By Andrew Russell, Vice President of Standards, HITRUST
AI-based Standards Tooling Developed by HITRUST Accelerates Regulations and Standards Updates in the CSF Framework, Reduces Compliance Effort Waste, and Increases Assessment Efficiency.
As with any project, having the right tools in place leads to a better end product in a fraction of the time. As part of the CSF v11 release, HITRUST built a new AI-based toolkit that precisely and efficiently performs mappings from the CSF to other standards and regulations. Previously these mappings were compiled manually, which is like trying to build a house with a hammer and a hand saw. You can get the job done, but investing in power tools would have saved you considerable time and effort.
Faster, More Efficient Mapping
New tooling capabilities allow for Artificial Intelligence to perform the initial mapping more efficiently using natural language processing technology. Adding AI to populate the built-in NIST OLIR (Online Informative References) methodology for describing control relationships resulted in a 70% reduction in the level of effort needed for mappings and maintenance of the CSF library, which means HITRUST can add new Authoritative Sources to the CSF faster in the future.
What Is “Mapping” and Why Does it Matter?
Mapping, or the association between two or more unique authoritative sources, allows assessed entities to “test once and report many” by leveraging testing across any framework they need to adhere to. Mappings allow organizations to be more efficient with their compliance resources by reusing testing previously performed.
With the release of CSF v11.0.0, HITRUST has mappings to dozens of different authoritative sources to enable a wide range of compliance coverage within r2 Assessments, which allows tailoring to select specific compliance and risk factors. This breadth of coverage is the culmination of years of mapping effort with hand-selected and curated requirements for each authoritative source.
So How Do the Tooling Investments Benefit r2 Users?
Natural Language Processing Technology reads the controls within an authoritative source and responds with the top HITRUST requirement statements that address those controls. Each of the AI responses is weighted based on the evaluative elements within the matched requirement statement, with a higher weight being assigned to requirement statements with a greater percentage of evaluative elements matched. This tiered weighting approach provides meaningful feedback for the human reviewers in the mapping process and allows them to consider which requirement(s) best provide(s) defensible coverage of the authoritative source control, without significantly exceeding the expectations of the control with extraneous evaluative elements. The result of this is less compliance effort waste for users of the HITRUST CSF framework. Why assess against four evaluative elements when three address your compliance needs?
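To make the tiered weighting concrete, here is a small constructed model of the scoring step described above. It is an added illustration, not HITRUST's tooling: keyword overlap stands in for the NLP matcher, the threshold, the sample control text, and the requirement statements R1–R3 with their evaluative elements are all assumptions.

```python
"""Constructed illustration of tiered weighting: each candidate requirement
statement is weighted by the fraction of its evaluative elements matched by
the authoritative-source control. Not HITRUST code; keyword overlap stands in
for the NLP step."""
from __future__ import annotations
import re
from dataclasses import dataclass

STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "for", "in", "on",
             "is", "are", "be", "with", "that", "all"}

def terms(text: str) -> set[str]:
    """Lowercased content words of a control or evaluative element."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}

@dataclass
class Requirement:
    rid: str
    elements: list[str]  # evaluative elements of the requirement statement

def element_matches(control: str, element: str, threshold: float = 0.5) -> bool:
    """An element matches when at least `threshold` of its content terms appear
    in the control text (assumed heuristic in place of the NLP matcher)."""
    e = terms(element)
    return bool(e) and len(e & terms(control)) / len(e) >= threshold

def weight(control: str, req: Requirement) -> tuple[float, int, int]:
    """Return (weight, matched elements, extraneous elements)."""
    matched = sum(element_matches(control, el) for el in req.elements)
    return matched / len(req.elements), matched, len(req.elements) - matched

def rank(control: str, reqs: list[Requirement], top: int = 3) -> list[tuple]:
    """Highest weight first; ties broken by fewer extraneous elements, so the
    reviewer sees the candidate that covers the control without excess scope."""
    scored = [(r.rid, *weight(control, r)) for r in reqs]
    return sorted(scored, key=lambda s: (-s[1], s[3]))[:top]

# Constructed sample data (not from any real authoritative source or the CSF).
CONTROL = "Multi-factor authentication is required for all remote access to the internal network."
CANDIDATES = [
    Requirement("R1", ["Multi-factor authentication is required for remote access",
                       "Remote access to the internal network is authenticated"]),
    Requirement("R2", ["Remote access requires multi-factor authentication",
                       "Remote access sessions use approved encryption protocols",
                       "Remote access is monitored for anomalous activity"]),
    Requirement("R3", ["Strong authentication is used for remote access",
                       "Passwords meet minimum complexity requirements"]),
]

if __name__ == "__main__":
    for rid, w, m, extra in rank(CONTROL, CANDIDATES):
        print(f"{rid}: weight={w:.2f} matched={m} extraneous={extra}")
```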
How Does the NIST OLIR Come into Play?
Not only are tiered weights important, but there are also additional considerations that go into describing the HITRUST position on why we believe our mappings make sense. The NIST OLIR is a primary resource for this purpose. The NIST National Online Informative References (OLIR) program is designed to provide a standard format for expressing relationships between NIST documents, such as NIST SP 800-53 Revision 5, and frameworks, such as the HITRUST CSF. HITRUST adopted the NIST OLIR methodology within our own mapping process to clearly describe our opinion of the relationship type, strength, and rationale for each control mapping. For every mapping that we release, corresponding OLIR data is assigned and reviewed through a multi-tier human review process. This hands-on analysis is in addition to the application of AI tooling. Using a multi-pronged approach gives our mapping defensibility while increasing the efficiency of the assessment for customers.
HITRUST has already shown through the launch of v11 that the investment in this improved tooling has accelerated the rate at which mappings can be released. With v11 we introduced two new authoritative source mappings, the highly anticipated NIST 800-53 Revision 5 and HICP (Health Industry Cybersecurity Practices), along with refreshes to the existing mappings for HIPAA, NIST CSF, and NIST 800-171. In the coming months, we plan to launch v11.1, which will allow customers to assess against MARS-E v2.2 along with other refreshed authoritative sources for which we have received requests. More mappings equal more reliance, a major win for HITRUST customers.
Stay tuned for more updates and insights into what we are working on as HITRUST continues to invest in tools, processes, and innovations that support the HITRUST CSF. We have several exciting enhancements in the works, but for now, we hope you can take full advantage of the existing investments by upgrading to v11.
For eligible organizations, the HITRUST CSF v11 is available to download free of charge.
About the Author
Andrew Russell, Vice President of Standards, HITRUST
Andrew leads the HITRUST Standards group. With deep levels of expertise in information security controls mapping, controls testing, automation, and data analytics, Andrew is responsible for development enhancements and ongoing maintenance of the HITRUST CSF framework. Andrew has a decade of “Big 4” audit experience covering a wide range of standards and a diverse mixture of projects.