Advisories

HAA 2024-009 - HITRUST Issued NIST Cybersecurity Framework (CSF) v2.0 Certification Report

Written by HITRUST | Dec 6, 2024 4:48:16 PM

Overview

HITRUST now offers a new NIST Cybersecurity Framework (CSF) v2.0 Certification Report as an optional add-on to HITRUST r2 validated assessments created using v11.4.0 and later of the HITRUST CSF. The new HITRUST issued NIST CSF v2.0 report is based upon the Core Functions specified in the NIST CSF v2.0 and contains significant upgrades to the report layout, content, and format. 

Key Characteristics 

  • NIST CSF v2.0 redefines the cybersecurity framework taxonomy including the addition of a new Govern function. 
  • The NIST CSF v2.0 Certification Report is an optional add-on to the r2 assessment, available by selecting the NIST Cybersecurity Framework 2.0 compliance factor on the Factors page in MyCSF. 
  • The enhanced report provides clearer and more detailed mappings between the HITRUST CSF requirement statements and NIST CSF v2.0 identified controls at the NIST CSF core category and its sub-category level.  
  • Relevant observations and the associated risk treatment, if specified by the Assessed Entity, are now included in the report for relying parties to evaluate. 

A sample of the enhanced NIST CSF v2.0 report can be found here. 


Details

Listed below are the changes that enable the new HITRUST issued NIST CSF v2.0 report:  

Eligibility 

The HITRUST issued NIST CSF v2.0 Certification Report will only be available for r2 validated assessments utilizing HITRUST CSF version 11.4.0 or later.  

r2 validated assessments created using HITRUST CSF version 11.3.2 or earlier will continue to receive complimentary reports based upon NIST CSF v1.1.  

Factors Page 

The Factors page on r2 validated assessments using HITRUST CSF version 11.4.0 or later will include an additional compliance factor titled NIST Cybersecurity Framework 2.0. This factor must be selected in order to obtain a HITRUST issued NIST CSF v2.0 report.

Figure 1 (screenshot of the Factors page; image not reproduced)

Report Credit 

If an organization chooses to include the NIST Cybersecurity Framework 2.0 compliance factor within their r2 validated assessment, they will be required to purchase a NIST CSF v2.0 Certification report credit prior to submission of their completed assessment to HITRUST.  

An additional report credit is not required to obtain the NIST Cybersecurity Framework v1.1 Certification Report from HITRUST for r2 validated assessments using HITRUST CSF version 11.3.2 or earlier.

For more information regarding the NIST CSF v2.0 Certification report credit, please contact your Customer Success Manager (CSM) or email our support team.

QA Reservation 

An Assessed Entity can reserve a QA block using only their r2 validated assessment report credit. The NIST CSF v2.0 Certification report credit is only required prior to submission of the completed assessment to HITRUST.

Reporting 

When the NIST Cybersecurity Framework 2.0 compliance factor is included in an r2 validated assessment and a NIST CSF v2.0 report credit is available, HITRUST will issue either a certified report or a validated-only report over NIST CSF v2.0. 

Note that the criteria to achieve the NIST CSF certification have not changed. To learn more about the criteria, visit HITRUST Assessment Handbook section 15.1 HITRUST Reporting.


Implementation Timeline

The ability to receive a HITRUST issued NIST CSF v2.0 Certification Report is available as of the release of this advisory for r2 validated assessments created on HITRUST CSF v11.4.0 and any future version.  

Additional Resources

For any additional questions, please contact our Support team or a HITRUST Customer Success Manager.