If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST CsF in one of two ways.
An organization can generate a NIST CsF scorecard based on the maturity[1] of the HITRUST CSF control requirements that support each of the NIST CsF Core Subcategories. A similar approach is used to “roll up” requirement-level scores to the HITRUST CSF Assessment Domains in a HITRUST CSF Assessment Report, and may be generated from the security assessment used for HITRUST CSF certification or from a comprehensive security assessment. The former will provide reasonable assurances about the state of NIST CsF compliance at a reasonable cost, whereas the latter will provide the greatest level of assurance but at a slightly higher cost.[2]
Alternatively, an organization can use the results of a HITRUST CSF assessment to estimate the NIST CsF Implementation Tiers, which will help provide an organizational-level view into the maturity of its cybersecurity program.
- [1] HITRUST leverages the maturity model outlined in Bowen, P. and Kissel, R. (2007). Program Review for Information Security Management Assistance (PRISMA) (NIST IR 7358). Gaithersburg, MD: NIST. Retrieved from http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf.
- [2] This is the same approach used to provide assurances around an organization’s level of HIPAA compliance, which is explained in an RMF FAQ entitled “If I’m HITRUST CSF Certified, does this mean I’m HIPAA-compliant?” and in Frequently Asked Questions About the HITRUST Risk Management Framework.