# HITRUST CSF Assessment

> Draft HITRUST CSF Validated Assessment deliverables for e1, i1, or r2 certification: control requirement responses at all maturity levels, evidence artifacts, Corrective Action Plans, and the Validated Assessment Report.



Tags: HITRUST, Compliance, Cybersecurity, Healthcare, Audit


## Example Prompts

- Draft control requirement responses for our HITRUST r2 assessment
- Score our HITRUST i1 requirements at each maturity level with evidence
- Write a Corrective Action Plan for our non-compliant HITRUST requirements
- Produce the Validated Assessment Report narrative for HITRUST e1

URL: https://rakenne.app/skills/hitrust-csf-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=hitrust-csf-assessment



## Overview

Draft HITRUST CSF Validated Assessment deliverables for e1, i1, or r2 certification: control requirement responses, evidence artifacts, Corrective Action Plans (CAPs), and the Validated Assessment Report. The r2 assessment scores each requirement at all five maturity levels of the HITRUST model (Policy, Procedure, Implemented, Measured, Managed); e1 and i1 are scored on the Implemented level only, so for those assessment types the per-level responses collapse to that single level.

## Getting Started

Add your source materials to the project workspace, then activate the *HITRUST CSF Assessment* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We need to prepare for our HITRUST r2 validated assessment. We're a healthcare SaaS company — cloud-hosted on AWS, about 800 employees, we handle ePHI and fall under HIPAA. Can you help us build the control requirement responses?
>
> **Agent:** I'll guide you through the r2 assessment. A few scope questions first: (1) Do you have mobile devices accessing ePHI, and do you offer a patient-facing portal? (2) Are there any other regulatory overlays beyond HIPAA — PCI, NIST, state privacy laws? (3) Have you done a prior HITRUST assessment we can build on?
>
> **You:** Yes, patient portal, no PCI, and we need to be NIST-aligned. No prior HITRUST — this is our first. Go ahead and start with Category 01 (Access Control).
>
> **Agent:** Based on your scope — cloud on AWS, HIPAA + NIST overlays, patient portal, ~800 employees — your r2 assessment will include approximately 280 requirements. I've started drafting `control-responses.json`. Here are my responses for requirement 01.a (Business Requirement for Access Control):
>
> - **Policy (100):** "Information Access Control Policy v2.3, approved by CISO on 14 Jan 2025, addresses business requirements for access control across all ePHI systems."
> - **Procedure (75):** "Access provisioning SOP documented in Confluence — covers request, approval, and provisioning workflow. Gap: no formal documented deprovisioning procedure; a separate offboarding SOP is being drafted."
> - **Implemented (75):** "AWS IAM roles enforce least-privilege access. Okta SAML federation active for all corporate systems. Gap: privileged access review conducted ad hoc rather than quarterly."
> - **Measured (50):** "Access review completion rate tracked; no formal KPI dashboard yet."
> - **Managed (0):** "No management review of access control metrics documented."
>
> Overall score: 68.75 — passing, no CAP required for this requirement. Shall I continue with 01.b and flag requirements that will need CAPs?

## Sample Output Excerpt

Below is a representative excerpt from a HITRUST r2 control requirement response document. Overall scores are the weighted sum of the five level scores using HITRUST's r2 maturity weights (Policy 15%, Procedure 20%, Implemented 40%, Measured 10%, Managed 15%); a requirement whose overall score falls below 62 needs a Corrective Action Plan (CAP).

---

### Requirement 09.ab — Monitoring System Use

**Category:** 09 — Communications and Operations Management

**Assessment type:** r2 | **In-scope overlays:** HIPAA, NIST

#### Maturity Level Responses

| Level | Score | Evidence |
|-------|-------|---------|
| Policy | 100 | Information Security Monitoring Policy v1.4, approved by Board of Directors, 22 Mar 2024 |
| Procedure | 75 | Log Review SOP (ITSEC-SOP-012) covers daily SIEM review. Gap: procedure does not address API gateway log review for the patient portal. |
| Implemented | 75 | Splunk SIEM collects logs from all EC2 instances, RDS, and S3 access logs. Daily review tickets generated in Jira. Gap: CloudTrail logs from three legacy Lambda functions not yet forwarded to SIEM. |
| Measured | 50 | Mean time from alert to analyst review is tracked monthly. No formal threshold or SLA defined. |
| Managed | 25 | Quarterly security operations review meeting held; minutes on file (Q1 2025). Log monitoring KPIs not yet a standing agenda item. |

**Overall score:** 68.75 — Compliant (no CAP required)

#### CAP
*Not required (score ≥ 62)*

---

### Requirement 01.c — Privilege Management

**Category:** 01 — Access Control

| Level | Score | Evidence |
|-------|-------|---------|
| Policy | 100 | Privileged Access Management Policy v2.1 |
| Procedure | 50 | PAM SOP covers provisioning; deprovisioning steps missing for contractor accounts. |
| Implemented | 50 | CyberArk PAM deployed for database admins. Gap: 12 service accounts have standing privilege without rotation schedule. |
| Measured | 0 | No privileged account metrics collected. |
| Managed | 0 | No management review of privileged accounts. |

**Overall score:** 45.0 — **Non-Compliant (CAP required)**

**CAP — CAP-2025-014**

| Field | Details |
|-------|---------|
| Gap | Privileged account management is incomplete: contractor deprovisioning undocumented, 12 service accounts lack rotation, no metrics or management review. |
| Corrective action | (1) Update PAM SOP to include contractor offboarding; (2) Rotate all 12 service account passwords and enable automated rotation in CyberArk; (3) Implement monthly PAM dashboard report; (4) Add privileged account review to quarterly security operations meeting agenda. |
| Owner | Head of IT Security |
| Target date | 30 June 2025 |
| Residual risk | Medium |


## Built-in Scripts and Validation

The skill includes a validation tool the agent runs against your response document during and after drafting.

### Validation tools

| Tool | Purpose |
|------|---------|
| **hitrust_requirement_coverage_check** | Scans the control response document (JSON or Markdown) and validates: (1) every in-scope requirement has a response at all five maturity levels; (2) each level has a numeric score on the HITRUST scale (0, 25, 50, 75, or 100, corresponding to Non-, Somewhat, Partially, Mostly, and Fully Compliant); (3) each level cites at least one evidence artifact; (4) requirements scoring below 62 overall have a CAP with a named owner and a specific target date; (5) CAP corrective action descriptions are substantive. Returns PASS with a count of validated requirements, or FAIL with a numbered list of specific issues to fix. |
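The page does not show the coverage check or the maturity scoring of the sample excerpt as code. The Python below is an added example, not the skill's own `hitrust_requirement_coverage_check`: it runs the five checks listed in the table over a `control-responses.json` document of an assumed schema (`requirements` -> `levels` -> `score`/`evidence`, optional `cap`), and computes each requirement's overall score with HITRUST's published r2 level weights (Policy 15%, Procedure 20%, Implemented 40%, Measured 10%, Managed 15%), reproducing the 68.75 and 45.0 of the excerpt. The field names, the eight-word heuristic for a "substantive" corrective action, and the sample document are assumptions; the sample's 09.ab and 01.c level scores are the excerpt's, and 01.b is constructed to exercise the failure paths.

```python
"""Validator for a HITRUST control-responses JSON document (added example,
not the skill's own hitrust_requirement_coverage_check; schema is assumed)."""
import json
from datetime import date

# HITRUST's published r2 weights for the five maturity levels.
WEIGHTS = {"policy": 0.15, "procedure": 0.20, "implemented": 0.40,
           "measured": 0.10, "managed": 0.15}
VALID_SCORES = {0, 25, 50, 75, 100}   # Non-/Somewhat/Partially/Mostly/Fully Compliant
CAP_THRESHOLD = 62                    # overall score below this requires a CAP
MIN_ACTION_WORDS = 8                  # assumed heuristic for "substantive" text


def weighted_score(levels):
    """Overall requirement score: weighted sum of the five level scores."""
    return round(sum(WEIGHTS[n] * levels[n]["score"] for n in WEIGHTS), 2)


def _is_iso_date(text):
    """True for a specific calendar date such as 2025-06-30, not 'Q3 2025'."""
    try:
        date.fromisoformat(text)
        return True
    except (TypeError, ValueError):
        return False


def validate(doc):
    """Return a list of issue strings; an empty list means PASS."""
    issues = []
    for req in doc.get("requirements", []):
        rid = req.get("id", "<no id>")
        levels = req.get("levels", {})
        missing = [n for n in WEIGHTS if n not in levels]
        if missing:                                          # check (1)
            issues.append(f"{rid}: missing maturity levels {missing}")
            continue
        scorable = True
        for name in WEIGHTS:
            score = levels[name].get("score")
            if not isinstance(score, (int, float)) or score not in VALID_SCORES:
                issues.append(f"{rid}/{name}: score {score!r} not one of "
                              f"{sorted(VALID_SCORES)}")    # check (2)
                scorable = False
            if not levels[name].get("evidence"):             # check (3)
                issues.append(f"{rid}/{name}: no evidence artifact cited")
        if not scorable or weighted_score(levels) >= CAP_THRESHOLD:
            continue
        cap = req.get("cap")                                 # checks (4), (5)
        if not cap:
            issues.append(f"{rid}: score {weighted_score(levels)} is below "
                          f"{CAP_THRESHOLD} but no CAP is recorded")
            continue
        if not cap.get("owner"):
            issues.append(f"{rid}: CAP has no named owner")
        if not _is_iso_date(cap.get("target_date")):
            issues.append(f"{rid}: CAP target date is not a specific ISO date")
        if len((cap.get("corrective_action") or "").split()) < MIN_ACTION_WORDS:
            issues.append(f"{rid}: CAP corrective action is not substantive")
    return issues


def report(doc):
    """PASS/FAIL summary in the shape the coverage check is described to return."""
    issues = validate(doc)
    if not issues:
        return f"PASS: {len(doc.get('requirements', []))} requirements validated"
    return "FAIL:\n" + "\n".join(f"{i}. {m}" for i, m in enumerate(issues, 1))


# Constructed sample: 09.ab and 01.c reuse the level scores from the excerpt
# above (evidence abbreviated); 01.b is invented to exercise the failure paths.
SAMPLE_DOC = json.loads("""{"requirements": [
 {"id": "09.ab", "levels": {
   "policy": {"score": 100, "evidence": "Information Security Monitoring Policy v1.4"},
   "procedure": {"score": 75, "evidence": "Log Review SOP ITSEC-SOP-012"},
   "implemented": {"score": 75, "evidence": "Splunk source inventory; Jira review tickets"},
   "measured": {"score": 50, "evidence": "Monthly alert review-time report"},
   "managed": {"score": 25, "evidence": "Q1 2025 security operations review minutes"}}},
 {"id": "01.c", "levels": {
   "policy": {"score": 100, "evidence": "Privileged Access Management Policy v2.1"},
   "procedure": {"score": 50, "evidence": "PAM SOP (contractor deprovisioning absent)"},
   "implemented": {"score": 50, "evidence": "CyberArk safe export; service account list"},
   "measured": {"score": 0, "evidence": "Interview notes: no privileged-account metrics"},
   "managed": {"score": 0, "evidence": "Interview notes: no management review"}},
  "cap": {"id": "CAP-2025-014", "owner": "Head of IT Security", "target_date": "2025-06-30",
   "corrective_action": "Update PAM SOP for contractor offboarding; rotate the 12 service accounts and enable automated rotation in CyberArk; publish a monthly PAM dashboard; add privileged account review to the quarterly agenda."}},
 {"id": "01.b", "levels": {
   "policy": {"score": 100, "evidence": "Information Access Control Policy v2.3"},
   "procedure": {"score": 75, "evidence": ""},
   "implemented": {"score": 25, "evidence": "Okta group membership export"},
   "measured": {"score": 0, "evidence": "Interview notes"},
   "managed": {"score": 0, "evidence": "Interview notes"}},
  "cap": {"id": "CAP-2025-015", "owner": "", "target_date": "Q3 2025",
   "corrective_action": "Fix it."}}]}""")

if __name__ == "__main__":
    print(report(SAMPLE_DOC))
```

Run stand-alone it prints a FAIL with four numbered issues, all against 01.b (missing procedure evidence, no CAP owner, a non-specific target date, and a two-word corrective action); drop 01.b and the same document passes. The evidence check only tests that an artifact is cited, not that it exists or supports the score, which is the assessor's job; the date check deliberately rejects "Q3 2025"-style targets because a CAP needs a date an assessor can hold the owner to.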


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
