HAA 2026-002 CSF Version 11.8.0 Release

Written by HITRUST | May 8, 2026 2:00:00 PM
Overview

The HITRUST CSF v11.8.0 framework (v11.8.0) is available within MyCSF and downloadable here as of May 8, 2026.  

The changes included in v11.8.0 consist of: 

  • Continued requirement statement consolidation to reduce the volume of requirement statement overlap within the CSF
  • Several new and refreshed Authoritative Sources
New and Refreshed Authoritative Sources 

v11.8.0 includes the following new Authoritative Sources:

  • Added Commonwealth of Virginia Information Technology Resource Management Standard SEC530 (SEC530) mapping and selectable Compliance factor, “Commonwealth of Virginia SEC530”
  • Added National Institute of Standards and Technology Special Publication 800-137 (NIST SP 800-137) mapping and selectable Compliance factor, “NIST SP 800-137”
  • Added ISO/IEC 29100 Information Technology - Security Techniques - Privacy Framework 2024 (ISO/IEC 29100:2024) mapping and selectable factor, “ISO/IEC 29100:2024”
  • Added Open Worldwide Application Security Project - Top 10 for LLM Applications 2025 (OWASP LLM v2025) mapping and selectable factor, “OWASP Top 10 for LLM Applications 2025”

The following Authoritative Sources have been refreshed in v11.8.0: 

  • Texas Medical Records Privacy Act mapping and selectable factor, “Texas Medical Records Privacy Act”
  • PCI v4.0.1 mapping and selectable factor, “PCI DSS v4.0.1”
  • AICPA SOC 2 TSC mapping 
 
e1 and i1 Assessment Baseline Impacts

With the release of v11.8.0, HITRUST is making changes to the e1 and i1 baselines. These adjustments are the result of feedback from users of the HITRUST CSF.

 
Modifications in the Current e1/i1 Baseline:

0302.09o1Organizational.5 [1000.0] –

Current [1000.0]: “The organization protects and controls digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography, tamper-evident packaging, a securable container (e.g., locked briefcase) via authorized personnel if hand-carried, and a trackable receipt by commercial carrier if shipped. The organization: maintains accountability for information system media during transport outside of controlled areas; documents activities associated with the transport of information system media; and restricts the activities associated with transport of such media to authorized personnel.”

Updated [1000.1]: “The organization protects and controls digital media containing sensitive information during transport outside of controlled areas using cryptography. The organization: maintains accountability for digital and non-digital media containing sensitive information during transport outside of controlled areas; documents activities associated with the transport of digital and non-digital media; and restricts the activities associated with transport of such media to authorized personnel.”

14.05i1Organizational.3 [3207.0] –

Current [3207.0]: “The organization ensures all third-parties with access to the organization’s information or information systems meet contractual commitments for information security. The organization reviews independent assessments of all third-parties with access to its information or information systems to determine the suitability of the third parties’ information security practices (e.g. security certification, attestation, or audit report, verification) at least annually.”

Updated [3207.0]: “The organization ensures all third-parties with access to the organization’s information or information systems meet contractual commitments for information security. The organization reviews independent assessments or independent verifications of all third-parties with access to its information or information systems to determine compliance with contract provisions (e.g. security certification, attestation, audit report, or verification) at least annually.”


Additional Resources 

See HAA 2026-003 which sets the creation deadline for e1 and i1 assessments using CSF v11.7.0.  

For more information, see the HITRUST CSF v11.8.0 Summary of Changes. For additional questions please contact our Support team or a HITRUST Customer Success Manager (CSM).