Skip to content

HITRUST invests in continuously evaluating new control requirements and expanding the coverage of security and privacy authoritative sources supported by the HITRUST CSF framework. To facilitate and empower customers to take advantage of this investment and ensure HITRUST assessments are generated and inherited from (and/or relied upon) the latest available HITRUST CSF controls and mappings, HITRUST is decommissioning CSF v9.1 through v9.4 according to the timeline below.

HAA 2023-002- CSF Version 9.1 – 9.4 Decommission Notice

Notice and Timeline Details
Support of CSF v9.1 through v9.4
Effective as of the release of this advisory, maintenance support (i.e. CSF updates that would result in an errata release according to HAA 2021-005: CSF Versioning Policy) of v9.1 through v9.4 will be discontinued. Questions related to these library versions will continue to be addressed via support tickets until the libraries are removed from MyCSF on March 31, 2026. All Assessments using v9.1 – v9.4 will remain in MyCSF.

Key Assessment Dates

  • Effective September 30, 2023, the ability to create new v9.1 through v9.4 assessment objects will be disabled. All new assessment objects created on or after September 30, 2023, must be created using HITRUST CSF v9.5.x or later.
  • Effective December 31, 2024, the ability to submit v9.1 through v9.4 assessment objects to HITRUST for report processing will be disabled.
    • Effective as of the release of this advisory, the QA Reservation system will not allow the selection of a submission date after December 31, 2024, when booking a reservation for an assessment object using v9.1 through v9.4.
    • As of December 31, 2024, any unsubmitted assessment objects utilizing v9.1 through v9.4 will be marked with a MyCSF banner indicating that they cannot be submitted to HITRUST for processing.

Note that the following will not be impacted by the above notice:

  • Interim and Bridge Assessments will continue to utilize the same version of the HITRUST CSF that was used to create the original r2 Validated Assessment.
  • Internal and external inheritance will continue to be available from v9.1 through v9.4 assessment objects until their expiration—for Uncertified r2 Validated Assessments, a period of one (1) year from report date, and for Certified r2 Validated Assessments, a period of two (2) years from report date and timely completion of its Interim Assessment.

Additional Resources
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.

<< Back to News Next Advisory >>

Subscribe to get updates,
news, and industry information.


Chat Now

This is where you can start a live chat with a member of our team