Advisories

HAA 2025-001 HITRUST CSF Version 11.5.0 Release

Written by HITRUST | Apr 14, 2025 3:22:06 PM
Overview

The HITRUST CSF v11.5.0 framework (v11.5.0) is available within MyCSF and downloadable here as of April 14, 2025.  

The changes included in v11.5.0 consist of: 

  • Continued requirement statement consolidation to reduce the volume of requirement statement overlap within the CSF 
  • Several new and refreshed Authoritative Sources 
New and Refreshed Authoritative Sources 

v11.5.0 includes the following new Authoritative Sources: 

  • Abu Dhabi Healthcare Information and Cyber Security (ADHICS) mapping and selectable Compliance factor, "Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS)" 
  • Cyber Security Act of Singapore mapping and selectable Compliance factor, "Cybersecurity Act 2018 (Singapore)" 
  • Network and Information Security (NIS) Directive mapping and selectable Compliance factor, "Network and Information Security (NIS) Directive"   
  • NY DoH Title 10 NYCRR Section 405.46 mapping and selectable Compliance factor, "NY DoH Title 10 Section 405.46"   
  • Singapore Monetary Authority of Singapore (MAS) Notice on Cyber Hygiene mapping and selectable Compliance factor, "Singapore MAS Notice on Cyber Hygiene" 
  • Strategies to Mitigate Cybersecurity Incidents (Australia) mapping and selectable Compliance factor, “Strategies to Mitigate Cybersecurity Incidents (Australia)” 
  • Texas Identity Theft Enforcement and Protection Act, Chapter 521 of the Texas Business and Commerce Code mapping and selectable Compliance factor, "Texas Business and Commerce Code Chapter 521" 
  • UK Guidelines for Secure AI system development mapping and selectable Compliance factor, "UK Guidelines for Secure AI System Development" 
  • GovRAMP Readiness mapping and selectable Compliance factor, "GovRAMP Readiness" 

The following Authoritative Source has been refreshed in v11.5.0: 

  • COBIT mapping and selectable Compliance factor, "COBIT 2019" 

Other changes: 

  • Added selectable Compliance factor, “NY DOH System Security Plan v5 Critical Controls Attestation Overlay” 
  • The existing StateRAMP factor has been renamed “GovRAMP” consistent with the organization’s rebranding. 

No changes have been made to the baseline r2 assessment requirement statements between v11.4.0 and v11.5.0  See HAA 2025-002 - CSF v11.4.0 Creation Deadline for e1 and i1 Assessments for the impact to the e1 and i1 assessment requirement statements.


Additional Resources 

For more information, see the HITRUST CSF v11.5.0 Summary of Changes. For additional questions please contact our Support team or a HITRUST Customer Success Manager (CSM). 

 
View full post