HITRUST Updated CCSFP Exam Questions and Answers by elin

All three validated assessment types—e1, i1, and r2—evaluate controls considered core to cybersecurity hygiene, though at different levels of assurance. For example, e1 is a low-effort model focusing on essential hygiene, i1 is a moderate-assurance model, and r2 is a comprehensive, risk-based model. Requirement statement counts can vary depending on the regulatory and organizational factors selected during scoping. For instance, adding PCI-DSS or HIPAA will increase requirement counts across all types. All assessment types also require testing of implementation, since evidence of operational control performance is mandatory for validation. The incorrect option is C: r2 assessments always include all 19 domains, and so do e1 and i1 assessments. What differs is the number of requirement statements in each domain, not the domains themselves.

In an i1 assessment, scoring follows a pass/fail logic tied to CAP requirements. If a Control Reference scores below the defined threshold (typically 83 for i1 assessments), any gaps within its requirement statements must be addressed with a required Corrective Action Plan (CAP). A score of 62 is below the threshold, meaning it cannot be accepted without remediation. This ensures organizations remediate key cybersecurity hygiene gaps, even in a moderate assurance assessment. Optional CAPs are not used in i1 assessments, as the assurance program emphasizes mandatory remediation for below-threshold controls. Certification cannot be granted with unresolved required CAPs. Therefore, the correct outcome for a score of 62 in an i1 Control Reference is a required CAP.

In HITRUST scoring, deficiencies are identified when maturity levels fall below required thresholds for certification. In this case, the Policy, Procedure, and Implementation levels are not fully compliant, with scores of 50%, 50%, and 75% respectively. For certification-critical controls, HITRUST requires 100% Implementation, supported by adequate Policy and Procedure. Since the Implementation score is not at 100% and supporting maturity levels are below full compliance, this results in a Required Corrective Action Plan (CAP). The CAP ensures the organization addresses deficiencies through remediation. Unlike optional CAPs, which may apply to non-critical requirements, required CAPs must be documented and remediated to achieve certification. Thus, the correct classification of this scoring outcome is a Required CAP.