In order to perform a HITRUST assessment, you must be able to score your organization’s control environment against the HITRUST CSF Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments. Understanding how to use the HITRUST Maturity Model to accurately rate your controls’ compliance is critical, because HITRUST and (in the case of a Validated Assessment) your authorized CSF assessor will use it to corroborate and certify your assessment and scoring. This article explains how controls are scored in HITRUST assessments and how those scores ultimately drive the HITRUST rating that determines whether or not an organization is certified.
What is the HITRUST Common Security Framework (CSF)?
Before we talk about how scores affect an organization’s ability to achieve HITRUST certification, let’s dig into what the HITRUST Common Security Framework is. The CSF stands apart in the landscape of information security and privacy frameworks because of four key criteria:
- It’s certifiable. Unlike many other frameworks (e.g., SOC 2, HIPAA, NIST CSF), the framework is managed by a central body that issues a formal certification. The certification is good for two years, provided the organization’s information security program remains in good standing as determined by an interim assessment at the one-year mark.
- It’s comprehensive. In addition to certifying an organization against the HITRUST CSF, organizations may also evaluate their implemented systems for compliance with other frameworks (e.g., PCI, CMMC, and others). Note that including other frameworks does not result in any form of certification against them; a Report on Compliance (ROC) is not issued if PCI is added.
- It’s flexible. Through the scoping process in HITRUST’s MyCSF tool, an organization may tailor the assessment to fit its environment by considering scoping factors including the number of users, accessibility of the system, number of transactions, usage of legacy technologies, and other criteria. This process supports a right-sized assessment for the implemented system(s) being assessed.
- It’s efficient. HITRUST’s integrated approach ensures the various program components are aligned and evaluated in a unified testing approach, which reduces the overall level of effort compared with undergoing separate assessments for multiple frameworks.
How Does HITRUST Work?
Again, it is important to understand that HITRUST is a method of certifying implemented system(s) as proof of the effectiveness of an information security and compliance program.
As discussed in Understanding the HITRUST Certification Process, a maturity-based scoring method is used to evaluate the organization’s information security program operation. The maturity model is built on the idea that there are multiple factors that determine the overall score for performance against a certain requirement within the CSF.
For example, completeness of coverage is considered, as well as how effectively the control is implemented. If a given control is implemented in 75% of the environment with 100% effectiveness, partial credit is still given. This is an improvement over frameworks that use an all-or-nothing approach. Through the assessment process, the client and the assessor collaborate to reach agreement on the score for each requirement.
What is The HITRUST CSF Maturity Model?
According to the Risk Analysis Guide for HITRUST Organizations and Assessors, the HITRUST CSF expands on the traditional concepts of design effectiveness and operational effectiveness. HITRUST takes an approach based roughly on concepts derived from the Carnegie Mellon Software Engineering Institute’s (CM-SEI) Capability Maturity Model Integrated (CMMI) process improvement model. By starting from a well-understood baseline for maturity-based scoring, assessors evaluate the maturity of a control’s implementation on a quantitative scale.
Changes to the HITRUST Assessment Portfolio
It’s important to note that in 2021, HITRUST announced changes to its assessment and certification portfolio. What we have come to know as the “HITRUST Validated Assessment” is now known as the “HITRUST r2 Validated Assessment with Certification”. In addition, HITRUST began offering the “HITRUST i1 Validated Assessment with Certification”. If you’ve not already done so, you should study the differences between these two assessments by reading What is HITRUST on our website. The scoring process differs between the two assessments, and I detail the differences in the sections below.
Maturity Levels In the i1 vs. r2 Assessments
The HITRUST Maturity Model requires that each control be assessed in five different areas: Policies, Processes/Procedures, Implemented, Measured, and Managed. While the r2 validated assessment uses up to five levels of maturity to determine the score for a given requirement, the i1 validated assessment uses only the “Implemented” score. This does not mean that other factors such as policies and process documentation are not considered; it means they are not scored separately from the implementation of the required elements.
How Many Maturity Levels are Defined by the HITRUST CSF?
The HITRUST Maturity Model requires that each control be assessed in five different areas: Policies, Process/Procedures, Implemented, Measured, and Managed. The following is how HITRUST briefly summarizes the five areas and the generic criteria that can be used to evaluate compliance at each level:
Level: Policy (weight: 15%)
- Evaluation Criteria:
  - Do formal, up-to-date policies or standards exist that contain “shall” or “will” statements for each element of the requirement statement?
  - Do the policies and standards that exist for each element of the requirement statement cover all major facilities and operations for the organization and/or systems/assets in scope for the assessment?
  - Are the policies and standards that exist for each element of the requirement statement approved by management and communicated to the workforce?
Level: Procedures (weight: 20%)
- Evaluation Criteria:
  - Do formal, up-to-date, documented procedures exist for the implementation of each element of the requirement statement?
  - Do the procedures clarify where the procedure is to be performed, how it is to be performed, when it is to be performed, who is to perform it, and on what it is to be performed?
  - Do the procedures address each element of the requirement statement across all applicable facilities, operations, and/or systems/assets in scope?
  - Are procedures for the implementation of each element of the requirement statement communicated to the individuals who are required to follow them?
Level: Implemented (weight: 40%)
- Evaluation Criteria:
  - Is each element of the requirement statement implemented in a consistent manner everywhere that the policy and procedure apply?
  - Are ad hoc approaches that tend to be applied on an individual or case-by-case basis discouraged?
Level: Measured (weight: 10%)
- Evaluation Criteria:
  - Are self-assessments, audits, and/or tests routinely performed and/or metrics collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirement statement?
  - Are evaluation requirements, including requirements regarding the type and frequency of self-assessments, audits, tests, and/or metrics collection, documented, approved, and effectively implemented?
  - Do the frequency and rigor with which each element of the requirement statement is evaluated depend on the risks posed if the implementation is not operating effectively?
Level: Managed (weight: 15%)
- Evaluation Criteria:
  - Are effective corrective actions taken to address identified weaknesses in the elements of the requirement statement, including those identified as a result of potential or actual information security incidents or through information security alerts?
  - Do decisions around corrective actions consider cost, risk, and mission impact?
  - Are threats affecting the requirements periodically re-evaluated and the requirements adapted as needed?
As you review the HITRUST CSF Maturity Model, you will note that each level builds on the previous one in a cycle of continuous improvement. This cyclical process is at the core of a successful information security management system.
What are the Possible Scores for Controls?
The following briefly describes the maturity ratings you can assign to a control at each level of the maturity model.
- Maturity Level: Non-Compliant
- Description: Very few, if any, elements exist for the level being evaluated.
- Score: 0%
- Maturity Level: Somewhat Compliant
- Description: Less than half of the elements exist for the level being evaluated.
- Score: 25%
- Maturity Level: Partially Compliant
- Description: Approximately half of the elements exist for the level being evaluated.
- Score: 50%
- Maturity Level: Mostly Compliant
- Description: Many of the elements exist for the level being evaluated.
- Score: 75%
- Maturity Level: Fully Compliant
- Description: Most, if not all, of the elements exist for the level being evaluated.
- Score: 100%
Whether performing a Self-Assessment or a Validated Assessment, you will be required to assign a maturity rating in the MyCSF tool for each control at each of the five levels of the HITRUST CSF Maturity Model (i.e., Policy, Procedure, Implemented, Measured, and Managed).
Again, for the i1 validated assessment the rating scale is the same; only the Implemented score is considered.
How are HITRUST Control Scores Calculated?
Now that you know the ratings that can be given at each maturity level for each control, you are probably wondering how the control scores are calculated. While the MyCSF tool generates the scores for you, it is important to understand how the calculation works. Quite simply, the score for each control is the sum, over all maturity model levels, of each level’s weight multiplied by its maturity rating.
r2 Validated Assessment Scoring
This example is specific to the r2 validated assessment. Let’s use the following scenario to walk through the calculation. Assume that an organization had documented policies and procedures related to a control (or the set of controls within a domain) and that the controls were mostly implemented during the period of the assessment. Additionally, assume that none of the controls were considered managed; however, the organization measured some (less than half) of the control(s).
Level: Policy
- Weight: 15%
- Maturity Level: Fully Compliant
- Score: 100%
- Product: 15 x 1.0 = 15
Level: Procedures
- Weight: 20%
- Maturity Level: Fully Compliant
- Score: 100%
- Product: 20 x 1.0 = 20
Level: Implemented
- Weight: 40%
- Maturity Level: Fully Compliant
- Score: 100%
- Product: 40 x 1.0 = 40
Level: Measured
- Weight: 10%
- Maturity Level: Somewhat Compliant
- Score: 25%
- Product: 10 x 0.25 = 2.5
Level: Managed
- Weight: 15%
- Maturity Level: Non-Compliant
- Score: 0%
- Product: 15 x 0.0 = 0
Total Score: 77.5
As shown in the example above, summing the product of the weight and score for each level gives a total score of 77.5 for this scenario.
It is important to understand that 75 percent of your overall score comes from the Policy, Procedure, and Implemented levels. The scoring is structured this way because the most important thing is that controls are documented in a policy and procedure, so people know what to do, and that they are fully implemented (meaning they can be tested to prove effectiveness). The Measured and Managed levels are aimed more at mature organizations that have systems in place to measure the performance of a control.
The point of emphasis here is that the focus needs to be placed on the Policy, Procedure, and Implementation areas. If you can show that your policies and procedures are documented and that the controls are implemented in a way that meets the requirements, those controls will be compliant. A certain percentage of controls may need Measured and Managed activities in place to achieve certification, but addressing the Policy, Procedure, and Implementation levels is the most important step toward certification.
i1 Validated Assessment Scoring
Scoring for i1 Validated Assessments is much simpler, and there is no weighting since only the “Implemented” maturity level is considered. Each requirement has a number of evaluative elements, typically fewer than 10. For any given requirement the assessor determines whether all, some, or none of the evaluative elements have been met. If all of them have been met, a score of 100% is granted for implementation. If only some of the evaluative elements are met, a score of 25%, 50%, or 75% is granted in accordance with the guidance provided by HITRUST in the Scoring Rubric. If none of the evaluative elements are met, a score of 0% is awarded.
What are the HITRUST Certification Requirements?
Now that we know how to calculate a score, what does a 77.5 really mean as far as obtaining a HITRUST certified report? The average score of the controls within each domain is compared to HITRUST’s final scoring ranges to arrive at a maturity level rating. Maturity level ratings range from 1- to 5+. Each domain must receive at least a rating of 3, or a score greater than 62, in order to obtain a certified HITRUST report. If one or more domains receive a rating lower than 3, HITRUST will only issue a validated report.
For any control related to certification that does not receive a rating of 3+ (>71) or higher, the organization will be required to prepare a Corrective Action Plan (CAP). An organization may have domains with controls requiring CAPs and still receive a HITRUST certification, as long as each domain received a rating of 3 or higher.
i1 Validated Assessment Certification Requirements
Again, the certification requirements for the i1 assessment are much simpler than for the r2. The scores for all applicable requirements within each domain of the assessment are averaged, and each domain must have an average implementation score of 83% to obtain certification.
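The r2 weighted-sum calculation above and the domain thresholds just described are easy to get wrong when working through them by hand, so the following is an added worked example that puts both together. It is not code from this article, from HITRUST, or from the MyCSF tool; the weights, rating scores and thresholds are the ones the article states, and the domain names, control identifiers and ratings in the sample data are constructed for illustration. The 25/50/75 partial scores for i1 come from HITRUST’s Scoring Rubric, which this example does not model; callers pass the rubric result in.

```python
"""Worked HITRUST r2 / i1 scoring arithmetic (added example, not the article's,
HITRUST's or MyCSF's code). Weights, rating scores and thresholds are those the
article states; sample domains, control ids and ratings are constructed."""
from statistics import mean

# r2 maturity level weights from the article (percent of the control score).
R2_WEIGHTS = {"Policy": 15, "Procedures": 20, "Implemented": 40,
              "Measured": 10, "Managed": 15}

# Maturity ratings and the score each carries, from the article.
RATING_SCORE = {"Non-Compliant": 0.0, "Somewhat Compliant": 0.25,
                "Partially Compliant": 0.5, "Mostly Compliant": 0.75,
                "Fully Compliant": 1.0}

# Thresholds from the article: a domain average above 62 is a rating of 3
# (certifiable); a control at or below 71 (below 3+) needs a CAP; an i1
# domain needs an average implementation score of at least 83.
R2_CERTIFY_ABOVE = 62
R2_CAP_AT_OR_BELOW = 71
I1_CERTIFY_AT_LEAST = 83


def r2_control_score(ratings):
    """Sum over the five levels of weight x rating score.

    ratings maps each level name to a rating name. Every level must be rated:
    an unrated level is an incomplete assessment, not a zero, so it is an error.
    """
    missing = set(R2_WEIGHTS) - set(ratings)
    unknown = set(ratings) - set(R2_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"levels missing {sorted(missing)} / unknown {sorted(unknown)}")
    return sum(R2_WEIGHTS[lvl] * RATING_SCORE[ratings[lvl]] for lvl in R2_WEIGHTS)


def r2_assessment(domains):
    """domains: {domain_name: {control_id: {level: rating}}}.

    Returns the domain averages, the controls that need a CAP, and whether the
    report is certifiable (every domain above 62) or validated-only.
    """
    averages = {}
    caps = []
    for domain, controls in domains.items():
        scores = {cid: r2_control_score(r) for cid, r in controls.items()}
        averages[domain] = mean(scores.values())
        caps.extend(cid for cid, s in scores.items() if s <= R2_CAP_AT_OR_BELOW)
    certified = all(avg > R2_CERTIFY_ABOVE for avg in averages.values())
    return {"domain_averages": averages, "caps": sorted(caps),
            "report": "certified" if certified else "validated-only"}


def i1_assessment(domains):
    """domains: {domain_name: {control_id: implemented_score_percent}}.

    Only the Implemented score counts, with no weighting; each domain average
    must reach 83. Partial scores (25/50/75) are supplied by the caller from
    HITRUST's rubric, which is not modelled here.
    """
    averages = {d: mean(c.values()) for d, c in domains.items()}
    certified = all(avg >= I1_CERTIFY_AT_LEAST for avg in averages.values())
    return {"domain_averages": averages,
            "report": "certified" if certified else "validated-only"}


# The article's worked scenario: policies, procedures and implementation fully
# compliant, measurement somewhat compliant, nothing managed.
ARTICLE_SCENARIO = {"Policy": "Fully Compliant", "Procedures": "Fully Compliant",
                    "Implemented": "Fully Compliant", "Measured": "Somewhat Compliant",
                    "Managed": "Non-Compliant"}

if __name__ == "__main__":
    print(r2_control_score(ARTICLE_SCENARIO))  # 77.5
    # Constructed domain: the article's control beside one whose implementation
    # is only partially compliant (40 x 0.5 = 20, total 57.5).
    sample = {"Access Control": {
        "ctrl-1": ARTICLE_SCENARIO,
        "ctrl-2": {**ARTICLE_SCENARIO, "Implemented": "Partially Compliant"}}}
    print(r2_assessment(sample))
    print(i1_assessment({"Access Control": {"ctrl-1": 100, "ctrl-2": 75}}))
```

Running the sample shows the point the article makes about CAPs versus certification: the domain averages 67.5, so it clears the rating-3 bar and the report is certifiable, yet ctrl-2 at 57.5 still requires a CAP because it falls below 3+.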
If you would like to learn more about the HITRUST assessment processes, please check out some of our additional related blogs:
- Navigating Compliance Frameworks: SOC 2 vs. HITRUST
- SOC 2 + HITRUST: How Your Organization Could Benefit From Both
- Avoiding HITRUST Self-Assessment Pitfalls
- The Benefits of HITRUST Certification: Understanding HITRUST vs HIPAA
Conclusion
Hopefully, this has helped you better understand how to accurately assess and score your controls for HITRUST assessments (for both Validated and Self-Assessments). As a Certified CSF Assessor firm, Linford & Co would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions that you may have.
This article was originally published on 2/21/2018 and was updated on 5/25/2022.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.