Organizations are required to perform an r2, i1, or e1 validated assessment to obtain a HITRUST certification. HITRUST validated assessments can be leveraged by organizations of any size or complexity and include testing performed by an authorized HITRUST External Assessor.

For an r2 validated assessment, the entity being assessed begins by completing the risk-based scoping questionnaire in the MyCSF tool. Upon completion of the scoping questionnaire, a customized set of HITRUST CSF control references and requirement statements will be generated. For an i1 or e1 validated assessment, the requirement statements are pre-defined, so the risk factor questionnaire is not available for completion.

For the r2, i1, and e1 validated assessments, the Assessed Entity, or its designee, responds to the requirement statements and determines the level of compliance for each of the five PRISMA-based maturity levels for the r2 and the Implemented maturity level for the i1 or e1 (see Chapter 9 PRISMA Maturity Levels for additional information). Once the Assessed Entity, or its designee, has determined and entered compliance scores for each PRISMA maturity level across all requirement statements, it submits the populated MyCSF object to its External Assessor for validation.

The External Assessor will validate the scores using its testing procedures, which it documents within MyCSF (see Chapter 11 Testing and Evidence Requirements for additional details). Upon completion of the External Assessor validation procedures and any necessary score adjustments, the Assessed Entity will sign the Management Representation Letter and Validated Report Agreement, and provide any necessary Corrective Action Plans (CAPs). The External Assessor will validate the CAPs (see criteria 13.9.7 in Chapter 13.9 CAPS and Gaps) and submit the assessment to HITRUST.

After the validated assessment is submitted, HITRUST will perform Quality Assurance (QA) procedures (during the Assessed Entity’s reservation block) to validate the submission. If there are questions during QA, HITRUST will coordinate directly with the Assessed Entity and/or External Assessor to address them. After successful completion of QA, the Assessed Entity will receive draft reports for its review (see Chapter 14 Undergoing Quality Assurance for additional details).

Upon successful completion of the r2 and meeting the scoring threshold for certification, Assessed Entities will receive their HITRUST certification reports along with a NIST CSF Cybersecurity Framework report. The NIST report includes a scorecard detailing the Assessed Entity’s compliance with NIST Cybersecurity Framework-related controls included in the assessment. For the i1 and e1, Assessed Entities will only receive HITRUST certification reports. For the r2, i1, or e1 assessment, if the scoring thresholds for certification have not been met, the Assessed Entity will receive a ‘validated-only’ report, which does not include a certification letter. For additional information on the HITRUST reports issued for each assessment type, see Chapter 15 Reporting & Maintaining a HITRUST Certification.