The HITRUST CSF 90-Day Rules – What You Need to Know

September 26, 2019

Earlier this year, HITRUST announced required changes, effective April 1, 2019 (applicable to all CSF assessor firms), regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality Checklist.

The checklist must be completed and signed by the assessor organization. It requires the participation of both an Engagement Executive and an Assurance Reviewer who is also a Certified HITRUST Quality Practitioner (CHQP). Within the checklist are two long-standing 90-day rules that are enforced for all validated assessments submitted to HITRUST.

Several Coalfire clients have experienced challenges with these rules. This blog will discuss the rules and review their real-world implications, as well as propose solutions for overcoming the associated challenges.

90-day Maturation Period

The HITRUST CSF Assessor Quality Checklist states, “All items tested had been approved and/or implemented for 90 days prior to being tested.” So, what does this mean? In short, all policies and procedures must be reviewed, approved, and operationalized 90 days prior to an assessment. This also means that the implementation of all controls must have been in place and operating effectively 90 days prior to beginning a validated assessment. This requirement is intended to ensure that the controls have been appropriately designed and that all implementations are mature and operating effectively.

The practical limitation is that all policies, procedures, and implementations must be in place and operating effectively before any testing of the environment, including policies and procedures, can begin. Policies, procedures, and implementations that are modified following the 90-day maturation window cannot be scored in full. Note, this does not include the normal management of an environment – patching windows, firewall rule updates, change management processes, etc. – all should continue to operate during this window.

90-day Assessment Window

In addition to the 90-day maturation period, the Quality Assurance Checklist states, “All testing was performed within 90 days of submission date.” This means that the assessment must be completed, start to finish, within a 90-day timeframe. This window emphasizes the importance of conducting a thorough and comprehensive self-assessment against the HITRUST CSF prior to moving forward with a validated assessment.

Our Recommendations

Facilitated Self-Assessment

These self-assessments are designed to test all policies, procedures, and implementations against the current version of the CSF. Performing a comprehensive, facilitated self-assessment helps minimize gaps in policies, procedures, and implementations prior to beginning a validated assessment. Using a CSF assessor firm ensures that the HITRUST scoring rubrics and methodologies are used, eliminating surprises on scoring during the validation phase.

Bridge Assessments

A bridge assessment identifies changes in requirements between the CSF version used in an organization’s last validated assessment and those in the current version. The assessment determines gaps in policy and process documentation before the next validated assessment. It evaluates documentation for additional controls and scores them against the HITRUST maturity model. It also helps remediate documentation issues, brings the organization into compliance with changed and/or additional requirements, and provides additional guidance for implementing new requirements.


Helpful services to consider in remediation include customized policy and procedure development, as well as technical implementation for cloud and on-premise environments.

HITRUST Newsletter

HITRUST sends out a periodic newsletter to all subscribers detailing changes in the assessment methodology, new guidance and rules, as well as changes to the framework. You can sign up for the HITRUST Newsletter here.


The 90-day implementation and completion windows are critical factors in determining timelines around HITRUST CSF engagements. For organizations new to HITRUST, performing a self-assessment is a pivotal step to identify remediation efforts needed prior to validation. Organizations that have undergone a validated assessment but need to adhere to the latest version of the CSF should be assessed against that version to ensure the 90-day maturation window is fully observed following remediation. If you have questions or want to discuss these changes, reach out – we would be happy to help.