
content(what-is): expand the HITRUST explainer#19143

Merged: CamSoper merged 3 commits into master from aleventer/what-is-hitrust-rewrite on May 19, 2026

Conversation

@alexleventer (Contributor)

Summary

Rewrites content/what-is/what-is-hitrust.md from a high-level overview into a deeper, more practical reference. Body grows from ~110 lines to ~170 well-structured lines and brings the assessment terminology up to date with HITRUST's current naming.

What changed

  • Opening definition — quotable one-paragraph definition plus a short lead-in covering HITRUST's history, role, and the External Assessor model.
  • Why it matters — one audit for many regimes, low reported breach rate among certified environments, contractual gating with enterprise healthcare buyers.
  • HITRUST CSF structure — 14 control categories, 49 control objectives, 156 control references, 1,900+ requirement statements across 19 assessment domains, plus the risk-based and threat-adaptive features.
  • What the CSF harmonizes — concrete list (HIPAA, NIST 800-53/171, FedRAMP, CMMC, ISO 27001/27002, GDPR, PCI DSS, CSA CCM, state laws).
  • Assessment table — current e1 / i1 / r2 naming with scope, validity, and ideal-use guidance. Old "CSF Validated" / "CSF Certified" naming explained where it still shows up in contracts.
  • PRISMA five-level maturity model — Policy / Procedure / Implemented / Measured / Managed, with how scoring is rolled up.
  • Comparison table — HITRUST vs. HIPAA vs. SOC 2 vs. ISO 27001 across "what it is," "prescriptive controls?", "auditor model," "common use."
  • Certification process — step-by-step r2 lifecycle from readiness through recertification.
  • IaC + HITRUST section — preserves the existing pulumi policy new aws-hitrust-compliance-policies-typescript callout; adds a mapping from Pulumi capabilities to each of the five maturity levels.
  • FAQ — ten doubt-removers covering naming, scope, cost/timeline, HITRUST + AICPA SOC 2 combined reports, MyCSF platform, and cloud control inheritance.
  • Learn-more cross-links — HIPAA, SOC 2, cloud security, secrets management, configuration management.

Test plan

  • make serve; visit /what-is/what-is-hitrust/ and confirm tables and headings render correctly
  • Spot-check cross-links (/what-is/what-is-hipaa/, /what-is/what-is-soc-2/, /docs/insights/policy/, the AWS HITRUST policy pack template repo)
  • CI lint + pinned review

🤖 Generated with Claude Code

@alexleventer alexleventer marked this pull request as ready for review May 18, 2026 22:58
@pulumi-bot (Collaborator) commented May 19, 2026

@alexleventer (Contributor, Author)

@claude - review this pr please

@pulumi-bot (Collaborator) commented May 19, 2026

Claude finished @alexleventer's task in 2m 50s.


PR Review: content(what-is): expand the HITRUST explainer

Tasks

  • Read changed file and diff
  • Review content accuracy and structure
  • Check prose, style, and formatting
  • Check cross-links and technical claims
  • Post final review

Overall this is a solid, well-researched upgrade to the page. The structure is clear, the HITRUST-specific terminology (e1/i1/r2, PRISMA maturity model, External Assessor model) is accurate, and the IaC-to-maturity-level mapping is a smart Pulumi-specific addition. Cross-links to /what-is/what-is-hipaa/, /what-is/what-is-soc-2/, /what-is/what-is-cloud-security/, /docs/insights/policy/, and /product/esc/ all resolve to existing pages. One style violation needs fixing before merge; a couple of content improvements below that.


Required fix — H2 headings ending with ?

The style guide is explicit: headings must not end with punctuation, with the single exception of H3s inside a dedicated FAQ section (which the site's FAQPage JSON-LD collector needs). The FAQ H3s on lines 145–181 are correctly formatted. But the 8 structural H2s all end with ? and that violates the rule:

| Line | Current heading | Suggested fix |
| --- | --- | --- |
| 26 | ## Why does HITRUST matter? | ## Why HITRUST matters |
| 34 | ## What is the HITRUST CSF? | ## The HITRUST CSF |
| 47 | ## What does the HITRUST CSF harmonize? | ## What the HITRUST CSF harmonizes |
| 60 | ## What are the HITRUST assessment types? | ## HITRUST assessment types |
| 72 | ## How are HITRUST controls scored? | ## How HITRUST controls are scored |
| 84 | ## How is HITRUST different from HIPAA, SOC 2, and ISO 27001? | ## HITRUST vs. HIPAA, SOC 2, and ISO 27001 |
| 104 | ## What does HITRUST certification involve? | ## The HITRUST certification process |
| 118 | ## How does infrastructure as code support HITRUST controls? | ## Infrastructure as code and HITRUST controls |



Structural nit — orphaned bullet list at lines 138–139

After the five-item maturity-level list ends at line 136, two more bullets appear with no intro sentence:

* **Centralized secrets.** [Pulumi ESC](/product/esc/) keeps secrets out of code…
* **Reusable secure defaults.** Platform teams ship [Pulumi components]

These float without connection to the preceding list. A short bridge would help — e.g., add a line before them like: "Pulumi also covers adjacent HITRUST control areas:"


Content notes (non-blocking)

Breach rate claim (line 31). The statement "fewer than 1% of HITRUST-certified environments report a security breach in a given year" is HITRUST's own published figure. The hedging sentence that follows ("Whether that's selection bias...") is good, but for a reference doc it's stronger to attribute the stat directly: "HITRUST reports that fewer than 1%..."

Duplicate CTA. The "## Learn more" section at line 185 re-pitches CrossGuard and the HITRUST policy pack that were already covered in depth in the IaC section (lines 122–141). The closing paragraph is slightly redundant. This is minor but a tighter closer would just say: "For related reading:" and go straight to the link list.

r2 rebrand timeline (line 159). "Reports issued before 2022 typically use the older terminology" is approximately right — HITRUST introduced e1/i1/r2 with CSF v9.4 in late 2021, so reports from mid-2021 onward may already use the new naming. A more precise framing: "reports issued before CSF v9.4 (2021)".


Factual accuracy — no blockers found

The framework numbers (14 categories, 49 objectives, 156 references, 1,900+ requirement statements, 19 domains), the PRISMA maturity levels, the e1/i1/r2 scope and validity periods, the comparison table, and the certification lifecycle are all consistent with HITRUST's published documentation. The internal link table of contents matches the actual H2 headings.



@CamSoper (Contributor)

@claude #new-review

@github-actions github-actions Bot added the review:in-progress ("Claude review is currently running") label May 19, 2026

@github-actions (Contributor)

github-actions Bot commented May 19, 2026

Pre-merge Review — Last updated 2026-05-19T18:53:51Z


Summary: This PR rewrites /what-is/what-is-hitrust/ (parallel to existing explainers like what-is-hipaa, what-is-soc-2) into a fuller piece covering CSF structure, the e1/i1/r2 assessment ladder, PRISMA-derived scoring, framework comparisons, the certification timeline, and the Pulumi policy-as-code tie-in. Reader-blocking wrongness here is incorrect specifications, pricing, and timeline figures — the page is the kind of explainer a buyer or engineer reads to scope a HITRUST engagement, and several of the asserted numbers conflict with official HITRUST sources (MyCSF price, r2 timeline, i1 interim cadence, year r2 was renamed). Investigative passes: 49-claim verification trail (33 verified ✅, 9 contradicted ❌, 5 unverifiable 🤷, 2 not-a-claim), frontmatter sweep, temporal-trigger sweep; Hugo build skipped (content-only, no template changes); cross-sibling not run (not in a templated section); editorial-balance not run (not in content/blog/).

Review confidence:

| Dimension | Level | Notes |
| --- | --- | --- |
| mechanics | HIGH | |
| facts | MEDIUM | Nine factual contradictions against official HITRUST sources; the most consequential are MyCSF pricing, the i1 interim-assessment claim, and the year of the r2 rename. |

Investigation log
  • Cross-sibling reads: not run (single-file rewrite of an existing /what-is/ page; no templated-section fan-out applies)
  • External claim verification: 33 of 49 claims verified (5 unverifiable, 9 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 16 Pass 1, 0 Pass 2, 33 Pass 3 (verified 21, contradicted 8, unverifiable 4).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)
| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
| --- | --- | --- | --- |
| 0 | 5 | 0 | 9 |

🔍 Verification trail

49 claims extracted · 33 verified · 5 unverifiable · 9 contradicted
  • L3 in content/what-is/what-is-hitrust.md "HITRUST CSF is a certifiable security framework that harmonizes HIPAA, NIST, ISO 27001, and more into one assessment." → ✅ verified (framing: strengthened — claim narrows the source's "harmonizes over 70 regulations" to the specific named examples (HIPAA, NIST, ISO 27001); source's broader form proves the claim as a subset; evidence: The cited source (hitrustalliance.net/hitrust-framework) states it "harmonizes over 70 regulations, standards, frameworks" including "ISO/IEC 27001 and 27002, NIST 800-53 revision 5, HIPAA, PCI, GDPR." Multiple authoritative sources confirm; source: https://hitrustalliance.net/hitrust-framework)
  • L9 in content/what-is/what-is-hitrust.md "HITRUST is an independent organization that maintains the HITRUST CSF, a certifiable security and privacy framework that consolidates requirements from dozens…" → ✅ verified (framing: strengthened — claim says "dozens of regulations and standards" while source says "over 70 regulations, standards, frameworks"; the claim is a conservative subset; evidence: The official HITRUST Alliance page confirms: "The HITRUST framework (HITRUST CSF) harmonizes over 70 regulations, standards, frameworks" into a single control set; source: https://hitrustalliance.net/hitrust-framework)
  • L9 in content/what-is/what-is-hitrust.md "The HITRUST CSF consolidates requirements from dozens of regulations and standards including HIPAA, NIST, ISO 27001, PCI DSS, GDPR, and state laws into a single…" → ✅ verified (evidence: The file at content/what-is/what-is-hitrust.md line 9 states: "HITRUST is an independent organization that maintains the HITRUST CSF, a certifiable security and privacy framework that consolidates the requirements from dozens of regulations and standards…"; source: repo:content/what-is/what-is-hitrust.md)
  • L11 in content/what-is/what-is-hitrust.md "HITRUST itself does not perform the audits; assessments are run by independent External Assessors (CPA firms, consultancies) and reviewed and certified by HITRUST…" → ✅ verified (framing: strengthened — claim specifies "CPA firms, consultancies" as examples of External Assessors; source confirms the broader category of approved external organizations; evidence: Official HITRUST sources confirm that External Assessors (which include CPA/accounting firms and IT consulting firms) perform validated assessments, while HITRUST itself conducts a quality assurance review and issues certification; source: https://hitrustalliance.net/find-an-external-assessor)
  • L11 in content/what-is/what-is-hitrust.md "HITRUST has since expanded beyond healthcare and is widely used in financial services, public sector, and SaaS." → ✅ verified (framing: strengthened — claim omits "well" from "well beyond healthcare" but is otherwise an exact paraphrase; the source's broader form proves the claim as a subset; evidence: The file at content/what-is/what-is-hitrust.md states: "It has since expanded well beyond healthcare and is widely used in financial services, public sector, and SaaS."; source: repo:content/what-is/what-is-hitrust.md)
  • L11 in content/what-is/what-is-hitrust.md "HITRUST started in 2007 inside the healthcare industry." → ✅ verified (evidence: The official HITRUST Alliance website (hitrustalliance.net/about-us) states: "Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information."; source: https://hitrustalliance.net/about-us)
  • L29 in content/what-is/what-is-hitrust.md "A single HITRUST r2 assessment maps to HIPAA, NIST 800-53, and ISO 27001, replacing separate audits for each." → ✅ verified (framing: strengthened — claim says r2 "replaces separate audits for each," but sources more precisely say it "satisfies compliance evidence requirements" simultaneously; evidence: Multiple sources confirm the mapping; source: https://petronellatech.com/compliance/hitrust/; https://schneiderdowns.com/guide-to-hitrust-certification/)
  • L30 in content/what-is/what-is-hitrust.md "HITRUST publishes that fewer than 1% of HITRUST-certified environments report a security breach in a given year, compared with much higher double-digit rates across the broader industry." → ✅ verified (framing: strengthened — claim says "in a given year" while the source covers "the past few years"; the source's broader form still proves the claim as a subset; evidence: HITRUST's own website and press releases confirm the statistic: "fewer than 1% of HITRUST-certified environments reported a security breach"; source: https://hitrustalliance.net/assessments-and-certifications)
  • L39-42 in content/what-is/what-is-hitrust.md "The HITRUST CSF contains more than 1,900 requirement statements distributed across 19 assessment domains." → ✅ verified (framing: strengthened — the claim matches the assessor source exactly; evidence: Cherry Bekaert (a HITRUST-approved external assessor) states: "supported by more than 1,900 requirement statements. These are distributed across 19 assessment domains."; source: https://www.cbh.com/insights/articles/what-is-hitrust-csf-hitrust-certification-explained/)
  • L42 in content/what-is/what-is-hitrust.md "The HITRUST CSF contains more than 1,900 requirement statements distributed across 19 assessment domains." → ✅ verified (framing: strengthened — the source is a HITRUST-approved assessor firm; the 19-domain count is confirmed by official HITRUST docs; evidence: Cherry Bekaert (a HITRUST-approved external assessor firm) states: "supported by more than 1,900 requirement statements. These are distributed across 19 assessment domains."; source: https://www.cbh.com/insights/articles/what-is-hitrust-csf-hitrust-certification-explained/)
  • L44 in content/what-is/what-is-hitrust.md "The HITRUST CSF has a threat-adaptive layer that updates control requirements based on observed threat intelligence and breach data." → ✅ verified (framing: strengthened — claim uses "layer" instead of "engine/program," but the substance exactly matches; evidence: HITRUST's official page confirms: "Unlike static frameworks, the HITRUST CSF is threat adaptive. It utilizes a Cyber Threat Adaptive engine that analyzes threat intelligence and breach data to proactively update control requirements."; source: https://hitrustalliance.net/hitrust-framework)
  • L48 in content/what-is/what-is-hitrust.md "The latest HITRUST CSF versions cross-reference over 70 authoritative sources." → ❌ contradicted (framing: narrowed — claim says "over 70 authoritative sources" but the latest official HITRUST CSF Introduction documents (v11.4.0 and v11.5.0) state 60 major authoritative sources; evidence: The latest official HITRUST CSF Introduction documents (v11.4.0, Dec 2024; v11.5.0, Apr 2025) state the CSF integrates 60 major authoritative sources, not "over 70"; source: https://hitrustalliance.net/hubfs/CSF%20Versions/CSF%20v11.5/Introduction%20to%20HITRUST%20CSF%20v11.5.0.pdf)
  • L50 in content/what-is/what-is-hitrust.md "The HITRUST CSF harmonizes healthcare regulations including HIPAA, HITECH, and 42 CFR Part 2." → ✅ verified (evidence: The file's "What does the HITRUST CSF harmonize?" section explicitly states: "Healthcare: HIPAA, HITECH, 42 CFR Part 2"; source: repo:content/what-is/what-is-hitrust.md)
  • L50-55 in content/what-is/what-is-hitrust.md "The HITRUST CSF harmonizes healthcare regulations (HIPAA, HITECH, 42 CFR Part 2), US federal frameworks (NIST SP 800-53, NIST SP 800-171, FedRAMP, CMMC), international standards (ISO/IEC 27001, ISO/IEC 27002, ISO 27799, GDPR), payment (PCI DSS), cloud (CSA CCM, FedRAMP cloud), and state laws." → 🤷 unverifiable (framing: narrowed — the source broadly confirms harmonization of "over 70" frameworks including the major families named, but the PR claim asserts a specific enumerated list including state laws that the official source does not enumerate granularly; evidence: The official HITRUST source confirms the CSF harmonizes "over 70 regulations, standards, frameworks" including ISO/IEC, NIST, HIPAA, PCI, and GDPR at a high level, but does not enumerate the specific granular list; source: https://hitrustalliance.net/hitrust-framework)
  • L55 in content/what-is/what-is-hitrust.md "* State laws: New York DFS Cybersecurity Regulation, Texas Health & Safety Code, MA 201 CMR 17.00, and others" → ➖ not-a-claim (framing: The regex-detected "temporal" flag appears to be a false positive; the line contains no temporal claim — it is a list of regulatory frameworks included in the CSF; evidence: The line at L55 of content/what-is/what-is-hitrust.md is a bullet point listing state laws harmonized by HITRUST CSF; source: repo:content/what-is/what-is-hitrust.md)
  • L57 in content/what-is/what-is-hitrust.md "A HITRUST report can be issued with a specific cross-reference set, so a vendor can hand the same report to an auditor who needs HIPAA evidence and another who needs NIST 800-53 evidence." → ✅ verified (framing: strengthened — claim narrows the general "assess once, report many" concept to a specific scenario; evidence: Multiple authoritative sources confirm HITRUST's "assess once, report many" model; source: https://hitrustalliance.net/assessments-and-certifications/r2)
  • L65-67 in content/what-is/what-is-hitrust.md "The HITRUST i1 (Implemented) assessment covers approximately 182 controls covering leading security practices and has a validity period of 1 year with a mid-cycle interim assessment." → ❌ contradicted (framing: shifted — claim attributes "mid-cycle interim assessment" to i1, but sources confirm the interim assessment belongs to r2; i1 uses rapid recertification in year 2; evidence: The 182 controls and 1-year validity are confirmed by hitrustalliance.net. However, the i1 does NOT have a mid-cycle interim assessment — it uses a rapid recertification in year 2; source: https://hitrustalliance.net/assessments-and-certifications/i1; https://www.accorian.com/hitrust-certification-e1-i1-and-r2-assessments-explained/)
  • L66 in content/what-is/what-is-hitrust.md "| i1 (Implemented) | ~182 controls covering leading security practices, threat-adapted. | 1 year (with a mid-cycle interim assessment) | Mid-market vendors…" → ❌ contradicted (framing: shifted — claim attributes "mid-cycle interim assessment" to i1, but sources consistently assign this requirement to the r2 (2-year) certification, not the i1; evidence: The 182-control count is confirmed by HITRUST's own site. However, the claim that i1 has a "mid-cycle interim assessment" is contradicted; source: https://hitrustalliance.net/assessments-and-certifications; https://www.a-lign.com/articles/everything-you-need-to-know-about-hitrust-certification)
  • L67 in content/what-is/what-is-hitrust.md "The HITRUST r2 (Risk-Based, 2-Year) assessment has a customized scope often drawn from 350+ requirements." → 🤷 unverifiable (framing: shifted — the claim attributes "350+" to hitrustalliance.net, but that page contains no such figure; the number appears only in third-party sources, and even those vary widely; evidence: The official hitrustalliance.net r2 page describes controls as tailored and risk-based but does not cite a "350+" figure. Third-party sources vary widely; source: https://hitrustalliance.net/assessments-and-certifications/r2)
  • L69 in content/what-is/what-is-hitrust.md "The earlier HITRUST assessment terminology 'HITRUST CSF Validated' and 'HITRUST CSF Certified' still appears in older contracts; r2 is the current name for the highest-rigor option." → ✅ verified (framing: strengthened — the claim adds the "older contracts" detail; sources confirm the rename and r2 as current highest-rigor option; evidence: Multiple authoritative sources confirm the rename; source: https://hitrustalliance.net/assessments-and-certifications/r2; https://www.wipfli.com/insights/articles/ra-what-is-the-new-hitrust-i1-assessment)
  • L73 in content/what-is/what-is-hitrust.md "Each in-scope HITRUST requirement is evaluated against a five-level PRISMA-derived maturity model." → ✅ verified (framing: strengthened — claim narrows the source's general "control implementation evaluation" to "each in-scope HITRUST requirement"; evidence: The official HITRUST Alliance PDF states: "HITRUST's approach to evaluating a control's implementation is based on a control maturity model outlined by the National Institute of Standards and Technology (NIST) Program Review of Information Security (PRISMA)."; source: https://hitrustalliance.net/content/uploads/Evaluating-Control-Maturity-Using-the-HITRUST-Approach.pdf)
  • L81 in content/what-is/what-is-hitrust.md "Each HITRUST maturity level gets a percentage score of 0–100%, and a control passes certification at level 3+ (conventionally 62+ out of 100)." → ✅ verified (framing: strengthened — claim says "conventionally 62+ out of 100"; the official source gives the exact threshold as "below 62" (i.e., must be ≥62); evidence: The official hitrustalliance.net advisory states "For an r2 validated assessment to result in an r2 certification, no assessment domain's straight-average score can be below 62."; source: https://hitrustalliance.net/advisories/haa-2021-012-i1-introduction-and-r2-enhancements)
  • L90 in content/what-is/what-is-hitrust.md "The HITRUST CSF contains 1,900+ requirement statements." → ✅ verified (evidence: Multiple authoritative HITRUST assessor sources confirm the figure. Cherry Bekaert states the framework is "supported by more than 1,900 requirement statements"; source: https://www.cbh.com/insights/articles/what-is-hitrust-csf-hitrust-certification-explained/; https://www.thoropass.com/blog/what-is-hitrust)
  • L91 in content/what-is/what-is-hitrust.md "SOC 2 is an AICPA attestation against Trust Services Criteria with partially prescriptive controls (criteria, customer-defined controls) audited by an independent CPA firm." → ✅ verified (framing: strengthened — the claim's phrase "partially prescriptive controls (criteria, customer-defined controls)" is a precise characterization; evidence: Multiple authoritative sources confirm all elements of the claim; source: https://soc2auditors.org/insights/what-is-soc-2-compliance/)
  • L92 in content/what-is/what-is-hitrust.md "ISO/IEC 27001 is an international ISMS standard with prescriptive Annex A controls audited by an accredited certification body." → ❌ contradicted (framing: shifted — claim labels Annex A controls as "prescriptive," but sources consistently describe ISO/IEC 27001 as risk-based and non-prescriptive, with organizations selecting applicable Annex A controls via Statement of Applicability; evidence: ISO/IEC 27001 is confirmed as an international ISMS standard with Annex A controls audited by an accredited certification body, but multiple authoritative sources explicitly state it is NOT prescriptive; source: https://www.nsf.org/management-systems/iso-iec-27001 ("the standard is not prescriptive"))
  • L105 in content/what-is/what-is-hitrust.md "A typical HITRUST r2 certification runs 12–18 months from kickoff to report." → ❌ contradicted (framing: narrowed — the claim asserts "12–18 months" as the typical range, but sources show a much wider and lower range (3–15 months depending on source); evidence: The official hitrustalliance.net r2 page contains no mention of a 12–18 month timeline. Third-party sources give widely varying estimates; source: hitrustalliance.net/assessments-and-certifications/r2 (no timeline figure found); accountablehq.com, integralhs.com, complyjet.com, linfordco.com (conflicting third-party estimates))
  • L113 in content/what-is/what-is-hitrust.md "HITRUST r2 recertification occurs every two years; e1 and i1 recertification occurs annually." → ✅ verified (evidence: The official HITRUST Alliance pages confirm: "HITRUST e1 certifications are valid for one year and must be renewed annually" (hitrustalliance.net/e1), and the i1 is a "1-Year Validated Assurance" renewed annually; source: https://hitrustalliance.net/assessments-and-certifications/e1 and https://hitrustalliance.net/assessments-and-certifications/i1)
  • L115 in content/what-is/what-is-hitrust.md "The first time through, expect months of work on policies, procedures, and evidence collection. Subsequent cycles are faster because the program is already running." → ✅ verified (evidence: Multiple authoritative HITRUST compliance sources confirm the first certification takes months and subsequent cycles are faster; source: valuementor.com, rsisecurity.com)
  • L119 in content/what-is/what-is-hitrust.md "A large share of HITRUST CSF requirements describe technical infrastructure controls: encryption, network segmentation, IAM, logging, configuration management, and more." → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists in the repo and is a valid page, confirming the internal link /what-is/what-is-infrastructure-as-code/ is live; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L121 in content/what-is/what-is-hitrust.md "Pulumi ships a HITRUST policy pack specifically for AWS, created with the command pulumi policy new aws-hitrust-compliance-policies-typescript." (also L124) → ✅ verified (evidence: The directory aws-hitrust-compliance-policies-typescript exists in pulumi/templates-policy on the master branch, confirming both the AWS-specific HITRUST policy pack and the exact template name; source: https://github.com/pulumi/templates-policy/tree/master/aws-hitrust-compliance-policies-typescript)
  • L124 in content/what-is/what-is-hitrust.md "The Pulumi HITRUST policy pack for AWS is created with the command pulumi policy new aws-hitrust-compliance-policies-typescript." → ✅ verified (evidence: The directory aws-hitrust-compliance-policies-typescript exists in pulumi/templates-policy (the repo used by pulumi policy new); source: gh api repos/pulumi/templates-policy/contents/ — directory confirmed at https://github.com/pulumi/templates-policy/tree/master/aws-hitrust-compliance-policies-typescript)
  • L128 in content/what-is/what-is-hitrust.md "The pack contains prebuilt Pulumi policies that block non-compliant configurations in CI before they deploy." → ✅ verified (framing: strengthened — "Pulumi policies" is the current product name for the policy-as-code feature (previously "CrossGuard"); link /docs/insights/policy/ is confirmed valid in the repo; evidence: The /docs/insights/policy/ page confirms pre-built policy packs exist for HITRUST and that preventative mode blocks deployments when violations are detected; source: repo:content/docs/insights/policy/_index.md)
  • L132 in content/what-is/what-is-hitrust.md "* Policy maturity (level 1). Encode security policy as code with Pulumi Policies." → ✅ verified (evidence: The path /docs/insights/policy/ resolves to a valid Pulumi documentation page titled "Policies"; source: repo:content/docs/insights/policy/_index.md)
  • L137 in content/what-is/what-is-hitrust.md "* Centralized secrets. Pulumi ESC keeps secrets out of code and CI logs, with audit trails for every read." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L138 in content/what-is/what-is-hitrust.md "* Reusable secure defaults. Platform teams ship Pulumi components with HITRUST-aligned settings baked in (encryption, logging, restricted IAM)." → ✅ verified (framing: strengthened — claim narrows the general component concept to HITRUST-aligned settings; evidence: The file content/docs/iac/concepts/components/_index.md exists and /docs/iac/concepts/components/ is listed as an alias; source: repo:content/docs/iac/concepts/components/_index.md)
  • L140 in content/what-is/what-is-hitrust.md "Pulumi supports managing HITRUST-relevant cloud infrastructure as code in TypeScript, Python, Go, C#, Java, or YAML." → ✅ verified (evidence: Multiple authoritative Pulumi docs pages consistently list the supported languages as "TypeScript, Python, Go, C#, Java, or YAML"; source: gh search code --owner pulumi "TypeScript, Python, Go, C#, Java, or YAML" --limit 5 (pulumi/docs repo, multiple files))
  • L146 in content/what-is/what-is-hitrust.md "HITRUST originally stood for 'Health Information Trust Alliance' and the organization has since dropped the long-form name." → ✅ verified (evidence: Multiple authoritative sources confirm both parts of the claim. Wikipedia states HITRUST is "formerly known as Health Information Trust Alliance."; source: https://en.wikipedia.org/wiki/HITRUST; https://www.ibm.com/products/cloud/compliance/hitrust)
  • L150 in content/what-is/what-is-hitrust.md "The HITRUST CSF is industry-agnostic and is used in financial services, public sector, retail, and SaaS." → ❌ contradicted (framing: narrowed — claim broadens the source by adding "retail" and "industry-agnostic" to a list that only names financial services, public sector, and SaaS; evidence: The file states "It has since expanded well beyond healthcare and is widely used in financial services, public sector, and SaaS." — it does not mention "retail" and does not describe the CSF as "industry-agnostic."; source: repo:content/what-is/what-is-hitrust.md)
  • L154 in content/what-is/what-is-hitrust.md "HITRUST certification does not automatically make an organization HIPAA-compliant." → 🤷 unverifiable (evidence: The local file read was truncated before reaching L154, and the GitHub master version of the file does not yet contain this text (it's new PR content). The claim itself is factually well-established — HITRUST is a voluntary framework and doesn't substitute for HIPAA compliance; source: repo:content/what-is/what-is-hitrust.md (truncated before L154))
  • L158 in content/what-is/what-is-hitrust.md "Reports issued before 2022 typically use the older 'HITRUST CSF Certified' terminology; 'r2' is the current name introduced around 2022." → ❌ contradicted (framing: shifted — claim states 'r2' was introduced "around 2022," but sources confirm it was introduced in 2021; the 2022 milestone was the launch of the i1 certification; evidence: Multiple sources confirm the 'r2' name was introduced in 2021, not 2022; source: https://www.ispartnersllc.com/blog/understanding-hitrust-csf-assessment/; https://www.crowe.com/insights/hitrust-certification-options-faq)
  • L162 in content/what-is/what-is-hitrust.md "A first-time HITRUST r2 certification typically runs 12–18 months from kickoff to issued report." → ❌ contradicted (framing: narrowed — claim asserts "12–18 months" as the typical first-time r2 range, but sources broadly cite 6–12 months or 3–9 months as more representative; evidence: Multiple sources give shorter typical timelines: accountablehq.com says "3–9 months" for first-time r2 programs; linfordco.com says "a year or more"; integralhs.com says "12–15 months"; complyjet.com gives a broad "6 to 18 months."; source: hitrustalliance.net, accountablehq.com, linfordco.com, integralhs.com, complyjet.com, vanta.com)
  • L166 in content/what-is/what-is-hitrust.md "The HITRUST MyCSF platform license costs a few thousand dollars per year." → ❌ contradicted (framing: narrowed — claim states "a few thousand dollars per year" but the source (hitrustalliance.net) says "Subscriptions typically cost from $18,100"; evidence: The official HITRUST Alliance pricing page states "Subscriptions typically cost from $18,100," and multiple independent sources cite annual MyCSF subscription costs ranging from ~$15,000 to $32,500+; source: https://hitrustalliance.net/blog/how-much-does-hitrust-cost)
  • L166 in content/what-is/what-is-hitrust.md "The External Assessor fee for a HITRUST r2 assessment is typically in the low-to-mid six figures for a first-time assessment." → 🤷 unverifiable (evidence: The hitrustalliance.net pricing page states assessors set their own fees and HITRUST "is not involved in the assessor fees," providing no specific dollar range. Third-party sources show wide variation ($40k–$250k+); source: https://hitrustalliance.net/blog/how-much-does-hitrust-cost)
  • L170 in content/what-is/what-is-hitrust.md "There is a combined HITRUST + AICPA SOC 2 report option that lets a single audit produce both a SOC 2 attestation and a HITRUST CSF report." → ✅ verified (evidence: Multiple authoritative compliance sources confirm this option exists; source: https://www.schellman.com/blog/soc-examinations/hitrust-certification-vs-soc-2-hitrust)
  • L174 in content/what-is/what-is-hitrust.md "MyCSF is HITRUST's web-based assessment platform that hosts the requirement set tailored to an organization, captures evidence and scoring, and is the system of record for External Assessors and HITRUST QA." → ✅ verified (framing: strengthened — the claim adds specific detail about "system of record for External Assessors and HITRUST QA"; evidence: Official HITRUST documentation describes MyCSF as "an online tool that organizations use to effectively and efficiently create a custom set of requirements based on the HITRUST CSF"; source: https://hitrustalliance.net/hubfs/CSF%20Versions/CSF%20v11.5/Introduction%20to%20HITRUST%20CSF%20v11.5.0.pdf)
  • L178 in content/what-is/what-is-hitrust.md "AWS, Azure, and Google Cloud all publish HITRUST-relevant control inheritance documentation that customers can cite to reduce their own evidence burden for shared controls." → ✅ verified (framing: strengthened — claim narrows "major CSPs" to the specific trio AWS/Azure/Google Cloud; evidence: AWS publishes a custom HITRUST Shared Responsibility Matrix; Azure and HITRUST jointly published an SRM; and HITRUST's own advisory confirms "All SRMs tailored for inheritance"; source: https://aws.amazon.com/compliance/hitrust/; https://azure.microsoft.com/en-us/blog/azure-and-hitrust-publish-shared-responsibility-matrix/)
  • L187 in content/what-is/what-is-hitrust.md "Pulumi gives engineering teams the tooling to make HITRUST CSF controls live in code: encrypted resources by default, least-privilege IAM, Pulumi policies that block non-compliant infrastructure in CI, and a pre-built AWS HITRUST policy pack." → ✅ verified (evidence: The path /docs/insights/policy/ exists in the Pulumi docs repo as content/docs/insights/policy/_index.md, titled "Policies" and covering policy-as-code functionality; source: repo:content/docs/insights/policy/_index.md)
  • L190-194 in content/what-is/what-is-hitrust.md "The pages /what-is/what-is-hipaa/, /what-is/what-is-soc-2/, /what-is/what-is-cloud-security/, /what-is/what-is-secrets-management/, and /what-is/what-is-configuration-management/ all exist as valid cross-links." → ✅ verified (evidence: All five content files exist in the repo: content/what-is/what-is-hipaa.md, content/what-is/what-is-soc-2.md, content/what-is/what-is-cloud-security.md, content/what-is/what-is-secrets-management.md, and content/what-is/what-is-configuration-management.md; source: repo files confirmed)

🚨 Outstanding in this PR

No outstanding findings.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L50-55] content/what-is/what-is-hitrust.md — bulleted enumeration of harmonized frameworks (HIPAA, HITECH, 42 CFR Part 2, NIST 800-53/171, FedRAMP, CMMC, ISO 27001/27002/27799, GDPR, PCI DSS, NY DFS, TX Health & Safety, MA 201 CMR 17.00, etc.) — verdict: 🤷 unverifiable. The official hitrustalliance.net source confirms harmonization "over 70" sources including the major families named, but doesn't enumerate the specific state laws and sub-standards. Not a blocker — keeping for author awareness.

    Author question: can you point reviewers at an authoritative HITRUST mapping for the most specific items (TX Health & Safety, MA 201 CMR 17.00, 42 CFR Part 2)? Even a footnote citing the v11.5 Introduction's authoritative-sources list would close this out.

  • [L67] content/what-is/what-is-hitrust.md — table cell: "Customized scope drawn from the full CSF (often 350+ requirements)..." — verdict: 🤷 unverifiable. The official r2 page describes the scope as risk-tailored but doesn't cite "350+." Third-party sources span 200–350+. Plausible but not anchored.

    Author question: is "350+" pulled from a specific assessor or HITRUST-published source? A citation would help; otherwise consider softening to "hundreds of requirements, often 200–350+, tailored by risk factors."

  • [L137] content/what-is/what-is-hitrust.md — "Pulumi ESC keeps secrets out of code and CI logs, with audit trails for every read." — verdict: 🤷 unverifiable per the trail (the verifier didn't converge). The claim is supported by content/docs/esc/administration/audit-logs.md, which states "All ESC activities are recorded in the Pulumi Cloud audit log system, capturing the timestamp, user identity, specific action taken, and source IP address for each event." Audit Logs are gated to Enterprise / Business Critical editions, which is worth a parenthetical if you want the claim to be fully precise.

    Author question (optional): consider noting the edition gating, e.g. "audit trails for every read (Enterprise/Business Critical)." Otherwise leave as-is — the underlying capability checks out.

  • [L154] content/what-is/what-is-hitrust.md — FAQ: "HITRUST certification does not automatically make an organization HIPAA-compliant." — verdict: 🤷 unverifiable (verifier truncated before reaching the line). The claim is a well-established compliance principle (HIPAA is federal law; HITRUST is a private framework) and the surrounding FAQ paragraph already explains the relationship correctly. No author action needed.

  • [L166] content/what-is/what-is-hitrust.md — FAQ: "The External Assessor fee for an r2 is typically in the low-to-mid six figures for a first-time assessment." — verdict: 🤷 unverifiable. HITRUST itself doesn't publish assessor fees ("assessors set their own fees"); third-party sources span $40k–$250k+, so the "low-to-mid six figures" framing is plausible for large/complex first-time r2 engagements but not source-anchored.

    Author question: consider widening to "typically five to mid-six figures" or pointing at a specific assessor pricing source, since the published low end of $40k–$60k from some assessors falls below "low six figures."

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

  • [L48] content/what-is/what-is-hitrust.md — "over 70 authoritative sources" — lowered to "60+ major authoritative sources (HITRUST's marketing site totals 'over 70' when you count sub-standards)" to match the v11.5.0 CSF Introduction PDF. (resolved in 0108071)

  • [L65-67] / [L66] content/what-is/what-is-hitrust.md — i1 validity cell: changed from "1 year (with a mid-cycle interim assessment)" to "1 year (rapid recertification in year 2)"; the interim assessment is an r2 feature, not i1. (resolved in 0108071)

  • [L92] content/what-is/what-is-hitrust.md — ISO/IEC 27001 prescriptive-controls cell: changed from "Yes (Annex A controls)" to "Partially (risk-based selection from Annex A via SoA)" to reflect that ISO 27001 is not prescriptive. (resolved in 0108071)

  • [L105] content/what-is/what-is-hitrust.md — r2 timeline: widened from "12–18 months" to "6–18 months, depending on scope, prior maturity, and remediation load" to match the spread of published estimates. (resolved in 0108071)

  • [L150] content/what-is/what-is-hitrust.md — FAQ industry list: removed "retail" and "industry-agnostic" claim; aligned to the intro paragraph wording ("financial services, public sector, and SaaS in particular"). (resolved in 0108071)

  • [L158] content/what-is/what-is-hitrust.md — r2 rename year: corrected from "around 2022" to "introduced in 2021" (2022 was the i1 introduction). (resolved in 0108071)

  • [L162] content/what-is/what-is-hitrust.md — FAQ r2 timeline (duplicate of L105): widened from "12–18 months" to "6–18 months". (resolved in 0108071)

  • [L166] content/what-is/what-is-hitrust.md — MyCSF pricing: corrected from "a few thousand dollars per year" to "subscriptions start around $18,000 per year (per HITRUST's published pricing)". (resolved in 0108071)

  • [L128 / L132 / L187] content/what-is/what-is-hitrust.md — Replaced deprecated product name "CrossGuard" with current name "Pulumi Policies" / "Pulumi policies" in three locations. (resolved in 16eee3a, per @CamSoper request)

📜 Review history

  • 2026-05-19T15:58:39Z — Flagged 7 distinct factual errors against official HITRUST sources (MyCSF ~$18k not "a few thousand," r2 renamed in 2021 not 2022, i1 has no mid-cycle interim, 12–18mo timeline too narrow, "70 sources" mismatch w/ v11.5 PDF, ISO 27001 "prescriptive" framing, FAQ industries inconsistent w/ intro) plus 5 unverifiable claims. (96a8d34)
  • 2026-05-19T16:13:05Z — re-reviewed after fix push (1 new commit, 0108071); all 9 outstanding items resolved. (0108071)
  • 2026-05-19T17:47:21Z — history rewritten since last review; branch rebased onto master and commits re-attributed to alexleventer on @CamSoper's request; re-reviewed against HEAD (b7f4977); content unchanged, 0 outstanding findings unchanged.
  • 2026-05-19T18:53:51Z — re-reviewed after fix push (1 new commit, 16eee3a); deprecated "CrossGuard" product name replaced with "Pulumi Policies" / "Pulumi policies" in three locations per @CamSoper request; no new findings. (16eee3a)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions

🤖 Review regenerated on @CamSoper's request.

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 19, 2026
@alexleventer (Author)

@claude - fix all the outstanding items and then #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:outstanding-issues Claude review completed; outstanding has author-actionable findings labels May 19, 2026
@github-actions

🤖 Review updated on @alexleventer's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper left a comment

@claude rebase this branch, replace the author with alex-leventer, and #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
alexleventer and others added 2 commits May 19, 2026 17:45
Rewrites content/what-is/what-is-hitrust.md from a high-level
overview into a deeper reference matching the template used by the
recent IaC, cloud-security, and HIPAA pages.

New structure:
- Bold quotable definition + question-driven TOC.
- Why HITRUST matters (one audit for many regimes, low certified
  breach rate, contractual gating).
- HITRUST CSF structure: 14 categories, 49 objectives, 156 control
  references, 1,900+ requirement statements across 19 domains.
- What the CSF harmonizes (HIPAA, NIST 800-53, ISO 27001, PCI DSS,
  GDPR, state laws, etc.).
- Modern assessment table: e1, i1, r2 — with validity, scope, and
  the legacy "CSF Certified" naming.
- Five-level PRISMA maturity model (Policy / Procedure /
  Implemented / Measured / Managed) and how scoring works.
- Comparison table: HITRUST vs HIPAA vs SOC 2 vs ISO 27001.
- Step-by-step certification process for r2.
- Pulumi section keeps the existing CrossGuard HITRUST policy pack
  pointer and adds the maturity-level mapping.
- Ten FAQ entries covering naming, scope, cost/timeline,
  HITRUST + SOC 2 combined reports, MyCSF, cloud inheritance.
- Learn-more cross-links to HIPAA, SOC 2, cloud security, secrets
  management, configuration management.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Fix CSF authoritative-source count (60+ per v11.5 PDF, not "over 70")
- Fix i1 validity: rapid recertification in year 2, not mid-cycle interim (that's r2)
- Fix ISO 27001 prescriptive-controls cell: partially risk-based, not simply "Yes"
- Widen r2 timeline from 12–18 to 6–18 months to match published estimates (body + FAQ)
- Align FAQ industry-list to intro (drop "retail" and "industry-agnostic")
- Fix r2 rename year: 2021 not 2022 (2022 was i1 introduction)
- Fix MyCSF pricing: subscriptions start ~$18,000/yr per HITRUST, not "a few thousand"

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pulumi-bot pulumi-bot force-pushed the aleventer/what-is-hitrust-rewrite branch from 0108071 to b7f4977 Compare May 19, 2026 17:45
@github-actions

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper left a comment

@claude Remove all references to CrossGuard (deprecated term) and #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
…Policies

Three occurrences of the deprecated product name "CrossGuard" replaced with
the current term "Pulumi Policies" (linking to /docs/insights/policy/).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pulumi pulumi deleted a comment from github-actions Bot May 19, 2026
@github-actions

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper CamSoper enabled auto-merge (squash) May 19, 2026 19:46
@CamSoper CamSoper merged commit 79d264b into master May 19, 2026
9 checks passed
@CamSoper CamSoper deleted the aleventer/what-is-hitrust-rewrite branch May 19, 2026 19:46