NIST Cybersecurity Framework Scorecard
- Demonstrates Compliance
- With each HITRUST Risk-Based, 2-Year (r2) Validated Assessment Report (formerly named the HITRUST CSF Validated Assessment Report) issued, HITRUST includes a scorecard detailing your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework.
Note: The NIST Cybersecurity Framework Scorecard is not available with a HITRUST Implemented, 1-Year (i1) Validated Assessment.
The NIST Cybersecurity Framework (CsF) provides a mechanism for assessing and maturing a cybersecurity program based on 98 objective-level Core Subcategories, each describing an intended cybersecurity outcome. It was designed as an overarching, industry-agnostic framework for applying risk management principles and best practices to improve the security and resilience of critical infrastructure. It does not, however, specify the underlying cybersecurity control requirements or provide a way to verify that those controls are implemented effectively. Instead of defining a controls framework of its own, the NIST CsF points to ‘informative references’, external control frameworks such as the HITRUST CSF, that an organization can use to achieve the stated outcomes.
The HITRUST CSF and the HITRUST Assurance Program complement the NIST CsF in two major ways: 1) the HITRUST CSF provides the control-level detail needed to implement each of the 98 cybersecurity objectives in a way that also maps to, and meets, many critical compliance and risk management standards as efficiently as possible; and 2) the Assurance Program provides a standards-driven process to monitor, assess, and maintain those controls. Without the HITRUST CSF, organizations using the NIST CsF must define these control requirements and assessment processes themselves.
The HITRUST CSF also supports reporting against the NIST CsF. Organizations participating in the HITRUST Assurance Program can view their information privacy and security programs through the lens of the NIST CsF. The NIST CsF Scorecard, provided in every HITRUST r2 Validated Assessment Report, details how well an organization meets the objectives specified by the NIST CsF Core Subcategories. Note that the scorecard is derived: each Subcategory result reflects how well the organization has implemented the HITRUST CSF controls mapped to that Subcategory, not a separate assessment performed directly against the NIST CsF.
Adding NIST CsF reporting and certification to HITRUST r2 Validated Assessments is core to the HITRUST value proposition: the ability to map information security-related standards and regulations to the HITRUST CSF. An organization can conduct a single HITRUST r2 Assessment and, based on that one assessment, provide assurances against multiple regulations, standards, and best practice frameworks, including the NIST CsF. This Assess Once, Report Many™ approach can save substantial time and effort for any organization that must demonstrate NIST Cybersecurity Framework compliance in addition to its other assurance reporting obligations.