The HITRUST CSF 90-Day Rules – What You Need to Know

Zach Shales, Principal, Healthcare Certification, Coalfire

Earlier this year, HITRUST announced required changes, effective April 1, 2019 (applicable to all CSF assessor firms), regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality Checklist.

The checklist must be completed and signed by the assessor organization. It requires the participation of both an Engagement Executive and an Assurance Reviewer who is also a Certified HITRUST Quality Practitioner (CHQP). Within the checklist are two long-standing 90-day rules that are enforced for all validated assessments submitted to HITRUST.

Several Coalfire clients have experienced challenges with these rules. This blog will discuss the rules and review their real-world implications, as well as pose solutions to overcoming associated challenges.

90-day Maturation Period

The HITRUST CSF Assessor Quality Checklist states, “All items tested had been approved and/or implemented for 90 days prior to being tested.” So, what does this mean? In short, all policies and procedures must be reviewed, approved, and operationalized 90-days prior to an assessment. This also means that the implementation of all controls must have been in place and operating effectively 90 days prior to beginning a validated assessment. This requirement is intended to ensure that the controls have been appropriately designed and that all implementations are mature and operating effectively.

The practical limitation is that all policies, procedures, and implementations must be in place and operating effectively before any testing of the environment, including policies and procedures, can begin. Policies, procedures, and implementations that are modified following the 90-day maturation window cannot be scored in full. Note, this does not include the normal management of an environment – patching windows, firewall rule updates, change management processes, etc. – all should continue to operate during this window.

90-day Assessment Window

In addition to the 90-day maturation period, the Quality Assurance Checklist states, “All testing was performed within 90 days of submission date.” This means that the assessment must be completed, start to finish, within a 90-day timeframe. This window emphasizes the importance of conducting a thorough and comprehensive self-assessment against the HITRUST CSF prior to moving forward with a validated assessment.

Our Recommendations

Facilitated Self-Assessment

These self-assessments are designed to test all policies, procedures, and implementations against the current version of the CSF. Performing a comprehensive, facilitated self-assessment helps minimize gaps in policies, procedures, and implementations prior to beginning a validated assessment. Using a CSF assessor firm ensures that the HITRUST scoring rubrics and methodologies are used, eliminating surprises on scoring during the validation phase.

Bridge Assessments

A bridge assessment identifies changes in requirements between the CSF version used in an organization’s last validated assessment against those in the current version. The assessment determines gaps in policy and process documentation before the next validated assessment. It evaluates documentation for additional controls and scores them against the HITRUST maturity model. It also helps remediate documentation issues, brings the organization into compliance with changed and/or additional requirements, and provides additional guidance for implementing new requirements.


Helpful services to consider in remediation include customized policy and procedure development as well as technical implementation for cloud and on-premise environments.

HITRUST Newsletter

HITRUST sends out a periodic newsletter to all subscribers detailing changes in the assessment methodology, new guidance and rules, as well as changes to the framework. You can sign up for the HITRUST Newsletter here.


The 90-day implementation and completion windows are critical factors in determining timelines around HITRUST CSF engagements. For organizations new to HITRUST, performing a self-assessment is a pivotal step to identify remediation efforts needed prior to validation. Organizations that have undergone a validated assessment but need to adhere to the latest version of the CSF should be assessed against that version to ensure the 90-day maturation window is fully observed following remediation. If you have questions or want to discuss these changes, reach out – we would be happy to help.

Zach Shales


Zach Shales — Principal, Healthcare Certification, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS