
How HITRUST r2 Measured and Managed Maturity Are Scored

Why Your Score Stops at 75% and How to Build Past It

A conversation we have near the end of r2 assessments has become one of the most predictable in the practice. A client has scored at or near 100% on Policy, Procedure, and Implemented across their requirement statements. The program is well-documented, the controls are operating, the evidence held up. Then the weighted maturity scores come back, and the final number is 75%, and the client wants to know what happened. The answer is that Measured and Managed were not included in the assessment scope. Together, those two levels account for 25% of the total weighted maturity score on every requirement statement — Measured at 10% and Managed at 15%. Without them, 75% is not a near-miss. It is the ceiling. What follows is the harder question: how do we implement these for the next cycle? That conversation, happening at the close of fieldwork, is exactly the wrong time to be having it.

A similar pattern surfaces earlier in the same engagements, before scores are final. The policies are written, the procedures are documented, the controls are implemented. And then the conversation shifts to Measured and Managed, and the energy in the room changes. Heads tilt. Spreadsheets get pulled up. Someone says, “We do this, we just don’t have a metric for it yet.”

Both conversations point to the same gap. This guidance walks through what Measured and Managed actually require, where programs slip on the mechanics, and how to design for these levels before the assessment window opens, not after it closes.

Where Measured and Managed Sit in the Maturity Model

HITRUST’s control maturity model has five levels. Only Implemented is scored across all three certification types. Policy and Procedure are scored at r2 only. Measured and Managed are also r2-only, and only when the assessed entity opts in. At e1 and i1, only the Implemented level is evaluated.

| Level | Name | What It Tests | Where It’s Scored |
|---|---|---|---|
| 1 | Policy | Documented policies address the requirement | r2 only |
| 2 | Procedure | Documented procedures operationalize the policy | r2 only |
| 3 | Implemented | Controls applied across in-scope systems | All assessments (e1, i1, r2) |
| 4 | Measured | Monitoring activities verify ongoing effectiveness | r2 only (opt-in) |
| 5 | Managed | Risk treatment process responds to results | r2 only (opt-in) |

That’s both the relief and the risk. The relief, because an i1 or e1 doesn’t force the conversation. The risk, because organizations targeting r2 sometimes treat Measured and Managed as a layer they’ll add later, and “later” tends to arrive the week before fieldwork, or shortly before submission when the scores are not what they had hoped for.

Measured (Level 4) — Measure vs. Metric

Measured asks one substantive question: is there separate or ongoing monitoring that verifies your control is actually working? Scoring moves along two axes: Strength and Coverage. Strength is determined by the type of measurement in place and who performs it. Coverage is the percentage of a requirement statement’s evaluative elements that the measurement actually addresses. Both matter — a Tier 4 independent metric that monitors only a narrow slice of a control’s evaluative elements will still score below Fully Compliant.

Strength breaks down further into whether you have a Measure or a Metric, and whether the measurement is operational or independent. An operational measurement is one prepared and reviewed by the control owner, their subordinates, or peers who report to the same department head — anyone influenced by the control owner, regardless of whether they sit above, below, or alongside them in the org chart. An independent measurement is one prepared and reviewed by a party with no influence relationship to the control owner — an internal audit team, an external assessor, or a similarly positioned function. That distinction is not about who signs off on the output; it is about who produces it. Evidence prepared by a control owner and handed to an auditor for review still scores as operational.

Measured Strength Tiers

| Tier | Classification | Definition |
|---|---|---|
| 4 | Independent metric | Metric prepared and reviewed by a party not influenced by the control owner. Highest achievable strength. |
| 3 | Operational metric | Metric prepared and/or reviewed by the control owner or an influenced party. |
| 2 | Independent measure | Measure prepared and reviewed by a party not influenced by the control owner. |
| 1 | Operational measure | Measure prepared and/or reviewed by the control owner or an influenced party. |
| 0 | No measurement | No qualifying measurement in place. Scores NC at Measured regardless of coverage. |

A Measure requires seven specific criteria. A Metric requires all seven plus two more — the result has to be tracked over time, and there have to be explicit thresholds or targets. Not implied thresholds, stated ones.

| Measure (7 criteria — all required) | Metric (Measure + 2 more) |
|---|---|
| All seven criteria must be met | Higher strength than a Measure at the same independence level |
| 1. Addresses the control’s operation or performance | 1. Addresses the control’s operation or performance |
| 2. Specifies an appropriate frequency of the control | 2. Specifies an appropriate frequency of the control |
| 3. Defines what is measured (the data used) | 3. Defines what is measured (the data used) |
| 4. Identifies who is responsible for gathering data | 4. Identifies who is responsible for gathering data |
| 5. Describes how the data is recorded | 5. Describes how the data is recorded |
| 6. Describes how the measurement is calculated | 6. Describes how the measurement is calculated |
| 7. Specifies review frequency (≥ once / 12 months) and reviewer | 7. Specifies review frequency (≥ once / 12 months) and reviewer |
| | 8. Tracked over time so the trend in control effectiveness is visible |
| | 9. Has explicitly stated thresholds or targets — not implied |

The All-or-Nothing Tier Rule

The strength tiers are all-or-nothing at the qualification level. Miss one of the seven Measure criteria and the document does not qualify as a Measure — it scores Tier 0, no measurement. The same logic applies to the two additional Metric criteria. There is no partial credit for getting six of seven right.

Independence works the same way. If the measurement is prepared and reviewed by someone influenced by the control owner — a subordinate, a peer reporting to the same department head, or anyone whose judgment could be shaped by the control owner — it is operational regardless of how rigorous the process looks. Only when the full measurement — preparation and review — is performed by a party with no influence relationship to the control owner does it qualify as independent and step up a tier.

Coverage is the second axis and equally unforgiving. The Measured rubric is a grid: Strength tiers run from Tier 0 (no measurement) to Tier 4 (independent metric), and Coverage runs from Very Low (0–10%) to Very High (90–100%). Fully Compliant requires Tier 4 strength AND Very High coverage. At High coverage (66–89%), even a Tier 4 independent metric scores Mostly Compliant, not Fully Compliant. At Moderate coverage (33–65%) with Tier 4 strength, the score is Partially Compliant. Programs that achieve independence but apply it narrowly leave as many points on the table as those that measure broadly but stay operational.

The scoring grids below show how Strength and Coverage interact across both Measured and Managed. Each cell reflects the rating earned at that Strength–Coverage combination. The Managed ceiling rule — Managed cannot exceed Measured Coverage — applies on top of the Managed grid.

Managed (Level 5) — The Ceiling Rule

Managed is even less forgiving in a specific way. It evaluates how the organization responds when the Measured data shows variation. Strength is built from three risk treatment criteria:

  • Management involvement at an appropriate level, or a defined escalation and review process when appropriate management is not initially involved.
  • A defined mechanism for tracking issues, risks, and risk treatment decisions over time.
  • Explicit consideration of cost, level of risk, and mission impact when making risk treatment decisions.

The number of criteria documented determines the tier: one criterion documented is Tier 2, more than one but not all is Tier 3, and all three documented is Tier 4. An observed but entirely undocumented risk treatment process scores Tier 1. No process at all, or a Measured score of NC, forces Managed to NC regardless of coverage.

Managed Strength Tiers

| Tier | Definition | What It Requires |
|---|---|---|
| 4 | All criteria documented | All three risk treatment criteria addressed in writing. |
| 3 | >1 but not all criteria | Two of the three criteria formally documented. |
| 2 | 1 criterion documented | Any single criterion addressed in writing. |
| 1 | Undocumented process | Risk treatment activity observed but not formally documented. |
| 0 | No process / Measured = NC | No risk treatment process exists, or the corresponding Measured score is NC. |

Coverage is the percentage of identified issues that flow through that process. If no issues were identified by the underlying measure, Managed Coverage is automatically Very High.

The Managed Ceiling

Managed cannot exceed Measured Coverage. If the inputs aren’t being measured comprehensively, the response process can’t earn its full score regardless of how disciplined it is. The response process is bounded by the measurement that feeds it.
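The rules described above for both levels can be turned into a simple readiness check that a program can run against its own control inventory before the assessment window opens. The following is an added example written for this page; it is not HITRUST's scoring tool or Clearwater's code, and it encodes only what the text states: the seven Measure criteria and two extra Metric criteria, the independence test applied to both preparer and reviewer, the all-or-nothing tiers, the Measured coverage bands and the three Tier 4 grid cells named above, the Managed tier-by-criteria-count rule, the no-issues rule, and the ceiling. The role names treated as independent, the bounds assumed for the unstated "Low" band (11–32%), the reading of the ceiling as a cap on the Managed coverage band, and the sample inputs are all constructed assumptions.

```python
"""Readiness checker for the HITRUST r2 Measured (Level 4) and Managed (Level 5)
rules as described in the text. Added example, not HITRUST's or Clearwater's code.
Role names, the "Low" band bounds and the ceiling reading are assumptions."""
from dataclasses import dataclass

MEASURE_CRITERIA = frozenset({
    "addresses_operation",      # 1. control's operation or performance
    "control_frequency",        # 2. appropriate frequency of the control
    "data_defined",             # 3. what is measured (the data used)
    "data_owner",               # 4. who is responsible for gathering data
    "recording",                # 5. how the data is recorded
    "calculation",              # 6. how the measurement is calculated
    "review_cadence_reviewer",  # 7. review frequency (>= once / 12 months) and reviewer
})
METRIC_CRITERIA = MEASURE_CRITERIA | {
    "tracked_over_time",        # 8. trend in effectiveness visible over time
    "explicit_thresholds",      # 9. stated, not implied, thresholds or targets
}
MANAGED_CRITERIA = frozenset({
    "management_involvement_or_escalation",
    "issue_tracking_mechanism",
    "cost_risk_mission_considered",
})
# Assumed set of roles with no influence relationship to the control owner.
INDEPENDENT_ROLES = frozenset({"internal_audit", "external_assessor"})
BANDS = ("Very Low", "Low", "Moderate", "High", "Very High")


def coverage_band(pct):
    """Bands from the text: Very Low 0-10, Moderate 33-65, High 66-89, Very High
    90-100. Low (11-32) is assumed to fill the gap the text leaves."""
    if pct >= 90:
        return "Very High"
    if pct >= 66:
        return "High"
    if pct >= 33:
        return "Moderate"
    if pct > 10:
        return "Low"
    return "Very Low"


@dataclass
class Measurement:
    criteria_met: frozenset   # subset of METRIC_CRITERIA the document satisfies
    prepared_by: str
    reviewed_by: str
    coverage_pct: float       # share of evaluative elements the measurement addresses


def measured_tier(m):
    """Strength tier 0-4; each qualification step is all-or-nothing."""
    if not MEASURE_CRITERIA <= m.criteria_met:
        return 0                         # six of seven still means no measurement
    # Independence is about who produces it: preparer AND reviewer must be
    # uninfluenced. Owner-prepared, auditor-reviewed stays operational.
    independent = {m.prepared_by, m.reviewed_by} <= INDEPENDENT_ROLES
    if METRIC_CRITERIA <= m.criteria_met:
        return 4 if independent else 3
    return 2 if independent else 1


def missing_for_metric(m):
    """Criteria still needed before the document qualifies as a Metric."""
    return sorted(METRIC_CRITERIA - m.criteria_met)


# Only the grid cells the text states explicitly; other cells are left unstated.
STATED_MEASURED_CELLS = {
    (4, "Very High"): "Fully Compliant",
    (4, "High"): "Mostly Compliant",
    (4, "Moderate"): "Partially Compliant",
}


def measured_rating(m):
    tier = measured_tier(m)
    if tier == 0:
        return "NC"                      # Tier 0 is NC regardless of coverage
    cell = (tier, coverage_band(m.coverage_pct))
    return STATED_MEASURED_CELLS.get(cell, "below Fully Compliant (cell not stated in text)")


@dataclass
class RiskTreatment:
    documented_criteria: frozenset   # which MANAGED_CRITERIA are written down
    process_observed: bool           # activity exists, documented or not
    issues_identified: int           # issues raised by the underlying measure
    issues_treated: int              # of those, how many flowed through the process


def managed_tier(rt, measured):
    if measured_rating(measured) == "NC" or not rt.process_observed:
        return 0                         # no process, or Measured = NC
    n = len(rt.documented_criteria & MANAGED_CRITERIA)
    if n == 0:
        return 1                         # observed but undocumented
    if n == len(MANAGED_CRITERIA):
        return 4
    return 3 if n > 1 else 2


def managed_coverage_band(rt, measured):
    """No identified issues -> Very High; otherwise the share treated, capped at
    the Measured coverage band (the ceiling rule, as read in this example)."""
    if rt.issues_identified == 0:
        band = "Very High"
    else:
        band = coverage_band(100.0 * rt.issues_treated / rt.issues_identified)
    ceiling = coverage_band(measured.coverage_pct)
    return min(band, ceiling, key=BANDS.index)


if __name__ == "__main__":
    # Constructed sample: a complete metric, owner-prepared but auditor-reviewed.
    m = Measurement(frozenset(METRIC_CRITERIA), "control_owner", "external_assessor", 95)
    print("Measured tier:", measured_tier(m), "rating:", measured_rating(m))
```

Running the sample prints an operational metric (Tier 3) even though an external assessor reviewed it, which is the point the text makes about who produces the evidence; swapping the preparer to an uninfluenced party is what moves it to Tier 4.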

Designing for Maturity from the Start

The takeaway for healthcare organizations targeting r2 with Measured and Managed in scope is structural. The work isn’t a scoring exercise added at the end. It’s a design decision made when the control is first written.

Every control intended to reach Tier 3 or 4 needs a measurement defined alongside the procedure: what is tracked, how often, by whom, against what threshold, reviewed by whom. The risk treatment process needs to be in operation long enough to show up in evidence. The handbook is specific: controls at the Implemented, Measured, and Managed levels must operate in their current state for a consecutive 90 days before testing — there is no partial credit for meeting less than the full incubation period. Introducing a risk treatment program 30 days before fieldwork starts is not a near-miss; it means the control cannot be scored at those levels at all. Build the measurement and treatment cadence into the Information Security Management System itself, and the maturity score follows. Bolt it on at the end, and the all-or-nothing rules — both on qualification and on incubation — do what they always do.

Win the Score Before the Assessment Window Opens

Measured and Managed are where many HITRUST Governance programs lose points they didn’t expect to lose. The fix isn’t more documentation in the weeks before fieldwork. It’s a measurement and risk treatment cadence built into the ISMS from the moment a control is designed. Organizations that take that approach tend to find their maturity scores match their internal expectations. Those that don’t tend to be surprised.

Clearwater’s HITRUST team works this pattern from both sides of the table — as an Authorized HITRUST External Assessor and as a program design partner — and we tend to start the maturity conversation early, well before the assessment window opens, because that’s where the score is actually determined. Our HITRUST advisory team is ready to help you assess how your controls would score today against the Measured and Managed criteria, and to design a measurement and risk-treatment cadence that earns the tier you’re aiming for.

Disclaimer: This guidance is authored by Clearwater Security practitioners and reflects current HITRUST CSF framework guidance. This document does not constitute legal advice. Organizations should consult HITRUST’s official guidance at hitrustalliance.net and work with qualified HITRUST External Assessors for assessment-specific direction. 
