HAA 2021-005: CSF Versioning Policy

Written by HITRUST | Mar 15, 2024 5:00:26 AM

Summary 
To provide further transparency to the HITRUST Community, a versioning policy for the HITRUST CSF is being introduced. The policy defines the criteria for updates to the HITRUST CSF and the corresponding communications that can be expected from HITRUST.

Versioning Policy 
All CSF versions will now observe the following syntax: v[Major].[Minor].[Errata] 

In support of the syntax, HITRUST will observe the following definitions:

Major Release (Example: v8.0.0, v9.0.0, v10.0.0): 

  • Changes to CSF structure including:
      • Adding, removing, or material changes to the Categories, Objectives, or Control References and corresponding descriptions.
      • Updates to the taxonomy of the CSF.
  • An Assurance Advisory will be published to announce the change.

Minor Release (Example: v9.1.0, v9.2.0, v10.1.0): 

  • Material changes to the CSF and related information in the platform including:
      • Changing the Control References required for certification or inclusion of Requirement Statements in an assessment.
      • Adding, removing, or material changes to a Requirement Statement and/or Implementation Requirements.
      • Adding, removing, or changes to Authoritative Sources, related Regulatory/Compliance Factors or mappings.
      • Updates which result in a Requirement Statement moving to a different Control Reference, Domain, or Level.
      • Material changes to Illustrative Procedures.
      • Adding or removing General, Geographic, Organizational, or Technical Factors and/or related operational functionality.
  • An Assurance Advisory will be published to announce the change.

Errata Release (Example: v9.1.2, v9.1.3, v10.0.1): 

  • Immaterial changes to the CSF and related information in the platform including:
      • Minor updates to CSF categorization vernacular (no material impact).
      • Changes to the Factor Type designation or Topics.
      • Immaterial changes to a Requirement Statement and/or Implementation Requirements.
      • Updates which do not result in a Requirement Statement moving to a different Control Reference, Domain, or Level.
      • Immaterial changes to the Illustrative Procedures.
      • Spelling, punctuation, grammatical, typographical, or stylistic corrections.
      • Adding, removing, or changes to Community Supplemental Requirements and related information in the platform, related Regulatory/Compliance Factors or mappings.*
  • An Assurance Advisory will not be published to announce the change. The new release will be available within MyCSF as an optional update to certain existing assessments and used as the default version for any newly created assessments after the release.

* Due to the nature of Community Supplemental Requirements, modifications do not rise to the level of a minor release, which necessitates an advisory/announcement to all HITRUST users. 

Implementation and Timeline 

Versioning of the HITRUST CSF 
Effective as of the release of v9.5.0, all versions of the HITRUST CSF will observe the versioning syntax of v[Major].[Minor].[Errata] and the CSF Versioning Policy.

MyCSF 
Starting with v9.5.0, all CSF Library versions within MyCSF are displayed using the versioning syntax of v[Major].[Minor].[Errata]. Previous CSF Library versions will only display the major and minor release. 

Additional Information 
See HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes including CSF Version Upgrades for related MyCSF enhancements.  

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.