HITRUST provides reports for each of the following assessments (example HITRUST reports are available at MyCSF Help):
- HITRUST Essentials, 1-year (e1) Readiness Assessment
- HITRUST Essentials, 1-year (e1) Validated Assessment
- HITRUST Implemented, 1-year (i1) Readiness Assessment
- HITRUST Implemented, 1-year (i1) Validated Assessment
- HITRUST Risk-based, 2-year (r2) Readiness Assessment
- HITRUST Risk-based, 2-year (r2) Validated Assessment
15.1.1 For HITRUST Essentials, 1-year (e1) Validated, HITRUST Implemented, 1-year (i1) Validated and HITRUST Risk-based, 2-year (r2) Validated Assessments, the average requirement statement score in each domain must meet the threshold required to attain a certification.
15.1.2 The e1 and i1 require the core e1 and i1 requirement statements in each domain to average at least 83, while the r2 requires each domain to average at least 62 to achieve certification. Note that in the r2 assessment, the domain scores considered for certification include all requirement statements in the assessment. The e1 and i1 take into consideration only the core requirement statements for certification (i.e., excluding requirement statements added for a combined assessment). For scoring examples, see Appendix A-15: Certification Threshold Scoring Examples.
Upon achieving the required score, the corresponding Certification Report (HITRUST Essentials 1-year (e1) Certification Report, HITRUST Implemented 1-year (i1) Certification Report or HITRUST Risk-based, 2-year (r2) Certification Report) and copies of the certification letter are issued. The copies of the certification letter include one copy with the certification letter and scope of the assessment and one copy with only the certification letter. This is intended to allow Assessed Entities to share only the necessary details of the certification with their relying parties.
15.1.3 For assessments that do not meet the required certification average score threshold, a HITRUST Essentials, 1-year (e1) Validated Assessment Report, HITRUST Implemented, 1-year (i1) Validated Assessment Report or HITRUST Risk-based, 2-year (r2) Validated Assessment Report is issued, respectively. HITRUST refers to these non-certified reports as “validated-only” reports, and each report will state that certification thresholds were not met.
15.1.4 The HITRUST Essentials, 1-year (e1) Certification Report and HITRUST Implemented, 1-year (i1) Certification Report are valid for 12 months if there are no significant changes or security events related to the in-scope environment.
15.1.5 The HITRUST Risk-based, 2-year (r2) Certification Report is valid for 24 months, with a requirement to complete an interim assessment at the 12-month anniversary (see Chapter 15.4 Interim Assessment), and if there are no significant changes (see Chapter 15.6 Significant Changes) or security events (see Chapter 15.3 Security Events & Fraud) related to the in-scope environment.
NIST Certification
HITRUST offers two separate NIST Cybersecurity Framework (CSF) certifications depending on the HITRUST CSF version used for the underlying r2 assessment:
- For r2 validated assessments created using HITRUST CSF version 11.3.2 or earlier, a complimentary report based upon NIST CSF v1.1 will be provided with each completed HITRUST r2 assessment. Complimentary NIST CSF v1.1 reports are not available for HITRUST CSF versions 11.4.0 or later.
- For r2 validated assessments created using HITRUST CSF version 11.4.0 or later, a NIST CSF v2.0 report is available as an optional purchased add-on. To obtain the NIST CSF v2.0 report, an Assessed Entity must select the corresponding compliance factor, NIST Cybersecurity Framework 2.0, within the “Factors” webform (see Chapter 6.7 Factors).
HITRUST certification of the Organization’s NIST Cybersecurity Framework implementation is based on the NIST Cybersecurity Framework (either NIST Cybersecurity Framework v1.1 or v2.0) and presented via HITRUST’s NIST Cybersecurity Framework Scorecard. The Scorecard reflects the aggregated scores for the underlying HITRUST CSF controls as they are mapped by HITRUST to the NIST Cybersecurity Framework Core Subcategories.
15.1.6 A NIST Cybersecurity Framework Certification Report (v1.1 or v2.0) is issued if the average score of the NIST-mapped HITRUST CSF requirements is 70 or higher on each Core Function and Category.
15.1.7 A NIST Cybersecurity Framework validated-only (i.e., non-certified) report is issued if the average score of the NIST-mapped HITRUST CSF requirements does not achieve a score of 70 on one or more Core Functions and Categories, or if the underlying r2 certification was not achieved.
15.1.8 The NIST Cybersecurity Framework Report is not available with a HITRUST Essentials, 1-year (e1) Validated Assessment or HITRUST Implemented, 1-year (i1) Validated Assessment.
HITRUST AI Security Assessment with Certification (ai1 or ai2)
HITRUST offers a HITRUST AI Security Assessment, ai1 (when combined with an e1 or i1 assessment) and ai2 (when combined with an r2 assessment), which is designed to deliver an AI security assessment and accompanying certification for deployed AI systems. This certification is available for organizations performing an e1, i1 or r2 assessment using version 11.4.0 and later of the HITRUST CSF who select the “Cybersecurity for AI Systems” Compliance factor (see Chapter 6.7 Factors). For additional details on certification eligibility, see A-19: AI Security Certification Eligibility.
Upon selecting the factor and answering the factor tailoring questions, the corresponding assessment will include the necessary HITRUST requirement statements to support the ai1 or ai2 certification.
15.1.9 The ai1 or ai2 certification is awarded if the average control maturity scores of all AI security requirement statements tailored into the assessment through the “Cybersecurity for AI Systems” compliance factor achieve a minimum of 83 in ai1 assessments or 62 in ai2 assessments.
15.1.10 The ai1 or ai2 certification is dependent on achievement of the underlying HITRUST e1, i1 or r2 certification. This is due to the need to consider the security of the supporting technology layers used to deliver the AI functionality (e.g., the application leveraging the AI model, the cloud services used to deliver that application, the data center that those cloud services reside in).
NOTE: The underlying HITRUST e1, i1 or r2 certification can be achieved regardless of whether the necessary scores for the ai1 or ai2 certification have been achieved. See below for diagram depicting the possible outcomes.
Upon achieving criterion 15.1.9 and 15.1.10, the corresponding ai1 or ai2 report and copies of the certification letter are issued. These will be issued in addition to the deliverables for the underlying HITRUST e1, i1 or r2 certification. HITRUST ai1 or ai2 assessments which do not meet the required certification criteria will receive a non-certified “validated-only” report stating that certification thresholds were not met.
Assessed Entities who maintain an existing HITRUST e1, i1 or r2 certification and were unable to perform an ai1 or ai2 assessment may still be able to achieve an ai1 certification without completing a new e1, i1 or r2 validated assessment. For an example approach, see A-18: Example Add-on Certification Approach for Existing HITRUST Certifications.
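The threshold rules in 15.1.2 and in 15.1.9 and 15.1.10 can be checked mechanically before the QA phase. The following is an added illustration, not HITRUST's own scoring code or MyCSF logic; the domain names and scores are constructed, and it assumes that statements tailored in by the AI factor are excluded from the underlying domain averages (only the NOTE above suggests this; Appendix A-15 is authoritative).

```python
from dataclasses import dataclass
from statistics import mean

# Thresholds from 15.1.2 and 15.1.9: e1/i1 (and ai1) need 83, r2 (and ai2) need 62.
THRESHOLD = {"e1": 83, "i1": 83, "r2": 62}
AI_LABEL = {"e1": "ai1", "i1": "ai1", "r2": "ai2"}

@dataclass
class Requirement:
    domain: str
    score: float
    core: bool = True   # False: added for a combined assessment (ignored by e1/i1)
    ai: bool = False    # True: tailored in by the "Cybersecurity for AI Systems" factor

def domain_averages(reqs, assessment):
    """Per-domain average of the statements counted for the underlying certification.
    r2 counts every statement; e1/i1 count only core statements.
    Leaving AI-factor statements out of the underlying average is an assumption."""
    per_domain = {}
    for r in reqs:
        if r.ai or (assessment != "r2" and not r.core):
            continue
        per_domain.setdefault(r.domain, []).append(r.score)
    return {d: round(mean(s), 2) for d, s in per_domain.items()}

def underlying_certified(reqs, assessment):
    t = THRESHOLD[assessment]
    return all(avg >= t for avg in domain_averages(reqs, assessment).values())

def ai_certified(reqs, assessment):
    """15.1.9: average of all AI statements meets the threshold; 15.1.10: underlying cert required."""
    ai_scores = [r.score for r in reqs if r.ai]
    return (bool(ai_scores)
            and mean(ai_scores) >= THRESHOLD[assessment]
            and underlying_certified(reqs, assessment))

def outcome(reqs, assessment):
    """Return the pair of reports that would issue: underlying (15.1.2/15.1.3) and AI."""
    base = (f"{assessment} Certification Report" if underlying_certified(reqs, assessment)
            else f"{assessment} Validated Assessment Report (validated-only)")
    ai = AI_LABEL[assessment]
    ai_report = (f"{ai} Certification Report" if ai_certified(reqs, assessment)
                 else f"{ai} validated-only report")
    return base, ai_report

# Constructed sample: two domains, one combined-assessment add-on, two AI-factor statements.
SAMPLE = [
    Requirement("Domain A", 100),
    Requirement("Domain A", 75),
    Requirement("Domain A", 50, core=False),   # counted by r2 only
    Requirement("Domain B", 83),
    Requirement("Domain B", 100),
    Requirement("Domain B", 90, ai=True),
    Requirement("Domain B", 70, ai=True),      # AI average 80: short of ai1's 83, above ai2's 62
]
```

Run as an i1 the sample certifies on the underlying assessment but not on ai1, which is exactly the NOTE's case; run as an r2 the add-on statement counts and both r2 and ai2 certify.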
Insights Reports
A separate Insights Report may be provided with HITRUST e1, i1, or r2 validated assessments which include Compliance factors eligible for Insights Reporting. The Insights Reports provide easy-to-understand and reliable compliance reporting over the authoritative sources assessed. These reports include the precise HITRUST control mapping against the specific authoritative source, communicate coverage and compliance with the authoritative source, and identify the requirement statements for which a control observation was identified. Note that the availability of Insights Reports depends on the CSF version used in the assessment.
For additional information on the current available Insights Reports, Assessed Entities may contact their CSM or HITRUST Support (support@hitrustalliance.net).
HITRUST Reporting Process
When the QA process is complete, the draft reports are built, reviewed, and posted by HITRUST.
15.1.11 The Assessed Entity has 30 days to review the draft reports.
15.1.12 Changes to scope, factors, and scoring may not be requested via draft report revisions. Additionally, new evidence may not be introduced during the reporting phases.
15.1.13 After the Assessed Entity has reviewed the draft reports, they may either:
- Approve the Draft Reports: If the Assessed Entity does not request revisions to the draft reports, it can approve the draft reports by selecting the “Approve HITRUST CSF Draft Report” button within the HITRUST CSF Reports section of the assessment.
- Request Revisions: If the Assessed Entity would like to request revisions to the draft reports, it may do so by selecting the “Request Revision” button within the HITRUST CSF Reports section of the assessment. This initiates a webform that allows the Assessed Entity to prepare each revision request individually.
15.1.14 If the Assessed Entity does not approve the draft reports or request revisions within 30 days, the draft reports are automatically approved by MyCSF.
Upon approval from the Assessed Entity, HITRUST will prepare and post the final reports, and the Assessed Entity and External Assessor will be notified that the final reports are available. Additionally, the HITRUST marketing team will send a press kit to the Assessed Entity.