What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.
Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.
Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.