The HITRUST CSF v11.7.0 framework is available within MyCSF and downloadable here as of December 18, 2025.
The changes included in v11.7.0 consist of:
v11.7.0 includes the following new Authoritative Source:
Minor updates to existing Authoritative Source mappings:
Other changes:
e1 and i1 Assessment Baseline Impacts
With the release of v11.7, HITRUST is making changes to the e1 and i1 baselines. These adjustments are the result of multiple analyses focused on optimizing the e1 and i1 assessments. More information on why these changes are being made can be found in our v11.7 Baseline Change FAQ.
As a result of these changes, the size of the e1 baseline for v11.7 is 43 requirement statements. The size of the i1 baseline remains 182 requirement statements. In v11.7, it is still true that all requirement statements in the e1 baseline are included in the i1 baseline and all requirement statements in the i1 baseline are included in the r2 baseline.
Modifications in the current e1/i1 baseline:
19180.09z1Organizational.2 [1103.0] –
Current [1103.0]: “The organization designates individuals authorized to post information onto a publicly accessible information system and trains these individuals to ensure that publicly accessible information does not contain nonpublic information.”
Updated [1103.1]: “The organization trains individuals to ensure that publicly posted information does not contain nonpublic information. If the organization permits the posting of information onto a publicly accessible information system, it designates individuals authorized to post the information.”
16.09l1Organizational.4 [2326.0] –
Current [2326.0]: “The organization maintains offline and/or immutable backups of data.”
Updated [2326.0]: “The organization maintains offline and/or immutable backups of data for an organization defined period of time.”
Removal from the e1 baseline:
1223.09ac1System.1 [1203.1] – “Access to audit trails / logs is safeguarded from unauthorized access and use.”
Replacement in the current e1 and i1 baselines:
CVID 0501.0 is being replaced with CVID 3207.0 in the HITRUST CSF.
1403.05i1Organizational.67 [0501.0] – “Access granted to external parties is limited to the minimum necessary, limited in duration, and is revoked when no longer needed.”
14.05i1Organizational.3 [3207.0] – “The organization ensures all third-party organizations with access to the organization’s information or information systems meet contracted levels of information security. The organization reviews assessments or independent verifications of third-party organization compliance with contract provisions (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) at least annually.”
Upon the release of CSF v11.7.0, HITRUST is announcing the deadline for creating and submitting e1 and i1 assessments using CSF v11.6.0 and earlier. See HAA 2025-006 - CSF v11.0 - v11.6 Creation Deadline for e1 and i1 Assessments for the detailed timeline.
For more information, see the HITRUST CSF v11.7.0 Summary of Changes. For additional questions, please contact our Support team or a HITRUST Customer Success Manager (CSM).