An offering does not need to meet all aspects of a requirement statement to be mapped. Rationales are a suitable place to explain which aspects of the requirement statement the offering does and does not help with.
Rationales do not need to be long or involved. Sometimes a statement as simple as, “As an endpoint protection package we help detect and prevent malware” is all that is needed.
Rationales can be generic (i.e., they can be reused across many HITRUST CSF requirements). Generic rationales can be a more general statement about the offering.
