Overview
The HITRUST CSF v11.2 framework (v11.2) is available within MyCSF and downloadable here as of October 10, 2023.
The changes included in v11.2 consist of:
- An initial wave of requirement statement consolidation to reduce the volume of requirement statement overlap within the CSF.
- Several new and refreshed Authoritative Sources.
New and Refreshed Authoritative Sources
v11.2 includes the following new Authoritative Sources:
- Added NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 mapping and selectable Compliance factor, “Artificial Intelligence Risk Management”.
- Added Ontario Personal Health Information Protection Act mapping and selectable Compliance factor, “Ontario Personal Health Information Protection Act”.
- Added Veteran Affairs Directive 6500 mapping and selectable Compliance factor, “Veteran Affairs Directive 6500”.
- Added ISO 27001:2022 mapping and added a selectable Compliance factor, “ISO 27001:2022”.
- Added ISO 27002:2022 mapping and added a selectable Compliance factor, “ISO 27002:2022”.
- Added NY OHIP Moderate-Plus v5 mapping and selectable Compliance factor, “NY OHIP Moderate-plus Security Baselines v5”.
- The existing NY OHIP Moderate-Plus Compliance factor, “NY OHIP Moderate-plus Security Baselines v3”, will not be selectable as of v11.2.
The following Authoritative Sources have been refreshed in v11.2:
- Refreshed 23 NYCRR 500 mapping and selectable Compliance factor, “23 NYCRR 500”.
- Refreshed FTC Red Flags Rule mapping and selectable Compliance factor, “FTC Red Flags Rule”.
- Refreshed NV Title 52 603A mapping and selectable Compliance factor, “NV Title 52 603A”.
Additionally, minor enhancements were made to the NIST SP 800-53 R5 mapping.
Changes to the r2 Assessment Baseline
One requirement statement (16.09l1Organizational.4) included in the r2 assessment baseline has been clarified in v11.2.
v11.2:
The organization maintains offline backups of
1. data.
v11.1:
The organization maintains offline backups of
1. data and
2. systems.
No other changes have been made to the baseline r2 assessment requirement statements between v11.1 and v11.2. See HAA 2023-012 – CSF v11.1 Creation Deadline for e1 and i1 Assessments for the impact on the e1 and i1 assessment requirement statements.
Additional resources
For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.