.9 CAPs and Gaps | 13.9.1 – Added clarification that only the core e1 and i1 requirement statements are included in the CAP determination for e1 and i1 assessments. Inserted 13.9.3 with the AI Security certification CAP and gap logic. |
14.1 Quality Assurance Process | In the description of the Core QA sample, explained that in e1 and i1 assessments with included Compliance factors, HITRUST reviews a Core QA sample for each factor. |
14.4 Escalated QA | Inserted 14.4.19 to describe the option if HITRUST requests the removal of a compliance factor to remediate an assessment. |
15.1 HITRUST Reporting | 15.1.2 – Updated to explain that the e1 and i1 certification determination is based only on the core e1 or i1 requirement statements. Added content around NIST 2.0 certification. Added content describing the AI Security certification. Added a description of Insights Reports in e1, i1, and r2 assessments. |
15.2 Report Re-Issuance | Added 15.2.4 to provide instructions for when an organization has a name change. |
15.3 Security Events & Fraud | Added 15.3.2 with the HITRUST definition of a security event. |
15.4 Interim Assessment | Added information in the introductory paragraphs around the interim approach for add-on certifications in an r2 assessment (e.g., ai2). Below 15.4.3, included a note specifying the External Assessor approach in an interim if a security event or significant change has been identified. 15.4.9 – Included a requirement that the interim assessment must be submitted on or within 90 days prior to the one-year anniversary of the organization’s r2 certification date. |
15.5 Rapid Assessment | Re-titled Rapid Recertification to Rapid Assessment. Updated the entire chapter to reflect the ability to perform a rapid assessment on a combined e1 or i1 assessment. 15.5.4 – 15.5.7 – Criteria in the HITRUST CSF requirements included in i1 Rapid Assessments were updated to address the treatment of requirement statements added due to any included Compliance factors. 15.5.8 – 15.5.14 – New sections, Leveraging the e1 Rapid Assessment and HITRUST CSF requirements included in e1 Rapid Assessments, containing the following new criteria have been added to address the e1 Rapid Assessment. 15.5.15 – 15.5.20 – Criteria in the Detection of Control Degradation section have been updated to include the e1 assessment. |
15.6 Significant Changes | Added a change in AI model as a potential significant change. Added 15.6.3 to reflect additional steps upon notification to HITRUST of potential significant change. Included a description and example for the treatment of changes to secondary scope components. |
15.7 Re-certification | 15.7.1 and 15.7.2 – Added validity timeframe for add-on certifications. |
15.8 Bridge Assessments | 15.8.4 – Added bridge approach when the r2 certification contains an add-on certification (e.g., ai2). |
15.9 Emerging Mitigation Process | Added new Chapter describing EMP approach and expectations. |
15.10 HITRUST Treatment of Non-compliance | 15.10.5 – Added criteria to describe the exception approval process and requirements. Re-numbered to 15.10 due to the new chapter 15.9. |
A-3: Not Applicable (N/A) Examples | Added N/A Example 19165.07e1Organizational.13. |
A-4: Never N/A Examples | Added Examples 19180.09z1Organizational.2 and 19249.06b1Organizational.2. |
A-15: Certification Threshold Scoring Examples | Included an additional example for an i1 or e1 assessment domain average score calculation. |
A-16: Sample-based Testing Examples | Added a new appendix to demonstrate the differences between ‘time-based’ and ‘item-based’ populations. |
A-17: Expected AI Expertise for External Assessors | Added a new appendix to define expected AI expertise for External Assessors. |
A-18: Example Add-on Certification Approach for Existing HITRUST Certifications | Added a new appendix to demonstrate an approach for add-on certification for existing HITRUST certifications. |
A-19: AI Security Certification Eligibility | Added a new appendix to define eligibility criteria for AI security certification. |