HITRUST is issuing this request for comment to gather feedback on a proposed set of updates to select certification requirements, in response to the rapidly evolving vulnerability identification and exploitation landscape made possible by frontier AI models. As the time between vulnerability disclosure, weaponization, and active exploitation continues to compress, HITRUST proposes to clarify and strengthen certain HITRUST CSF requirements so that they better reflect current operational realities and risk expectations. These updates are also intended to help organizations address the “Defend” and “Thwart” focus areas of the NIST Cyber AI Profile.
The proposed updates affect five requirements applicable to the e1 assessment type, fifteen requirements applicable to the i1 and r2 assessment types, and seven requirements applicable only to the r2 assessment type. The changes span the following domains: Endpoint Protection, Configuration Management, Vulnerability Management, Audit Logging & Monitoring, Third Party Assurance, Incident Management, and Risk Management.
Request for Feedback
Through this request for comment, HITRUST invites assessors, MyCSF subscribers, and companies with TPRM programs participating in the HITRUST certification program to review the proposed changes and provide input on their clarity, feasibility, and potential implementation impact directly in Manula. Feedback is particularly encouraged on whether the revised requirements appropriately address the increased speed and complexity of modern vulnerability exploitation while remaining practical and auditable across varying organizational environments.
Input from the community of assessors, MyCSF subscribers, and companies with TPRM programs will help ensure that the updated requirements improve the effectiveness of the certification program and support a consistent, risk-informed approach to assurance. Please provide all feedback before 7/1/2026.