Advisories

HAA 2024-002: CSF Version 11.3 Release

Written by HITRUST | Apr 16, 2024 1:18:51 PM

Overview

The HITRUST CSF v11.3 framework (v11.3) is available within MyCSF and for download as of April 16, 2024.

The changes included in v11.3 consist of:

  • Continued requirement statement consolidation to reduce the volume of requirement statements that overlap within the CSF.
  • Several new and refreshed Authoritative Sources.

Benefits of Adding Authoritative Sources to the HITRUST CSF:

  • To remain current with evolving industry standards and regulations.
  • To keep the CSF comprehensive so it meets multiple organizational needs.
  • To include and harmonize emerging standards and mappings to stay ahead of cyber threats.
  • To satisfy market demand for additional HITRUST Insights Reports.

New and Refreshed Authoritative Sources 

v11.3 includes the following new Authoritative Sources:
  • Added FedRAMP r5 mapping and selectable Compliance factor, “FedRAMP r5”.
    • The existing FedRAMP Compliance factor, “FedRAMP”, will not be selectable as of v11.3.
  • Added StateRAMP r5 mapping and selectable Compliance factor, “StateRAMP r5”.
  • Added TX-RAMP r5 mapping and selectable Compliance factor, “TX-RAMP r5”.
  • Added FFIEC CAT mapping and selectable Compliance factor, “FFIEC CAT”.
  • Added CIS v8 mapping and selectable Compliance factor, “CIS v8”.
    • The existing CIS v7.1 Compliance factor, “CIS CSC v7.1”, will not be selectable as of v11.3.
  • Added MITRE Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) Mitigations mapping, “MITRE ATLAS”.
  • Added OWASP AI Exchange mapping and selectable Compliance factor, “OWASP AI Exchange”.
  • Added NIST SP 800-172 mapping and selectable Compliance factor, “NIST SP 800-172”.
  • Added HHS Cybersecurity Performance Goals mapping and selectable Compliance factor, “HHS Cybersecurity Performance Goals”.
  • Added PCI DSS v4 mapping and selectable Compliance factor, “PCI DSS v4”.
    • The existing PCI DSS v3.2.1 Compliance factor, “PCI DSS v3.2.1”, will not be selectable as of v11.3.
  • Added 23 NYCRR 500 Second Amendment mapping and selectable Compliance factor, “23 NYCRR 500 Second Amendment”.
    • The existing 23 NYCRR 500 Compliance factor, “23 NYCRR 500”, will not be selectable as of v11.3.
  • Added HICP 2023 edition mapping and selectable Compliance factor, “HICP 2023”.
    • The existing HICP Compliance factor, “HICP”, will not be selectable as of v11.3.

The following Authoritative Sources have been refreshed in v11.3:

  • Refreshed GDPR mapping and selectable Compliance factor, “GDPR”.
  • Refreshed Singapore PDPA mapping and selectable Compliance factor, “PDPA (Singapore)”.

Additionally, minor enhancements were made to the NIST SP 800-53 R5 mapping to reflect NIST SP 800-53 Release 5.1.1, which added one new control (IA-13) and three control enhancements.


Changes to the r2 Assessment Baseline

One requirement statement (16.09l1Organizational.4) included in the r2 assessment has been clarified in v11.3. The v11.3 wording broadens the acceptable control from offline backups only to offline and/or immutable backups:

  • v11.3: The organization maintains offline and/or immutable backups of data.
  • v11.2: The organization maintains offline backups of data.

No other changes have been made to the baseline r2 assessment requirement statements between v11.2 and v11.3. See HAA 2024-003 - CSF v11.2 Creation Deadline for e1 and i1 Assessments for the impact on the e1 and i1 assessment requirement statements.

Additional Information
For more information, see the HITRUST CSF v11.3.0 Summary of Changes. For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.