HAA 2021-014: CSF Version 9.6 Release

Written by HITRUST | Mar 5, 2024 2:32:44 PM

Implementation and Timeline
v9.6 is available within MyCSF and for download here as of December 30, 2021.

Overview
The CSF Version 9.6 Release includes both CSF and MyCSF enhancements which are described further below. The CSF enhancements are changes related to the HITRUST CSF framework, while MyCSF enhancements are related to the MyCSF platform.

CSF Enhancements
CSF Version 9.6 (v9.6) contains the following enhancements:

  • Refreshed NIST SP 800-53 revision 4 mapping and added NIST SP 800-53 revision 4 as a selectable compliance factor.
  • Updates to some requirement statements and illustrative procedures in anticipation of the HITRUST Implemented, 1-year (i1) Validated Assessment release.
  • Assorted errata updates consistent with the CSF Versioning Policy.

The CSF Summary of Changes document offers additional details regarding CSF. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to see the potential impact on an existing assessment prior to upgrading to v9.6.

MyCSF Enhancements

  1. CMMC Compliance Factor
    The CMMC Compliance factor will now contain a “Deprecated” flag (see Figure 1) to indicate that the version of CMMC currently mapped to the CSF has been superseded. The CMMC Compliance factor appears in versions 9.4, 9.5, and 9.6 of the CSF and each of these versions will display the “Deprecated” flag. More information about the CMMC program is available here.

Figure 1 

  2. Illustrative Procedure Enhancements
    Beginning in v9.6, the Policy and Implemented illustrative procedures have been formatted to enhance usability and clarity. The Policy illustrative procedures have been formatted to specifically enumerate each evaluative element when the illustrative procedures are displayed from the “More Information” menu, as shown in Figure 2. Additionally, the evaluative element count will be shown when the requirement is displayed, as shown in Figure 3. For assessments that are performed using v9.6, the evaluative element count displayed within MyCSF must be the denominator for the calculation of coverage for scoring of the requirement statement for the Policy, Procedure, Implemented, and Measured maturity levels in the HITRUST Control Maturity Scoring Rubric. Note that these illustrative procedure enhancements are present on all HITRUST assessments performed using v9.6 and later of the HITRUST CSF where applicable, regardless of assessment type (i1 or r2).

The Implemented and Measured illustrative procedure formatting has been updated to identify each testing procedure should the maturity level be scored (see Figure 2).

Figure 2

Figure 3

  3. Sampling Badge
    In addition, the requirement statement view within MyCSF will now contain a badge (see Figure 4) when the Implemented illustrative procedure requires the External Assessor to select a sample of items and/or occurrences to test. If circumstances exist which prevent sample-based testing (such as a lack of control occurrences), the external assessor must document a rationale for not performing sample-based testing for that HITRUST CSF requirement’s implemented control maturity level.

Figure 4 

Additional Information
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.