The HITRUST CSF scoring rubric evaluates maturity across five levels: Policy, Procedure, Implemented, Measured, and Managed. To achieve certification in an r2 assessment, each domain must meet a minimum aggregate threshold of 71. Full compliance in Policy, Procedure, and Implementation (100% each) results in high scores that exceed the certification threshold. The Measured and Managed levels, while valuable for demonstrating monitoring and governance, are not required to be scored above zero to achieve certification. In this scenario, the organization demonstrates complete documentation and implementation of controls, which satisfies HITRUST’s certification criteria. Therefore, even with Measured and Managed at zero, the assessment can achieve certification because the foundational maturity levels provide sufficient assurance.