CSF Assurance Program Requirements
August 3, 2016
Policy/Program Change Details
This advisory reminds External Assessor Organizations of the addition of CSF control 01.e, Review of User Access Rights, and CSF control 01.t, Session Time-out, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. (See HAA 2016-003 and -004.) Failure to include CSF controls 01.e and 01.t will prevent organizations from submitting their assessments for HITRUST validation and certification against the CSF version 8 release. These two additional requirements increase the total number of CSF controls required for HITRUST CSF certification from 64 to 66.
See HAA 2016-003 and HAA 2016-004.
Timetable for Implementation
Effective Date: 1 July 2016