On an r2 assessment, when considering the CAP vs. gap decision, will CAPs be required if a Control Reference has an aggregate raw score of 72.5 across Requirement Statements with gaps?
Correct Answer: B
HITRUST applies the CAP requirement at theControl Reference level. A CAP is required when the Control Reference score falls at70 or belowand Implementation maturity is not at 100%. In this case, the aggregate score is72.5, which is above the certification threshold of 71. Even though there are gaps within individual requirement statements, the Control Reference as a whole is performing above the threshold, meaning a CAP is not mandatory. However, the gaps must still be documented, and remediation may be encouraged, but they will not block certification. This policy ensures that CAPs are only required where deficiencies present material risk to certification.
References:HITRUST Scoring Rubric - "CAP Trigger Conditions"; CCSFP Practitioner Guide - "Gap vs.
CAP Decisions."