If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?
If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways.
An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST CsF Core Subcategories. A similar approach is used to “roll up” requirement-level scores to the HITRUST CSF Assessment Domains in a HITRUST CSF Assessment Report. The scorecard may be generated either from the security assessment used for HITRUST CSF certification or from a comprehensive security assessment. The former provides reasonable assurance about the state of NIST CsF compliance at a reasonable cost, whereas the latter provides the greatest level of assurance at a slightly higher cost.
Alternatively, an organization can use the results of a HITRUST CSF assessment to estimate the NIST CsF Implementation Tiers, which will help provide an organizational-level view into the maturity of its cybersecurity program.
For more information on the original NIST maturity model, see NIST IR 7358, Program Review for Information Security Management Assistance (PRISMA).
For more information on how the HITRUST CSF is used to support an organization’s implementation of the NIST Cybersecurity Framework, see the Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1.
For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.