Cognome | HSCC AI Cyber Governance Maturity Assessment
Scored against the HSCC Health Industry AI Cyber Governance Framework Implementation Guide (May 2026), Appendix C
What this is
This tool operationalizes the 5-point maturity scale defined in Appendix C of the HSCC AI Cyber Governance Framework Implementation Guide. It assesses your organization's AI cyber governance program across the three objectives HSCC defines: AI Cybersecurity Governance Framework, Regulatory Alignment, and Standards & Compliance Mapping.
How to use it
- Assemble a cross-functional assessment team (IT/security, clinical leadership, compliance, legal, privacy, AI Governance Committee) before scoring — no single function should score in isolation, per HSCC guidance.
- Go to each of the three Objective tabs. For each control statement, select the maturity level (1–5) that best reflects current, documented practice — not intent or plans.
- Where evidence is ambiguous between two levels, HSCC's rule applies: assign the LOWER score unless there is documented evidence the higher level is substantially met.
- Use the Evidence/Notes field to record what document, system, or artifact supports the score (inventory record, charter, audit report, crosswalk, dashboard, etc.).
- The Maturity Summary tab calculates each objective score automatically and applies HSCC's conservative scoring rule: overall maturity = the LOWEST of the three objective scores.
- Use the Gap & Remediation Log to document gaps below your target maturity level, with owners and timelines, per HSCC Appendix C Step 6.
"Use the lowest of the three objective scores as the overall maturity level, unless the organization formally documents and the AI Governance Committee approves an alternative scoring rule… The conservative default ensures that a significant gap in any one area is not masked by strength in others."
Scoring reminder — HSCC Appendix CRisk tier → minimum maturity
| Risk Tier | Example | Minimum Maturity Level Required Before Deployment |
|---|---|---|
| Tier 1 — Critical / High Risk | Clinical diagnostics, direct treatment decisions | Level 4 minimum before deployment |
| Tier 2/3 — Moderate Risk | Operational workflow tools with limited PHI | Level 3 recommended |
| Tier 4 — Low Risk | Administrative tools, no PHI | Level 2 may be acceptable |
Navigate
Objective 1
Obj 1 — Cyber Governance
Score Objective 1: AI Cybersecurity Governance Framework
Objective 2
Obj 2 — Regulatory Alignment
Score Objective 2: Regulatory Alignment
Objective 3
Obj 3 — Standards Mapping
Score Objective 3: Standards & Compliance Mapping
Results
Maturity Summary
Auto-calculated scores, overall maturity, board-report view
Follow-up
Gap & Remediation Log
Track gaps below target maturity with owners and timelines
Source text
HSCC Reference
Full level descriptions and evidence examples (Appendix C source text)
Source: HSCC Health Industry AI Cyber Governance Framework Implementation Guide, May 2026, Appendix C (Maturity Model) and Appendix D (AI Autonomy Levels). This tool is an independent implementation tool built on the publicly published HSCC framework and is not an HSCC work product.
Objective 1: AI Cybersecurity Governance Framework
Inventory, committee structure, board oversight, lifecycle management, NHI/agentic controls, incident response, and supply chain risk
Score each control area independently. HSCC rule: where evidence is ambiguous between two levels, assign the LOWER score unless the higher level is substantially documented.
HSCC scores each objective as a single 1–5 rating: the lowest of its control-area scores. This tool shows the control-area breakdown so gaps are visible at a granular level, consistent with that same conservative rule.
Continue to Objective 2 →Objective 2: Regulatory Alignment
HIPAA, FDA SaMD/PCCP, state law, post-market surveillance, and liability/insurance alignment for AI
Score each control area independently. HSCC rule: where evidence is ambiguous between two levels, assign the LOWER score unless the higher level is substantially documented.
HSCC scores each objective as a single 1–5 rating: the lowest of its control-area scores. This tool shows the control-area breakdown so gaps are visible at a granular level, consistent with that same conservative rule.
Continue to Objective 3 →Objective 3: Standards & Compliance Mapping
NIST AI RMF, OWASP LLM Top 10, MITRE ATLAS, ISO/IEC 42001 family, and clinical safety standards alignment
Score each control area independently. HSCC rule: where evidence is ambiguous between two levels, assign the LOWER score unless the higher level is substantially documented.
HSCC scores each objective as a single 1–5 rating: the lowest of its control-area scores. This tool shows the control-area breakdown so gaps are visible at a granular level, consistent with that same conservative rule.
Continue to Maturity Summary →AI Cyber Governance — Maturity Summary
Auto-calculated from Objective 1–3 | Format aligned to HSCC Appendix K board reporting template
1. Governance Objective Scores
| Governance Objective | Score (1–5) | Status | HSCC Level Definition | Target Level |
|---|
2. Deployment Readiness Check
Per HSCC: High Risk systems (clinical diagnostics) require at least Maturity Level 4 before deployment, while Low Risk (administrative) systems may accept Level 2. Enter your highest-risk-tier AI system’s tier below to check readiness against current overall maturity.
3. Maturity Trend
Update at each reassessment cycle to track your governance maturity over time.
| Assessment Date | Obj. 1 | Obj. 2 | Obj. 3 | Overall |
|---|
Source: HSCC Health Industry AI Cyber Governance Framework Implementation Guide, May 2026, Appendix C and Appendix K. Independent implementation tool, not an HSCC work product.
Ready to export your results? Go to Export & Print.
Continue to Gap & Remediation Log →Gap & Remediation Log
Per HSCC Appendix C, Step 6: document gaps below target maturity with evidence, owner, timeline, and success criteria
Tip: prioritize gaps in the objective with the lowest score first — HSCC’s conservative scoring rule means that objective sets your overall maturity ceiling regardless of strength elsewhere.
Continue to Export & Print →Export & Print
Save a copy of your completed assessment.
These exports include your scores and notes from all three Objectives, plus the Gap & Remediation Log — not just the Maturity Summary page.
Runs entirely in your browser — nothing is uploaded or sent to Cognome.
Looking to print the HSCC Reference material instead? Go to the Reference tab.
HSCC Reference — Appendix C & D
Source: HSCC AI Cyber Governance Framework Implementation Guide, May 2026, pages 56–60
Appendix C: Maturity Model — Overview
Governance effectiveness is assessed on a 5-point scale:
How to Conduct a Maturity Assessment (HSCC’s 7 steps)
- Assemble the Assessment Team. Cross-functional team: IT/security, clinical leadership, compliance, legal, privacy, AI Governance Committee. No single function should score in isolation.
- Define Assessment Scope. Enterprise level, by business unit, or by AI risk tier. Score separately by risk tier where the AI portfolio is diverse.
- Gather Evidence. Documentation, artifacts, and data for each objective — inventory records, policies, approval workflows, audit reports, crosswalks, training records, dashboards, incident logs. Scores should be based on demonstrated, documented practice — not intent or plans.
- Score Each Objective. Score 1 to 5 based on the level description that best fits current state. Where the organization falls between two levels, assign the LOWER score unless there is documented evidence the higher level criteria are substantially met. Each objective is scored independently.
- Determine Overall Maturity. Use the lowest of the three objective scores as the overall maturity level, unless the organization formally documents and the AI Governance Committee approves an alternative scoring rule (e.g., weighted average based on risk exposure). The conservative default ensures a significant gap in any one area is not masked by strength in others.
- Identify Gaps and Prioritize Remediation. For any objective scored below target, document specific gaps, supporting evidence, and a remediation plan with owners, timelines, and success criteria.
- Document and Report. Complete the Maturity Assessment Summary and present findings to the AI Governance Committee and executive leadership. Retain records for audit and year-over-year trend analysis.
Appendix D: AI Autonomy Levels
For scoring individual AI systems, not governance maturity.
The AI autonomy framework establishes a common language for responsibility and oversight, similar to autonomous vehicle levels.
Note for Healthcare Organizations: The autonomy levels are intended to support HDO governance and procurement decisions. They are NOT equivalent to the safety engineering frameworks FDA uses to evaluate automated medical devices. FDA’s evaluation focuses on automation bias, complacency, loss of situational awareness, and skill degradation. For AI-enabled medical devices subject to FDA oversight, review device labeling rather than relying on autonomy level classification alone.
Risk-Tier Minimum Maturity
Referenced in the main guide body.
"In summary, governance must align with risk tiers. For example, High Risk systems (clinical diagnostics) require at least Maturity Level 4 before deployment, while Low Risk (administrative) systems may accept Level 2."
Source: HSCC Health Industry AI Cyber Governance Framework Implementation Guide, May 2026, pages 56–60. Independent implementation tool, not an HSCC work product.