Under which version of the CSF did the framework go industry-agnostic and HIPAA become its own regulatory factor?
Correct Answer: C
The HITRUST CSF transitioned to an industry-agnostic framework beginning with version 9.0. Prior to v9.0, HITRUST CSF was often perceived as heavily healthcare-focused, since HIPAA was embedded directly into the baseline controls. With v9.0, HIPAA was moved into the regulatory factor category, making it selectable during scoping rather than inherently included for all organizations. This change expanded the CSF's applicability beyond healthcare, making it suitable for industries such as finance, technology, and government contractors. It also aligned with HITRUST's vision of providing a "common security framework" that supports multiple industries while maintaining healthcare compliance capabilities through HIPAA as a regulatory overlay. References: HITRUST CSF Framework Release Notes - "v9.0 Changes"; CCSFP Study Guide - "Transition to Industry-Agnostic Framework."
Question 42
Which of the following are true with e1, i1, and r2 assessment types? (Select all that apply)
Correct Answer: A,B,D
All three validated assessment types (e1, i1, and r2) evaluate controls considered core to cybersecurity hygiene, though at different levels of assurance. For example, e1 is a low-effort model focusing on essential hygiene, i1 is a moderate-assurance model, and r2 is a comprehensive, risk-based model. Requirement statement counts can vary depending on the regulatory and organizational factors selected during scoping. For instance, adding PCI-DSS or HIPAA will increase requirement counts across all types. All assessment types also require testing of implementation, since evidence of operational control performance is mandatory for validation. The incorrect option is C: r2 assessments always include all 19 domains, and so do e1 and i1 assessments. What differs is the number of requirement statements in each domain, not the domains themselves. References: HITRUST Assurance Program Overview - "Assessment Type Comparison"; CCSFP Study Guide - "e1, i1, r2 Requirements and Domains."
Question 43
Select the four general risk factor categories used when scoping r2 assessments.
Correct Answer: A,C,D,E
When performing scoping for an r2 assessment, HITRUST requires consideration of risk factors that tailor requirement statements. Four categories are applied: Technical, Organizational, Compliance, and Operational.
* Technical Risk Factors consider measurable characteristics such as number of users, systems, or transactions, which directly influence the size and complexity of the control environment.
* Organizational Risk Factors address the type of business, industry sector, and whether the entity is a covered entity or business associate.
* Compliance Risk Factors incorporate regulatory drivers (e.g., HIPAA, PCI DSS, state laws) that generate additional requirement statements.
* Operational Risk Factors consider how data is used, stored, and transmitted, including exposure points like internet-facing systems.
"General" and "Privacy" are not categories formally recognized in the HITRUST methodology. Privacy obligations are accounted for under compliance drivers such as HIPAA, GDPR, or state laws. These categories ensure that control requirements are right-sized to the entity's unique environment, reducing both over-scoping and under-scoping. References: HITRUST CSF Assessment Methodology - "Risk Factor Categories"; CCSFP Study Guide - "Scoping Risk Factors in r2 Assessments."
Question 44
When an implementation gap is remediated, what is the minimum number of days the control must operate before retesting? [0130]
Correct Answer: C
For Implemented-level remediations, HITRUST requires 60 days of operation before retesting. This ensures the control is not only deployed, but also functioning effectively over time. A 30-day threshold applies to Policy/Process, while Implemented requires a longer period to validate consistent application. Extract Reference (HITRUST CSF Scoring & CAP Guidance [0130]): Implementation gaps must show at least 60 days of operating effectiveness before retesting can validate remediation.
Question 45
The HITRUST CSF is updated on an annual basis.
Correct Answer: B
The HITRUST CSF is a living framework designed to align with multiple regulatory and industry standards such as HIPAA, NIST, ISO, PCI DSS, and GDPR. While it is updated regularly to maintain alignment with these external sources, the update cycle is not strictly annual. HITRUST publishes updates as needed, typically in major releases (e.g., v9.1, v9.4, v11) and interim updates when regulatory changes occur. For example, significant updates may happen every 18-24 months, with minor updates issued in between. This flexibility allows HITRUST to remain responsive to evolving security, privacy, and compliance requirements rather than being bound to a fixed yearly schedule. Therefore, the statement that the CSF is always updated annually is False. References: HITRUST CSF Overview - "Versioning and Updates"; CCSFP Practitioner Guide - "Framework Maintenance and Update Cycles."