How to Upload HITRUST Evidence to MyCSF Portal: Best Practices
HITRUST MyCSF evidence uploads require strict formatting, naming conventions, and requirement mapping. This guide explains the best practices for preparing and uploading assessor-ready evidence to the MyCSF portal to avoid kickbacks and assessment delays.

HITRUST r2 validated assessments are notoriously rigorous, and the MyCSF portal is the gatekeeper for your certification. Unlike other frameworks where a shared folder might suffice, HITRUST requires evidence to be meticulously linked to specific requirements, properly named, and formatted for External Assessor review. Automating HITRUST evidence collection and upload preparation is essential to avoid the "evidence kickback" loop that delays certifications by months.
This guide details the exact file naming conventions, formatting standards, and upload strategies required to navigate the MyCSF portal successfully.
What Evidence Standards Do HITRUST Assessors Require?
Answer: HITRUST External Assessors require evidence that is static, time-bound, and independently verifiable. Unlike internal audits where a live demo might work, MyCSF evidence must stand on its own as a permanent record of control implementation.
For an r2 Validated Assessment, evidence is scored against five maturity levels. Most organizations focus on the first three:
- Policy: Documented rules (e.g., Information Security Policy).
- Procedure: Documented steps to execute the policy (e.g., SOPs).
- Implemented: Proof the procedure is actually followed (e.g., screenshots, logs, tickets).
The Golden Rule: If an assessor cannot open the file, read the text clearly, or identify the timestamp and system source from the screenshot alone, they will reject it.
Best Practices for MyCSF File Naming and Formatting
The MyCSF portal allows you to link one piece of evidence to multiple requirements, but messy file names make this impossible to manage.
1. Adopt a Strict Naming Convention
Assessors hate generic names like screenshot.png or evidence.pdf. Use a convention that identifies the requirement and the content immediately.
Recommended Format:
[Req_ID]_[Control_Name]_[Evidence_Type]_[Date].pdf
Examples:
- ✅ 09.aa_AuditLogging_Config_Screenshot_2026-01-15.pdf
- ✅ 01.b_UserRegistration_Ticket_Sample_2026-01-15.pdf
- ❌ audit_log.png
2. Use PDF for Everything
While MyCSF accepts various formats, PDF is the standard.
- Why: Spreadsheets (Excel) can be altered; Word docs track changes. PDFs are static.
- Automation Tip: Tools like Screenata automatically convert screenshots and metadata into read-only PDFs to ensure integrity.
3. Highlight and Annotate
Don't make the assessor hunt for the proof.
- Highlight: If uploading a 50-page policy, highlight the specific paragraph relevant to the requirement.
- Annotate: On screenshots, add a red box around the specific setting (e.g., "MFA Enabled: True").
How to Map Evidence to HITRUST CSF Domains
HITRUST CSF has 19 domains. A single piece of evidence often satisfies multiple requirements (inheritance).
| Domain | Common Evidence Type | MyCSF Mapping Strategy |
|---|---|---|
| 01.0 Access Control | Screenshots of IdP (Okta/Azure AD) settings, access request tickets. | Map single IdP config screenshot to multiple requirements (e.g., 01.b, 01.c, 01.j). |
| 09.0 Audit Logging | Exported logs (CSV/PDF) and screenshots of log retention settings. | Link retention policy to "Procedure" and log export to "Implemented". |
| 10.0 Vulnerability Mgmt | Screenshots of scanner dashboards (Tenable/Qualys) and remediation tickets. | Ensure dates on screenshots match the sample period requested by the assessor. |
| 06.0 Configuration Mgmt | Screenshots of "Golden Image" baselines or CI/CD pipeline configs. | Map to both Change Management and Endpoint Protection domains. |
Where Traditional HITRUST Assessment Automation Falls Short
Many organizations use GRC platforms (like Drata or Vanta) or HITRUST-specific tools (like Avast or BARR) to manage the assessment project. These tools are excellent for tracking progress and scoring maturity.
The Automation Gap: However, these tools generally do not capture the raw evidence for "Implemented" maturity automatically.
- The Problem: You still have to manually log into AWS, take a screenshot of the S3 encryption setting, rename the file 06.d_Encryption_2026.png, convert it to PDF, and upload it to the GRC tool or MyCSF.
- The Scale: For an r2 assessment with ~400 requirements, this manual process takes hundreds of hours.
The Solution: Evidence automation agents (like Screenata) bridge this gap by performing the "computer use" tasks: logging in, navigating menus, capturing screenshots, and generating the MyCSF-ready PDF automatically.
Step-by-Step: Preparing Evidence for MyCSF Upload
Follow this workflow to ensure 100% acceptance rates for your uploaded evidence.
Step 1: Define the Population and Sample
Before uploading, confirm with your External Assessor what the sample size is.
- Example: For "User Access Reviews," do they need Q1, Q2, Q3, and Q4? Or just a random sample of 5 users?
- Action: Only upload exactly what is requested. "Data dumping" annoys assessors.
Step 2: Capture and Standardize
Use automation to capture the evidence.
- Manual Way: Snipping tool → Paste to Word → Save as PDF.
- Automated Way: Run Screenata workflow → Output 01.b_Access_Review.pdf.
- Note: Ensure the system clock is visible or the metadata includes a verified timestamp.
Step 3: Validate the Artifact
Check the file against the "3-Second Rule": Can an assessor understand what this proves in 3 seconds?
- Is the URL visible? (Context)
- Is the logged-in user visible? (Auth)
- Is the setting clearly "On" or "Off"?
Step 4: Upload and Link in MyCSF
- Log into MyCSF.
- Navigate to the Document Repository.
- Bulk upload your named PDFs.
- Go to the specific Requirement Statement.
- Select "Link Evidence" and choose the file from the repository.
- Tag it with the correct maturity level (usually "Implemented").
Example: Evidence for Requirement 01.b (User Registration)
Requirement: "The organization ensures that a formal user registration and de-registration procedure is implemented for granting and revoking access to all information systems and services."
Evidence Pack Structure:
| File Name | Content | Maturity Level |
|---|---|---|
| 01.b_Access_Control_Policy_v2.pdf | The written policy document. | Policy (Level 1) |
| 01.b_User_Onboarding_SOP.pdf | The step-by-step HR/IT guide. | Procedure (Level 2) |
| 01.b_Jira_Ticket_User_Creation.pdf | Screenshot of a Jira ticket showing manager approval and IT execution. | Implemented (Level 3) |
| 01.b_AD_User_Created_Log.pdf | Screenshot of Active Directory audit log showing creation timestamp. | Implemented (Level 3) |
Common MyCSF Upload Errors to Avoid
- Broken Links: Uploading a file but failing to link it to the requirement in the portal. The assessor will mark it as "Missing Evidence."
- Dynamic Links: Pasting a link to a Google Drive folder or Notion page. Assessors cannot access these securely, and content can change. Always upload static artifacts.
- Date Mismatches: Uploading evidence from outside the audit period. If your audit period is Jan-Dec 2025, a screenshot from Dec 2024 is invalid for "Implemented" scoring (though valid for Policy if unchanged).
- Blurry Screenshots: High-resolution monitors often result in large screenshots that get compressed. Ensure text is legible at 100% zoom.
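The naming convention, the static-PDF rule, and the date-mismatch and dynamic-link errors above can be checked before anything is uploaded. The script below is an added example, not part of the original guide or of any HITRUST or MyCSF tooling; the function name `check_evidence` and the requirement-ID pattern (inferred from the guide's own examples such as 09.aa and 01.b) are assumptions.

```python
import re
from datetime import date

# Assumption: requirement IDs look like the guide's examples (09.aa, 01.b, 06.d).
NAME_RE = re.compile(
    r"^(?P<req>\d{2}\.[a-z]{1,2})_"
    r"(?P<desc>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)+)_"  # Control_Name + Evidence_Type
    r"(?P<date>\d{4}-\d{2}-\d{2})\.pdf$"
)

def check_evidence(name, period_start, period_end, maturity="Implemented"):
    """Return a list of problems for one evidence item; empty means it passes."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", name, re.I):
        return ["dynamic link: upload a static artifact instead"]
    problems = []
    if not name.lower().endswith(".pdf"):
        problems.append("not a PDF")
    m = NAME_RE.match(name)
    if m is None:
        problems.append("name is not [Req_ID]_[Control_Name]_[Evidence_Type]_[Date].pdf")
        return problems
    try:
        captured = date.fromisoformat(m.group("date"))
    except ValueError:
        problems.append("date is not a valid YYYY-MM-DD calendar date")
        return problems
    # The guide treats out-of-period evidence as invalid for "Implemented" only.
    if maturity == "Implemented" and not (period_start <= captured <= period_end):
        problems.append(f"dated {captured}, outside the audit period")
    return problems

if __name__ == "__main__":
    # Constructed sample batch; the audit period is the guide's Jan-Dec 2025 example.
    start, end = date(2025, 1, 1), date(2025, 12, 31)
    batch = [
        "09.aa_AuditLogging_Config_Screenshot_2025-06-15.pdf",
        "01.b_UserRegistration_Ticket_Sample_2024-12-15.pdf",
        "audit_log.png",
        "https://example.com/shared-evidence-folder",
    ]
    for item in batch:
        print(item, "->", check_evidence(item, start, end) or "OK")
```

Files that omit the date, such as the undated names in the 01.b evidence pack table, are flagged by this strict form of the convention.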
Frequently Asked Questions
Can I upload a ZIP file to MyCSF?
MyCSF allows ZIP uploads, but assessors generally dislike them because they have to download and unzip them to view contents. It is better to upload individual, well-named PDFs unless the sample size is massive (e.g., 50 log files).
How long does MyCSF retain evidence?
MyCSF retains evidence associated with an assessment object. However, you should maintain your own offline backup of all evidence packs (the "Evidence Library") in case of portal issues or for future reference during interim assessments (i1).
Does HITRUST accept video evidence?
Video files are large and difficult to navigate. While possible, it is far better to use workflow automation that converts a video recording into a step-by-step PDF storyboard with screenshots. This allows the assessor to scan the document quickly.
Key Takeaways
- ✅ Naming Matters: Use [Req_ID]_[Description]_[Date] to keep MyCSF organized.
- ✅ PDF is King: Convert all screenshots, tickets, and spreadsheets to static PDFs before uploading.
- ✅ Map to Maturity: Distinctly separate Policy docs from Implemented evidence (screenshots/logs).
- ✅ Automate Capture: Use tools like Screenata to generate formatted, timestamped evidence packs automatically, filling the gap left by GRC tools.
- ✅ Static Artifacts Only: Never use dynamic links to live wikis or folders; assessors need permanent records.
Learn More About HITRUST r2 Certification Evidence Automation
For a complete guide to streamlining your assessment, see our guide on automating HITRUST r2 evidence collection, including detailed breakdowns of evidence requirements for all 19 CSF domains.