HITRUST CSF Bridge Assessments

A new option during COVID-19


You’re likely adapting a wide variety of business practices in response to COVID-19 – but have you considered how you might need to adapt your information security practices? Information protection and compliance remain just as, if not more, important in this environment. If your organization has used the HITRUST CSF® Validated Assessment, you know the process can give peace of mind to your customers and clients. However, if you’re approaching the end of your two-year certification cycle, you might not have the ability to invest the time and resources (typically one to two months) needed to undergo a full assessment.

If you’re looking for ways to buy your organization some additional time, you could consider a HITRUST CSF Bridge Assessment. This streamlined assessment takes only a few days and gives you up to 90 additional days to submit your validated assessment to HITRUST. The following timeline illustrates how the bridge assessment option allows your organization additional time and helps make HITRUST CSF Certification more manageable during COVID-19.

HITRUST Timeline

How does it work?

During a HITRUST CSF Bridge Assessment, a total of 19 requirement statements are randomly selected within the HITRUST MyCSF® platform for testing by the HITRUST Authorized External Assessor. HITRUST then reviews the testing on a priority basis, and if all the requirements are met, you’ll be issued a HITRUST CSF Bridge Certificate. As you use the next 90 days to complete your full validated assessment, those 19 requirement statements are not required to be retested.

What timing do you need to consider?

A HITRUST CSF Bridge Certificate provides your organization additional time to complete the full assessment, but you don’t want to lose sight of these timing considerations:

  • Bridge assessment due date. You have until 30 days after the expiration date of your current certification to submit the bridge assessment object to HITRUST. To allow sufficient planning time, you’ll want to make the decision to undergo a bridge assessment at least 60 to 90 days prior to the expiration date.
  • Validated assessment submission. You must submit your validated assessment object to HITRUST by 90 days after the expiration date of your current certification.
  • HITRUST processing time. HITRUST has committed to making review of bridge assessments a priority, with an expected processing time of two to three weeks.
  • Certification date. Since the bridge assessment allows 90 additional days to submit the validated assessment to HITRUST, your organization’s certification date will remain the same. As a result, your organization maintains a continuous level of HITRUST CSF Certification.

How do you communicate your completion of the bridge assessment to customers?

Before you proceed with a bridge assessment, you’ll want to consider the specific customers or prospects for whom the HITRUST report is a time-sensitive deliverable. While a HITRUST CSF Bridge Certificate does not provide the same level of assurance as a validated report with certification, a bridge certificate does demonstrate the continued effectiveness of your organization’s information protection program.

You’ll want to inform customers and prospects that you are following a known, committed timeline to complete and provide the validated assessment report. This is not an open-ended delay in the certification process. Because a bridge assessment allows your organization to maintain a form of HITRUST CSF Certification continuously, you won’t experience a gap period without a form of certification.

If you’re looking for someone to collaborate with your organization on next steps, our team can help. As a HITRUST Assessor, we have extensive experience working with a variety of organizations to help create a plan for certification.

Contact Us

Erika Del Giudice
Erika L. Del Giudice
Principal, IT Assurance Services
Jaclyn Dettloff
Jaclyn Dettloff
Senior Manager, Audit & Assurance