June 30, 2025

Guest: Chris Shaffer

Bio:
Chris Shaffer leads CBIZ’s HITRUST CSF assessor program. He brings over 20 years of information technology security, operations, and consulting experience to his clients. Chris specializes in leading engagements for SSAE 21 (SOC 1), SOC 2, PCI-DSS, HIPAA, HITRUST, NIST, ISO, and general IT computing controls for private and public businesses across a variety of industries. He has extensive experience working with hosting, data center, managed service providers, and software service organizations.

Prior to entering an external consulting role, Chris managed security and network operations for multiple software, datacenter, and hosting service providers in executive and operational capacities. He brings a high level of operational understanding to every engagement, helping clients navigate internal processes and procedures.

Summary:
In this episode of the Virtual CISO Podcast, host John Verry and guest Chris Shaffer discuss the HITRUST framework, its evolution, and its significance in the cybersecurity landscape. They delve into the Common Security Framework (CSF), the different assessment models (E1, I1, R2), and how HITRUST compares to other frameworks like SOC 2 and ISO 27001. The conversation also touches on the future of HITRUST, including potential reciprocity with other standards and the impact of emerging technologies like AI.

Keywords:
HITRUST, CSF, cybersecurity, assessment frameworks, information security, compliance, E1, I1, R2, SOC 2, ISO 27001

Takeaways:

  • HITRUST was founded to help organizations demonstrate security and compliance.
  • The Common Security Framework (CSF) is central to HITRUST’s offerings.
  • HITRUST assessments are categorized into E1, I1, and R2 models.
  • E1 is a good entry point for organizations new to HITRUST.
  • HITRUST assessments are rigorous and require a high level of detail.
  • The CSF is updated annually to remain relevant to current threats.
  • HITRUST aims to provide consistency across different organizations.
  • Reciprocity between frameworks could simplify compliance for organizations.
  • The future of HITRUST may involve more integration with AI and other standards.
  • Smaller organizations may find HITRUST assessments burdensome without reciprocity.

 

John Verry (00:00.332)
Yeah, the first podcast I recorded was Katie Arrington, and 45 minutes later I’m like, shit.

No. Did you redo it?

Yeah. She redid it. She was nice. It was like five o’clock on a Friday. She was at the Pentagon and she re-recorded the whole podcast. Yes. Yeah, she was nice. She’s a nice woman. All right. You ready? Cool. Hey there and welcome to yet another episode of the Virtual CISO Podcast with you as always your host, John Verry. And with me today is Chris Shaffer. Hey, Chris.

That was my

Chris Shaffer (00:25.378)
Yes, sir.

Chris Shaffer (00:36.738)
How’s it going, John?

It is going well. Looking forward to this conversation. So always start easy. Tell us a little bit about who you are and what is it that you do every day.

Yeah. So my name is Chris Shaffer. I’m a managing director here at CBIZ, most recently with Marcum and Marcum Risk Advisory Services. I’ve been in the industry with Marcum and its previous firm for about 10 years now. And in 2016, I brought us into the HITRUST Third Party Assessor Program. And we’ve been a HITRUST Third Party Assessor ever since.

And looking forward to discussing HITRUST and where it’s going and who they are and how we can potentially help.

Absolutely. Before we get down to business, I always ask, what’s your drink of choice?

Chris Shaffer (01:26.04)
Drink of choice. Bourbon, you know. And probably right now Buffalo Trace and Blanton’s if I can find it available.

Very good. And you’re not going to go wrong with that tree, right? Which ends in Pappy if you take that same mash and go far enough along. But of course, finding Pappy these days gets a little bit crazy.

Well, even more, I heard that the flooding a couple of weeks ago hit the distillery. I saw some pictures of that and interestingly enough, we actually did a team outing in Lexington about five, six years ago and we visited that distillery and a few others in the area. It was a great, great time.

Better that it hits the distillery than one of the rickhouses. Because we won’t know about this for another nine years, and who the heck knows who’s gonna be here in nine years, right? I mean, you know. Well, if you’re drinking Buffalo Trace, that’s a younger bourbon. I mean, I drink Knob Creek, which is nine years. So I don’t need to worry about anything.

They wouldn’t

Chris Shaffer (02:29.664)
Yeah, well they wouldn’t tell us where the Pappy and the Blanton’s barrels were. Everybody asked. But I don’t think a lot of people know. I saw that Netflix documentary.

Yeah, about the bourbon heist, yeah, that was crazy. That was crazy. All right, so like you alluded to, you do lots of things attestation oriented, but HITRUST is the thing that we’re here to talk about today. So let’s just set the floor, if you will. What exactly is HITRUST?

Yeah, so HITRUST was originally a non-profit organization. I think they were founded in the late 2000s, 2007 if I remember correctly. Originally known as the Health Information Trust Alliance and really geared towards helping healthcare organizations and their providers demonstrate security and compliance in a consistent manner through their CSF or common security framework.

However, in version 9, and I think we’re going to touch on this a little bit, they kind of moved to be more of an industry agnostic approach with version nine. But now they’ve moved into AI controls and security assessments as well. And we can talk about that in a little bit. This year, I think it was March, they partnered with an investment firm to fuel their continued growth and focus on their core offerings and meeting the needs of the marketplace as well.

Yeah, it’s been an interesting journey for them. Back in the very beginning, a guy by the name of Brian Klein authored the first CSF. Brian at the time was working at a children’s hospital in Philadelphia. He’d just come out of the military. He had a military background. And I used to go and have lunch with him. And we would talk about it. And he would pick my brain about how to say things in an ISO way as opposed to a NIST, DISA, you know, FISMA kind of way. So yeah, it’s been around a while.

John Verry (04:21.934)
That for sure. So there’s two, I think two pieces, if you will, two core components of HITRUST that if somebody is talking about HITRUST, you need to know a bit about: the CSF and MyCSF. Talk about what those are.

So the CSF is really the it’s at the core of their offering. It’s their framework that they use for all of their offerings, whether it’s the different assessment types they have now, their new AI certification. And it’s unique because it brings in a lot of authoritative sources and you can get insight reports such as HIPAA, NIST, ISO, PCI DSS.

And it tends to be more threat adaptive than a lot of the other frameworks because it’s updated more frequently and usually no less than annually. And going through the assessment requires their MyCSF portal tool. And this is available with a subscription. It’s required for any validated assessment or certification that an organization would undergo. And it allows you to create an assessment object, which is the list of requirements that would be applicable to that organization and their goals,

as well as insight reporting. It has different reporting to measure your maturity, as well as corrective action plan management on an ongoing basis if you choose to use it for that. So it’s a great tool. It’s come a long way in the nine years that I’ve been using it. Version 2, I think they launched their own part of that. I believe it was built on RSAM.

It’s a tool. They continually evolve it. Every time I log in, I see a new feature and something new and different. They continue to evolve it to meet the needs of the organizations and marketplace.

John Verry (06:08.598)
If I was going to oversimplify it, you can think of the CSF as being the list of controls that you may need to implement. So sort of comparable to the clauses and Annex A of ISO 27001 or the trust services criteria of SOC 2. And then I guess you can compare the MyCSF to a good GRC tool, governance risk and compliance tool, with the difference being that in this particular case,

It’s how you interact with it and it helps you figure out which controls you need based on risk and context. And then it’s also integral to that self-assessment and or third-party assessment process, correct?

Correct, I couldn’t say it better myself.

Okay, well, I tell you what, why don’t you ask me the next question and I’ll answer it? Kidding, kidding. I know there are some answers that I could answer myself, but there’s a lot I couldn’t. So let’s get into, and just to kind of also frame this, HITRUST is another, I’m going to call it both a security framework and an attestation framework, right? Correct. I mean, the focus of it is,

Yeah.

John Verry (07:21.59)
like ISO or SOC 2 is for organizations to be able to demonstrate the maturity of their cybersecurity program to a third party.

Exactly. And there are some key differences which we can talk about in a bit because it’s not a one size fits all, whereas like the PCI DSS, assuming you’re not a merchant with an SAQ, there’s a finite on the DSS, whereas how you implement a SOC 2 might be different than another organization. So it does bring some continuity and structure to that. But yes, it is the base framework which all assessments are performed.

And there’s some options, you know, with the E1, I1, R2, which I’m sure we’ll talk about.

I was just going to ask you, so go right there. You have those three basic levels now. It used to be what, it was just an assessment, or a self-assessment and validated, and then they moved to this three-tier model. Can you explain the three-tier model?

So in 2023 with the launch of version 11, they made some different offerings because in prior years, HITRUST had the, you know, it was known to be very difficult with what is now the R2, which was the only assessment prior to version, or 2023. And the E1 assessment, which is really essential,

Chris Shaffer (08:44.59)
you know, cybersecurity hygiene. It’s only 44 requirements, but it hits on all the major points that most organizations who deal with sensitive information, whether that’s healthcare information or client information, should be doing. And it’s a good starting point. We’ve seen a large ramp up in organizations that want to be HITRUST certified start with that and then either continue with that or then move on to the next option, which would be the I1. And that’s really the, you know, it’s best practices over a broad range of threats.

Yeah.

The cool thing with that is it’s implementation only. So when we talk about the R2, which is the big one, it’s built upon the maturity, the PRISMA maturity model. So you have to have a policy for each requirement. You have to have a procedure that somebody could implement that policy with. And then you obviously have to implement that and operate it over a given period of time. With the I1, it’s just implementation. So one of those requirements might be your business continuity plan or information security management program, which is a policy and procedure,

but you’re not having to write unique policies and procedures for each of those 182 I1 requirements. So it’s a good stepping stone between the E1 and the I1. The I1 is kind of comparable to most SOC 2s. The end goal for a lot of organizations is the R2. And that R2, as I mentioned, is built upon the PRISMA model. So you have to have a policy, you have to have a procedure, and you have to have implementation. Those are the minimum required for certification.

Then there’s also, how do you measure your effectiveness of actually implementing that as an organization? So your monitoring controls to make sure that those things are actually happening. And then how do you manage any exceptions to make sure that you improve the process overall? The latter two are less common. A lot of organizations have measured and managed in certain areas, but certainly not across every requirement as they’d be spending a lot of time measuring and monitoring rather than implementing for a lot of organizations.

Chris Shaffer (10:48.622)
The difference with the E1 versus the I1 and R2 is that the E1 is an annual assessment. It has to be done every year. Whereas with the I1, recently, I think it was late last year, they implemented what’s called a rapid reassessment or rapid recertification. And this is where the assessor will come back in. We won’t look at all of the 182 requirements. But by default, the MyCSF tool, which we talked about, will auto-select

basically one third of the requirements and any of the items that might have had a corrective action plan tied to them. And we measure and do it similar to a surveillance audit in the ISO world. And assuming there’s no degradation in the maturity of the requirements, I think the maximum is two. That’s all you have to do. So it’s a much easier assessment that second year versus a full 182 requirements. The R2 is even

could be even easier. Within the tool, again, MyCSF, it’ll select one from each of the protection domains, and we’ll talk about, we could talk about the CSF and how it’s organized through control objectives and references and the different implementation levels. But the interim assessment, you choose one from each of the 19, and that’s what’s presented to the user to be reassessed. And then any corrective action plans and progress towards meeting those.

would also be included as well.

And then every third year, you know, after three years you’re coming back and you’re doing the full. Full assessment. Full assessment. Mirrors a lot of the other frameworks like ISO 27001 as an example.

Chris Shaffer (12:32.334)
And by that time, there’s usually been a couple changes, you know, since the CSF is updated annually. When you go through major revisions, there’s a big one. I’ve done a lot of, you know, version nine to version 11, you know, gap analysis and readiness assessments to make sure that organizations are prepared. Version 11 is a lot more streamlined. And it’s also nice that now each of those requirements, whether it’s the E1, the I1, or the R2, the requirements are nested. So if you start with the 44 with the E1,

Those 44 are going to be included inside the I1 and those 182 from the I1 are also going to be included within an R2 assessment. The R2 assessments range from, with most factors that you would select within the MyCSF tool, high 200s, you know, for a level one or a smaller risk organization, all the way up to, you know, 600 or even more, depending on regulatory factors. And that’s also something to talk about with the R2,

because it’s risk-based. The letter R stands for risk and two stands for two year. The risk-based nature of that is the different system factors that an organization would select. And it’s usually around how much data they have or what would be relevant in terms of a breach into the risk to that organization. So if we’re looking at a typical database, the number of records that are held, less than 10 million.

would usually be a level one, 10 to 60 million would be a level two, and then over 60 million would be a level three. You know, the level threes are HIPAA, high 500s. And then if you want to show compliance with any regulatory factors such as HIPAA or PCI DSS, really, there’s probably, I don’t know the exact number, but there’s well over 30 different regulatory factors you could include within that, which may add more requirements

to the assessment.

John Verry (14:34.306)
Yeah, it’s interesting. So it sort of becomes a bit of a framework of frameworks.

Correct, correct. And within the MyCSF tool, you can see how each of those requirements is then mapped back to a relevant authoritative source. So if you’re bringing in your program and you’re subject to CMS or GDPR or Massachusetts data protection, you can see how all those requirements are mapped back and then you can get insights reports for a lot of those as well to show your compliance with those.

Yeah, gotcha. And it’s always interesting to me how the different frameworks organize these groups of requirements into different domains. How does HITRUST do that?

Yeah, so the CSF starts with, you know, control objectives. There’s objectives, references, and then the requirement statements based upon the implementation level. So it’s a little confusing and we don’t have to go through all of that, but overall they take those requirements and they put them into 19 domains. You know, a domain might be endpoint security. It could be risk management, vulnerability management, business continuity. Each of those 19 domains will have a subset of requirement statements. Each of those domains also needs to hit a maturity or a scoring that would allow it to have certification. And that’s important because a lot of frameworks, let’s say PCI DSS, it’s either in place or it’s not in place. With HITRUST, you don’t have to be perfect. You just have to hit the minimum requirement for

Chris Shaffer (16:17.006)
for each of those domains to result in certification. Or if you’re doing an internal assessment, you could choose where to focus your remediation efforts or improvement on. So it’s useful in that regard since you don’t have to be 100% out of the gate. And I would say the majority of our assessments we do at least have a handful of individual requirements that may not hit 100% maturity.

And then maturity could be implementing a control consistently across the organization. Let’s say that one of the requirements is you have encryption on your laptops. Well, if you have some that don’t, but the majority do, you might score, say, 75% on the implementation. That’s not going to completely cause that domain that it’s tied to to fail, which is nice. With the E1, there’s fewer requirements, so the ability to average becomes a little bit, you know,

a little bit more difficult. Some of the domains only have one, so if it’s not in place, then that’s bigger. Whereas you look at, access control, which has a minimum of 10 in the E1. Well, that might be a little bit, you know, an opportunity for improvement that you could correct on an ongoing basis versus putting the entire assessment itself at risk.

Yeah, we actually have a client that’s going through E1 right now. And that’s exactly the problem that they’re having, is that it was one of the domains that only had two controls. And they had a small blip in the monitoring of certain systems. But it’s enough to kind of put them in a difficult spot to be able to pass, because the lack of that one control goes on the problem. So the Lord giveth and the Lord taketh away.

The biggest one I see is when organizations don’t have wireless, right? So that’s, I think it’s domain five. So all of domain five is usually not applicable except for that control for monitoring for unauthorized access points. So the requirement might be to monitor for, I mean, document all approved wireless access points. But there’s also a part on the tail end of that requirement that says, and then monitor for unauthorized.

Chris Shaffer (18:29.048)
A lot of people that do their own readiness assessments and they come to us and say, yep, we’re ready and this is not applicable, you know, we…

We point at that one and then it kind of derails the efforts because one of the concepts of HITRUST is implementation maturity in terms of the time. And for anything to be implemented before the assessor can review it, it has to be 90 days. So they can’t make a change during the assessment. As we’re going through it, we note the gap, they fix it during the assessment. And then we can’t score that because it has to have been in place for at least 90 days,

60 for policy and procedure on an R2. So that’s why readiness assessments are extremely valuable to make sure that the organization is set up for success and that they’re not going to get those gotchas with the maturity scoring when it comes down to the higher risk domains.

Yeah, that’s it. So now you’re sort of delving into the next topic I want to chat about, which is like pros and cons of the different frameworks, right? You’re somebody who’s sitting there and you have choices of, I can go get certified to one of these frameworks, which is the right one for me, which gets interesting. One of those things is the way you just said, is that some frameworks are a little bit more forgiving. It’s kind of the nature of the framework. Like ISO in that particular case, you’d have a nonconformity that you could correct.

You’d be OK. In HITRUST, they don’t give you that latitude. SOC 2 is kind of somewhere in between. SOC 2, OK, you don’t have to have it, but there is an exception noted in your report. So again, interesting differences between them. So talk a little bit about that, right? So what’s your thought process? Because you guys in legacy Marcum RAS, now CBIZ, you do SOC 2, you do ISO 27001, you do HITRUST, you do PCI, you do

John Verry (20:22.976)
ISO 27701, you do a lot of frameworks. Like how do you view the different frameworks and sort of the pros and cons, and how would you guide somebody who’s kind of looking at the three of them going, hey, which one should I do?

This one will surely light up the comments. Each one has its benefit, right? We’re a CPA firm at heart, so the SOC 2, it’s got a defined period if we’re doing a type 2 examination, so you get that level of assurance for that given period, say typically a year. But not all SOC 2s are equal, and SOC 2s differ within the firm, or in the controls presented by the service organization, or even between firms and the quality that goes into those.

God, yes.

Chris Shaffer (21:05.728)
I like SOC 2s for the flexibility, however, consistency is tough there. We’re an ISO certification body as well. We undergo office visits each year and witness audits by our accreditation body to make sure that we’re doing our quality management, standards are being performed. PCI, there’s a process that we go through with the…

PCI Council to make sure that, you know, they look at some of our reports on compliance and measure that. HITRUST is unique because every single assessment that we perform or validate goes to HITRUST for the certification decision. And they do their own QA. And they look and they place a really high focus on quality and consistency. I think it was mid last year, they were, you know, they launched or released their assessor handbook to make sure that every

you know, third party assessor organization was operating by the same rules and had clear guidance on how to do it. And that’s been fantastic. So that we’re able to make sure that we can compete on a level playing field, you know, with ISO as well. You know, there’s different organizations and the sampling methodology could be different there and the amount of work and quality there. So it’s, it’s, and with the ISO, you know, it’s

you almost have to request the statement of applicability. Otherwise, you don’t really know what controls were marked in place or not in place. The certificate itself just doesn’t provide that level of assurance. But it has this, you know, all of them have their benefits and their needs. And, you know, one of the things that HITRUST is working towards later on is reciprocity. So we could talk about that, you know, maybe in the future where they’re going. But…

I think the unique difference is that they are the certification body and every assessment goes through them. However, each of them, like I mentioned, that 90 day window, the assessor doesn’t have to look back the entire year. So if an organization wants assurance for that given period of time, well then the SOC might be a better fit. Same goes for ISO and PCI as well. So each of them have their benefits. It’s confusing to say the least.

Chris Shaffer (23:24.794)
And it really comes down to this. What I advise clients on is to speak to your clients, ask them what would provide the assurance that they need. A lot of times they’re unfortunately checking the box and saying, hey, you need an ISO certificate or you need a PCI report on compliance or you have to have a HITRUST certification. And even now, those vendor agreements that come into place, those take years to go through legal.

It says HITRUST certification. And well, I tell them about the E1 or the I1 and they’re like, well, I don’t know. I want to do the R2. I’m like, well, it says HITRUST certification. Obviously, you’re going to want to ask for permission rather than forgiveness. But the E1 is HITRUST certification and the I1 is as well. Now you want to be careful with that. But as long as you’re showing improvement, most clients that you’re working with, they just want to see the organization that they’re working with

improve on a consistent basis, and you know the HITRUST CSF allows and affords those opportunities.

Yeah, it is. There’s a couple of things which are interesting to me about HITRUST. First, the move away from being, you know, it used to be the Health Care Information Alliance, whatever it was. But it was very health care centric. So I thought that was interesting. They moved away from that. You know, I think it makes sense. They were, hey, they were developing. They were having a hard time really gaining a super amount of traction. It was the five major health care companies, you know, the United

CSEs and Anthems were really known as really pushing hard for it. And they had built a program that didn’t necessarily have to apply just to healthcare. So almost self-restrictive. So it’s an interesting thing that they moved in that direction. You know, in a weird way I’m wrestling with it as well now that we’re seeing more and more HITRUST out there. It feels a little bit like, especially if you go R2, it feels like a combination of ISO and SOC, right?

John Verry (25:27.726)
Because you’ve got, like what I like about ISO personally, I’m an ISO fan, is ISO I believe has some superiority because it’s got that management system component, really. It also, that lends some benefit because the audits can be focused on the management system and not the controls, which allows them to quote unquote provide a similar or better value at a lower cost point. Then you had SOC 2, which doesn’t have the management system.

Okay, so you have to beat the hell out of the controls, right? So now you got a $45,000 audit instead of a, you know, $20,000 audit every year. And now you look at high hitrust and it seems to be like, well, now we have the management system component. We’ve got the beat the hell out of the controls like we do in a SOC 2. And we have the cost that is probably comparable to doing both of them at the same time, right? It’s an expensive attestation. But I think you could argue that

because of how prescriptive it is to an extent and how diligent it is, that it’s a pretty damn… If you are R2 certified, you have to have a damn good cybersecurity program, a better cybersecurity program than it would take to be SOC 2 attested with no exceptions noted or an ISO 27001 certified program.

100%, and you know, HITRUST was originally built upon ISO and it aimed to bring the consistency with the implementation, with the prescriptiveness, with those requirements on a risk-based model. So I 100% agree, and you know, a lot of my guys when we go through and do these, if they’ve never worked on a HITRUST assessment, you know, they’re floored about the level of detail and all the elements that need to be tested.

But it really brings consistency and I think it brings adoption within the industry. And for a long time it was very difficult. The only path was what is now known as the R2. And with the E1 and I1 it’s made it a little bit more attainable. And the adoption has certainly grown. And I still see people staying with the E1 even though it’s only been out for about two years at this point. I think I was told I was the

Chris Shaffer (27:50.382)
first one to submit an E1 for certification in March, April of 2023. But we’ve seen people continue, move up to the I1, people that start with the I1 and do an R2 readiness and then say, oh, we can’t do this. This is a 2026 or ’27 initiative now. Because it is very detailed and it is very difficult. And they’re making the R2 the gold standard. And especially for large organizations who might have a lot of data or risk

to their program and some of those requirements are very detailed and it can be very time consuming.

And from that perspective, I think it was interesting, and I think that’s one of the reasons we’re seeing more of it right now, is we have this entry-level pathway in. And I think in a weird way, too, if you look at ISO or SOC 2, the E1 is a little bit easier, because like you said, it’s 44 controls. Now, you do hold people’s feet to the fire a bit for the 44 controls, but it is kind of a nice entry-level way of saying, hey, I have something.

Right. I have some level of certification. What are you seeing? Are you seeing like, you know, I mean, it used to just be, you know, full. What are you seeing in distribution of people coming in? Are you seeing like the people that were R2 originally were part of HITRUST or just staying up there in that R2 world? Are people coming in usually at the E1 or I1 level? Do you see people still coming in R2? Is it based on what they’re being asked for by their clients? What are you seeing?

Yes, I don’t know if I actually completed my thought there on the previous question, but the vendor agreements would say just HITRUST certification, and they’re asking for that, right? A lot of organizations have started with the E1 or the I1. And I would say well over 50% of the new clients we’ve started working with in the last couple of years have gone that route. I’ve had some previous, not as many, R2 clients that have reverted to an I1

Chris Shaffer (29:56.718)
because the clients, they asked, they had the conversation with their clients, their clients have accepted that. They were relatively low risk, but they were told they had to have HITRUST certification and the cost of operating an R2 compliant information management program just wasn’t there for the value of the client that was requesting it. But by and large, well over half, if not maybe even up to 65, 70% of the

new clients are starting with the E1 and I1 path because it’s more attainable. And since it’s nested, everything they do on those E1 with those 44 requirements or 182 for the I1, they’re reusable. So they just, as they have time, budgets are pretty strained nowadays and clients are looking to meet their customers’ needs with changing staff and resources. So it’s made it a lot more.

It’s easier to maintain on an ongoing basis and certainly for the adoption for the first time.

Yeah, so obviously there’s a cost to implement. There’s a cost to certify. And there’s a cost to maintain. And if you start with that lower end of the scale, all three of those are going to be lower, because there’s an impact on effectiveness and efficiency of operation to run additional control, basically.

Yep. Yep. I have a client that has, for part of their business units, they have a current R2 they’ve been doing for, I think this is probably their second, maybe even third certification. So another firm does that, but we do their SOC reports. So now we’re going to be doing, you know, many more of their products for another client that’s requested it. And they’re in conversations with that client. Hey, can we start with the I1 for this? Because this is going to be a level three and they

Chris Shaffer (31:46.648)
think originally they needed it by March of ’26, and we had some very frank conversations like, I don’t think that this is attainable, but let’s start the path to getting you there from a readiness perspective, as well as having you have the conversation with internal business, as well as with the clients, and setting a path for success to make this achievable. Otherwise, it’s going to be a tremendous amount of work.

Yeah, we’re having an interesting conversation with one of our clients right now: they were ISO 27001 and SOC 2. Now they’re being asked for HITRUST. Now they’re going E1. But yeah, they’re asking me, and I’m like, look, guys, it doesn’t make any sense to maintain all three of these. Right? I mean, we’ve got to go back to clients. I know you have three different client contracts, and this one says ISO, this one says SOC, this one says HITRUST. But at some point we’ve got to go back and sit down with somebody and say, right? This doesn’t make sense.

We have three certifications that are telling you the same thing. Let’s pick the high-water mark or pick, in their particular case, I’m thinking personally, keep the ISO and keep the HITRUST. Because I think SOC 2 is closer to HITRUST in the extent and rigor of the controls. And I think ISO has some benefits from an extensibility perspective when dealing with private information. So ISO 27701 is a nice bolt-on.

And then they also do a lot of AI work, so 42001. So if we kind of stack that over here and we say, from a management system, since we’ve got all of this covered, and then from a HITRUST perspective, we’ve got that deep extent, rigor, and validation that things are operating the way they are intended, that seems like a pretty damn good combination to be able to hand somebody. If at that point somebody wants more, I don’t know if it’s worth it. You know what I mean?

Yeah, you can write a SOC report from it, depending on how the HITRUST assessment was completed, and we complete all of our assessments in the manner, with the timing, that we could write a Type 2 report from it. Yes. So taking the testing and the requirements and wrapping that into a SOC 2, maybe not even a SOC 2 Plus. But that’s usually, you know, for those clients that

John Verry (33:57.278)
Low cost option.

It’s gonna be a fraction of.

That’s a pretty cool approach.

Yeah, and HITRUST has their new AI they launched last fall, which really draws on NIST and ISO, correct me if I’m wrong, the ISO, I think it’s 23862.

Yeah, it’s a weird number. That’s the one that supports 42001. Exactly. I think it’s 23… 889?

Chris Shaffer (34:27.982)
I don’t remember. Well, you can layer that in to any HITRUST assessment and get that report separately. So let’s say that you do that. And for some reason, you know, whatever AI, and it’s for service providers, not necessarily for, you know, for usage. But it doesn’t affect the certification itself, the base certification, which is useful. So I’m interested to see how HITRUST’s AI security assessments align with 42001, as I know we’re also looking to become accredited for 42001 as well.

And roughly, in kind of a ballpark, right, ranges, right, like E1 audits range between X and Y, you know, wide ranges are fine, versus I1 versus R2, just to give people who are listening at least some semblance of an understanding.

Yeah, I would say E1 assessments are in the, for most organizations, scope obviously matters and they could have a hundred locations and huge systems, but let’s say E1 is in the $10,000 to $20,000 range. It’s 44 requirements. Certainly if they’ve gone through this before, it should be rather easy to get through that assessment. They give you 90 days to complete every assessment within, by HITRUST assessment guidelines, but

most E1s should be completed within a few weeks. I1s, I’d say in the $30,000 to $50,000 range. I mean, there’s 182 requirements there. If it’s the organization’s first time, it might take a little time for them to understand how to provide the evidence and what’s going to be requested. And R2s, I would say those probably start in the $60,000 range all the way up to the

Chris Shaffer (36:15.692)
low six figures depending on scope and risk factors or implementation level required.

Yeah, so you can see that there’s quite a wide range, and there’s a lot of benefit. That’s interesting. Cool. So you sort of alluded a little bit, where does HITRUST go from here? You said it’s going to be interesting to see what they do from an AI perspective. What else are you thinking about, like, where HITRUST is going?

So that challenge that you posed about having to do three different reports, right? In the old days, I think I had one client, and I say that now but it’s probably been six, seven years ago. We had a client that did HITRUST, PCI, SOC, and then they were exploring ISO, and I don’t think we were a certification body at that time, but if we were, we would have done it as well. And that’s a lot to manage,

both from an assessment standpoint, because we’re pretty good at combining, you know, provide once, report many, but the logistics and aligning periods, and how quality management standards and how assessments need to be completed to reuse that testing and that evidence, can be very challenging and expensive to the clients. I mean, if the HITRUST assessment is on a different period than their SOC 2, they’re essentially going through, you know, two audits a year.

That’s challenging from an internal resource perspective. It’s costly from an external assessment cost. So they’re really working on reciprocity. I know that they’ve got StateRAMP. I know they’re working with some other regulatory bodies to get the HITRUST CSF and validated reports, whether that’s most likely going to be R2, to be accepted in lieu of another type of assessment. Their success on that, we’ll see,

Chris Shaffer (38:03.502)
but I know that that’s a key focus with some of the working groups within the HITRUST Assessor Council, which I’m part of. So that would be very valuable if you could say, here you go, you guys should accept this. But it really comes down to educating their clients. And unfortunately, the third-party risk management person on the other end, they might just be checking a box that says this vendor has this report and they’re good to go, rather than really looking at the risk and the value, whether it was a

SOC report or ISO or PCI DSS or, you know, HITRUST certification. So that’s going to take some education, but I think we’re going to get there, because people are going to start pushing back. And, you know, I think HITRUST is in a pretty good place with the consistency across the industry, being the certification body. ISO as well. Each one of them has their benefits. I know what the target market they’re selling into is and what.

But somebody’s got to do something because it’s a whole lot for every organization, especially smaller ones.

Yeah, well, yeah, and we hadn’t touched on this prior, right? But you just started to touch on StateRAMP, which touches on FedRAMP. And then you’ve got, of course, CMMC. So now, like, we have another problem, right, that the government, the US government, has a different set of standards than business, you know, the commercial side of the house does, right? So that would be an interesting approach, because, I mean, I think that,

you know, CMMC is a, you know, the NIST 800-171 guidance is a pretty solid set of guidance, right? It’s a fairly robust program. A little too focused on confidentiality, because it was a derivation of some of the 800-53 stuff specific to confidentiality. But it’s still a pretty damn good little program. And you could argue that if you’ve got a CMMC and now you have a, and you’re handing that to your defense industrial base clients.

John Verry (39:54.75)
And now somebody on the other side says, I want ISO 27001. And we have a lot of clients that have full. Like, it’d kind of be nice if you could say, well, isn’t my CMMC good enough? Right now what you’re saying is the same thing. Like, hey, now you want StateRAMP or you want FedRAMP and you want CMMC. But I’ve already got it, HITRUST. You know, it’s the same damn controls just framed a little bit different. Isn’t there a way that we could get to a point of reciprocity? Somebody is going to win the reciprocity battle. And when they do,

Everyone’s life’s gonna be easier and somebody’s gonna, there’s gonna be some big winners and some big losers.

I agree. And HITRUST, with using all those different authoritative sources and mapping them in, they’re kind of well poised to show the value, because the requirement, you know, the implementation guidance or the illustrative procedures, are largely pulled from 800-53. You know, the program as a whole is, you know, kind of around ISO. I know that with the R2 assessments, assuming you meet the maturity, you get a NIST CSF, you know, HITRUST certification for that as well, a letter showing that.

But I think CMMC would probably be the biggest opportunity for them to make inroads into, because once that finally gets launched and people start requiring it and going through those, I think that’s going to be the biggest win. The market is there, where every government subcontractor, and then those service providers that they use, are going to have to be

required to have that. We’ll see, but they’ve got to do something, because having clients pay for four different assessments makes no sense. It just doesn’t make any sense when they’re all kind of saying the same thing, maybe in a different manner.

John Verry (41:38.09)
I agree. And CMMC, you know, the opportunity there is huge just when you think about the DIB. And if you look at the, you know, the CUI registry, right, at NARA, like, the DIB data is one-nineteenth or one-twentieth of that, right? Like, so every other agency that, you know, ultimately, especially with the way the lawmaking takes place, it’s likely that they’re going to look at this and go, well, like, well, we’re giving other people CUI.

Why should our CUI get less money? Let’s ask them for 800-171, CMMC. So I mean, you could be at a point where five or 10 years from now, virtually anyone that’s doing business with the government exchanging student information, intellectual property, stuff around court, stuff around student information, all that information, FERPA-type stuff, all gets covered by CMMC. And at that point, now everyone’s got that and everyone has something to deal with their commercial clients.

It’s kind of a win-lose situation, right?

Yeah, it should be interesting to see how that plays out. And I know that we’re on the, that’s on our roadmap to join. And I think we are starting the FedRAMP third-party assessor process. I think we just submitted that. So we’re looking to have that hopefully next year. See you shortly after.

All right. Well, yeah, it’s going to be a fascinating next five to 10 years on your side of the equation, on the attest side. Of course, that forces what we do on our side, which is getting people ready for attest. Yeah, it’s going to be a fascinating five-year period. I think we beat this up pretty good. Did we miss anything?

Chris Shaffer (43:15.586)
I don’t think so. I don’t think so. We can speak for hours on the details there. I’ve been doing this for a while. But from a high level, you know, I think HITRUST is great because it builds consistency. It’s now scalable from the smaller organizations to the larger ones, where previously it wasn’t. So that’s been great for adoption and, you know, building the brand and making sure that clients and the vendors

are able to achieve this and meet those contractual obligations, from sales enablement and the ongoing risk management process as well.

Yeah, I think the secret, if you’re HITRUST or you’re somebody who’s an advocate of HITRUST, is going to be, does it become like, if you look at most third-party risk management programs, they usually say something like, are you ISO certified, SOC 2 attested, or equivalent. If they got HITRUST added to that statement, I think it would give them a little more juice. You know what I mean?

Because right now, people go to the, I think the vast majority of people who get any one of these types of certifications get it because someone tells them they have to.

Of course, of course. Or they feel that they need to be competitive in the marketplace. Yeah. I think UnitedHealth Group in 2016 had a clause in their standard agreement that said SOC 2 with, you know, a current HITRUST self-assessment within 90 days, a validated assessment after, I think it was, 18 months, and then certification in 24. So we’ll see how that goes. But reciprocity is going to be key, making it attainable

John Verry (44:31.511)
Right. Right.

Chris Shaffer (44:55.404)
so that organizations are able to compete on a level playing field so they don’t have to go through all of these assessments, especially for the smaller ones. It’s very burdensome.

Yep. If someone wants to get in contact with you, what’s the easiest way to do that?

Yeah, so you can send me, let’s see, LinkedIn. We can post this after the fact here. But it’s linkedin.com forward slash cp, Shaffer, S-H-A-F-F-E-R, one, the number one. And either that or christopher.shaffer, S-H-A-F-F-E-R, at cbiz.com.

Sounds good, man. I appreciate you coming on.

Thanks, John. Bye bye.