An i1 Control Reference that scores a 37 would yield what result?

In an i1 assessment, scoring below threshold levels (generally 83 for certification-critical controls) results in a required Corrective Action Plan (CAP). A score of 37 falls into the “Somewhat Compliant” category and indicates major deficiencies. Because i1 assessments emphasize cybersecurity hygiene, HITRUST does not allow “risk acceptance” at such low scores. Instead, CAPs are required to ensure remediation is planned and tracked. This approach guarantees that organizations address weaknesses that could leave them vulnerable to common threats. Unlike r2 assessments, where some flexibility exists based on risk tailoring, i1 is structured to enforce mandatory remediation for below-threshold results. Therefore, a Control Reference score of 37 in i1 unequivocally requires a CAP.