Overview

The HITRUST CSF v11.4.0 framework (v11.4.0) is available within MyCSF and downloadable here as of December 06, 2024.  

• Continued requirement statement consolidation to reduce the volume of requirement statement overlap within the CSF 

• Several new and refreshed Authoritative Sources  

New, Refreshed and Removed Authoritative Sources 

 v11.4.0 includes the following new Authoritative Sources: 

• OWASP Machine Learning Top 10 mapping and selectable Compliance factor, "OWASP ML Top 10" 

• NIST Cybersecurity Framework 2.0 mapping and selectable Compliance factor, "NIST Cybersecurity Framework 2.0" 

• CMMC 2.0 mapping and selectable Compliance factor, "Cybersecurity Maturity Model Certification (CMMC) 2.0" 

• EU Digital Operational Resilience Act (DORA) mapping and selectable Compliance factor, "DORA" 

• ISO/IEC 29151:2017 mapping and selectable Compliance factor, "ISO/IEC 29151:2017" 

• CMS ARS v5.1 mapping and selectable Compliance factor, "CMS Acceptable Risk Safeguards (ARS) v5.1" 

• 16 CFR 314 mapping and selectable Compliance factor, "16 CFR 314" 

• NAIC 668 Insurance Data Security Model Law mapping and selectable Compliance factor, "NAIC 668 Insurance Data Security Model Law" 

• NIST SP 800-171 r3 mapping and selectable Compliance factor, “NIST SP 800-171 r3” 

The following Authoritative Sources have been refreshed in v11.4.0: 

• South Carolina Insurance Data Security Act (SCIDSA) mapping and selectable Compliance factor, "SCIDSA" 

• Texas Medical Records Privacy Act mapping and selectable Compliance factor, "Texas Medical Records Privacy Act" 

• Federal Information Security Management Act (FISMA) mapping and selectable Compliance factor, "FISMA" 

• 201 CMR 17.00 mapping and selectable Compliance factor, "State of Massachusetts Data Protection Act (201 CMR 17.00)" 

•  California Consumer Privacy Act § 1798 mapping and selectable Compliance factor, "California Consumer Privacy Act § 1798" 

• FDA 21 CFR Part 11 mapping and selectable Compliance factor, “21 CFR Part 11” 

• NIST SP 800-171 r2 mapping and selectable Compliance factor, “NIST SP 800-171 r2” 

• OWASP AI Exchange mapping and selectable Compliance factor, “OWASP AI Exchange” 

• MITRE ATLAS and selectable Compliance factor, “MITRE ATLAS” 

The following Authoritative Sources have been removed in v11.4.0: 

• DirectTrust mapping and selectable Compliance factor, "DirectTrust" 

• EHNAC mapping and selectable Compliance factor, “EHNAC” 

• Banking Requirements mapping and selectable Compliance factor, “Banking Requirements” 

• Title 1 Texas Administrative Code § 390.2 and selectable Compliance factor, “Title 1 Texas Administrative Code § 390.2” 

No changes have been made to the baseline r2 assessment requirement statements between v11.3.2 and v11.4.0  See HAA 2024-007 - CSF v11.3.2 Creation Deadline for e1 and i1 Assessments for the impact to the e1 and i1 assessment requirement statements.  

Additional Information 

For more information, see the HITRUST CSF v11.4.0 Summary of Changes. For additional questions please contact our Support team or a HITRUST Customer Success Manager (CSM).