Comparing the NIST Cybersecurity Framework and HITRUST Common Security Framework

The NIST Cybersecurity Framework (NIST CsF) continues to gain traction as a tool for reporting on the maturity and effectiveness of an organization’s cyber-related controls. At the same time, the HITRUST CSF continues to gain adoption as a controls and reporting framework for information privacy and security across many industries, both domestically and internationally. The NIST CsF and HITRUST CSF are complementary tools and can be used together to satisfy many needs within and across organizations.
How are the NIST CsF and HITRUST CSF related?
The NIST CsF provides a mechanism for assessing and maturing a cybersecurity program based on 98 objective-level Core Subcategories that describe intended cybersecurity outcomes. The HITRUST CSF and its Assurance Program complement the NIST CsF in two major ways: 1) the HITRUST CSF provides the details needed to implement each of the 98 cybersecurity objectives in a way that maps to and meets many critical compliance and risk management standards as efficiently as possible; and 2) the Assurance Program provides a standards-driven process to monitor, assess, and maintain those controls. Without the HITRUST CSF, practitioners using the NIST CsF must create these standards and processes themselves.
How has HITRUST enabled current NIST CsF users to get started?
With the release of HITRUST CSF v9, organizations participating in the HITRUST CSF Assurance Program can view their information privacy and security programs through the lens of the NIST CsF. The NIST CsF Scorecard, now provided in every HITRUST CSF assessment report, details how well an organization meets the objectives specified by the NIST CsF Core Subcategories based on how well it has implemented the underlying HITRUST CSF controls. Organizations that do not undergo an assessment under the HITRUST CSF Assurance Program can prepare a similar report using a publicly available cross-reference between the HITRUST CSF controls and the NIST CsF Core Subcategories.
About the HITRUST CSF Assurance Program
By leveraging the HITRUST CSF Assurance Program, an organization can perform one assessment against the HITRUST CSF framework to satisfy multiple reporting requests, including HIPAA, SOC 2®, NIST Cybersecurity, MARS-E, or one of the other regulations or standards incorporated into the HITRUST CSF. In short, it reduces costs, resource burdens, and time via an "assess once, report many" approach.
Additional explanation on how the HITRUST CSF is a model implementation of the NIST CsF and provides support for an organization’s attestation of compliance with the NIST Cybersecurity Framework can be found on the Department of Homeland Security / US CERT website in the Healthcare Sector Cybersecurity Framework Implementation Guide.