HITRUST CCSFP - Certified CSF Practitioner 2025 Exam

In an i1 assessment, scoring below threshold levels (generally 83 for certification-critical controls) results in a required Corrective Action Plan (CAP). A score of 37 falls into the “Somewhat Compliant” category and indicates major deficiencies. Because i1 assessments emphasize cybersecurity hygiene, HITRUST does not allow “risk acceptance” at such low scores. Instead, CAPs are required to ensure remediation is planned and tracked. This approach guarantees that organizations address weaknesses that could leave them vulnerable to common threats. Unlike r2 assessments, where some flexibility exists based on risk tailoring, i1 is structured to enforce mandatory remediation for below-threshold results. Therefore, a Control Reference score of 37 in i1 unequivocally requires a CAP.

Scoping an assessment involves identifying regulatory factors that apply to an organization’s operations. In this case, the entity is a pharmacy that accepts Medicare/Medicaid and processes credit cards. Medicare/Medicaid participation introduces obligations under CMS Minimum Security Requirements (High), which adds federal requirements specific to healthcare entities working with Centers for Medicare and Medicaid Services. Credit card acceptance triggers applicability of the Payment Card Industry Data Security Standard (PCI-DSS), a widely recognized standard for protecting cardholder data. Additionally, pharmacies often fall under the FTC Red Flags Rule, which applies to organizations that maintain consumer accounts and must protect against identity theft. By contrast, FISMA applies to federal agencies or contractors, not pharmacies, and FedRAMP applies only to cloud service providers working with the federal government. Therefore, the correct set of regulatory factors is FTC Red Flags Rule, PCI-DSS, and CMS Minimum Security Requirements (High).

When scoring Measured and Managed maturity levels in HITRUST, evidence requirements are more rigorous. If these levels are scored above 50%, organizations must demonstrate that formal processes exist to measure control performance, that reports are generated to monitor effectiveness, and that accountability for measurement and management is assigned. Specifically:

Processes show how control gaps are tracked, risks mitigated, and remediation addressed.

Reports provide tangible outputs proving monitoring activities (e.g., audit logs, vulnerability reports).

Responsible individuals must be identified to show governance and ownership of measurement functions.

Organizational scoping factors, while important for tailoring requirements, do not serve as evidence of maturity scoring. HITRUST’s QA team requires this documentation to confirm that high maturity levels are not claimed without demonstrable evidence of ongoing monitoring and governance.

The A1 Security Assessment factor is an optional module that introduces requirements for evaluating the security and governance of AI-based systems. These requirements are mapped into HITRUST CSF across domains like risk management, monitoring, and governance. Importantly, the A1 factor is not restricted solely to r2 assessments. While r2 provides the most comprehensive assurance model, A1 can also be added to other eligible assessment types such as i1 when the scope involves AI risks. The factor is treated like any other regulatory or organizational factor in MyCSF—its selection generates additional tailored requirement statements. Therefore, the claim that A1 can only be added to r2 is inaccurate. The correct understanding is that A1 can apply to multiple assessment types, depending on scoping decisions.

HITRUST offers Rapid Assessments as a lightweight reporting option for organizations and their relying parties. These assessments provide high-level visibility without requiring large numbers of requirements. In fact, a Rapid Assessment may contain fewer than 60 requirement statements depending on scoping and factors selected. There is no requirement that an assessment or insights report exceed 60 requirements to qualify as a rapid assessment. Instead, the determination is based on the selected assessment type (e1, i1, or targeted factors) and whether the output is requested in “rapid” format. This flexibility allows small organizations or specific use cases to leverage HITRUST without unnecessary burden.

The e1 assessment focuses on essential cybersecurity hygiene controls. To achieve certification, the Implemented maturity level must demonstrate full (100%) compliance for each requirement statement. Partial implementation (such as 50%) indicates that the control is not consistently applied or lacks complete coverage across systems and users. HITRUST emphasizes the Implemented level in e1 because it represents proof that foundational safeguards are actively functioning. Scoring 50% would fall into the “Partially Compliant” category, which is insufficient for certification. Even if policies and procedures exist, HITRUST requires controls to be fully implemented for an e1 certification outcome. This strict requirement helps ensure that entities with lower assurance models still achieve a baseline of strong operational security.

HITRUST scoping boundaries help organizations define how their environments are assessed. The Shared IT services boundary is used when scoping common technology services and supporting infrastructure (e.g., hosting platforms, networks, identity services) that serve one or more business units. This contrasts with Follow-the-data (traces data flows across processes/units), Enclave-focused (a discrete segmented environment), and Enterprise (the entire organization).

“Shared IT services boundaries encompass the common IT platforms and supporting infrastructure leveraged by one or more business units.” [CCSFP Study Guide – Scoping Boundaries, 0155]

HITRUST enforces strict evidence requirements to maintain credibility of assessment results. For Policy and Procedure maturity levels, if a score above 25% is claimed, the organization must link appropriate evidence (e.g., documented policies, standard operating procedures). For Implementation, Measured, and Managed, evidence must be provided whenever a score greater than 0% is claimed. This ensures that claims are supported by objective artifacts rather than assertions. Evidence can include policy documents, monitoring reports, logs, meeting minutes, or audit records. HITRUST QA verifies that evidence is linked to requirement statements at each maturity level. Without linked evidence, scores may be reduced or reverted during QA. This policy ensures transparency, accountability, and prevents overstatement of control effectiveness.

The r2 assessment is the most risk-tailorable of all HITRUST assessment types. Unlike the standardized e1 and i1 assessments, which are designed for essential or moderate assurance, the r2 adapts dynamically based on organizational, technical, compliance, and operational risk factors. For example, the number of users, systems, or internet-facing components directly impacts the number and type of requirement statements. Regulatory drivers such as HIPAA, PCI-DSS, or GDPR also add requirements, ensuring the assessment aligns with the entity’s unique obligations. This tailoring ensures that organizations with higher risk exposure face more stringent testing, while lower-risk entities are not overburdened with unnecessary controls. Neither interim assessments nor bridge certificates are tailorable—they are point-in-time processes tied to existing validated assessments.