Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector.1

Since the NIST CsF lacks the prescriptive controls needed for an organization to implement the framework, HITRUST provides NIST CsF-implementing organizations a single, comprehensive, prescriptive, yet tailorable control framework to meet its business objectives.2 The HITRUST CSF also helps organizations satisfy multiple regulatory and other compliance requirements—including the Health Insurance Portability and Accountability Act3 (HIPAA) Security Rule’s standards and implementation specifications—and ultimately meet industry-recognized due care and due diligence requirements for the adequate protection of health information.

By implementing the HITRUST RMF, organizations automatically implement the NIST CsF recommendations and meet the cyber resilience objectives specified by the NIST CsF Subcategories.

  1. Joint HPH Cybersecurity WG. (May 2016). _Healthcare Sector Cybersecurity Framework Implementation Guide, _Version 1.1. Retrieved from
  2. For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.
  3. HHS (March 2013). HIPAA Administrative Simplification Regulation Text for 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013). Washington, DC: Government Printing Office. Retrieved from


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment