Control Reference scores are averaged to determine Domain scores.
Correct Answer: A
Scoring in HITRUST follows a roll-up model. Requirement Statements are scored at the most granular level. These scores are then averaged to determine the score of the Control Reference. Once all Control References within a domain are scored, their averages are rolled up to calculate the Domain Score. Domain scores are critical because HITRUST requires each domain in an r2 assessment to score at least 71 to qualify for certification. This hierarchical scoring ensures that weaknesses in individual controls impact the higher-level domain score, maintaining balance across domains. Without averaging, entities could potentially offset poor control performance in one area with excellence in another, which would distort the overall risk picture.
References: HITRUST CSF Scoring Rubric - "Roll-Up of Scores"; CCSFP Practitioner Guide - "From Requirement Statements to Domain Scores."