HITRUST CSF and NIST CSF FAQs
What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped to each Core Subcategory within a Category. However, no additional Corrective Action Plans (CAPs) are needed to support HITRUST’s certification of the NIST Cybersecurity Framework beyond what is required for HITRUST CSF certification.
What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.
Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
While it is possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because both certifications are based on a single assessment. The individual scores for each control requirement are the same; they are simply aggregated differently to support reporting against the HITRUST CSF Assessment Report domains and the NIST Cybersecurity Framework Core Categories.
How long is HITRUST Certification for the NIST Cybersecurity Framework valid?
The HITRUST Certification of the organization’s implementation of the NIST Cybersecurity Framework is valid for two (2) years, the same period as the HITRUST Assessment Report it accompanies.
What’s included in the HITRUST Certification Report for the NIST Cybersecurity Framework?
Each HITRUST r2 Validated Assessment Report (formerly named the HITRUST CSF Validated Assessment Report) includes a NIST Cybersecurity Framework Scorecard detailing your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework. HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST r2 Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the HITRUST Assessment Report.
Is a HITRUST Assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST Certification for the NIST Cybersecurity Framework? If so, what is the cost?
Yes, a HITRUST r2 Assessment is a requirement for certification against the NIST Cybersecurity Framework. This is because the HITRUST CSF provides the detailed requirements an organization should implement to adequately address the cybersecurity objectives—what NIST refers to as “outcomes”—specified by the NIST Cybersecurity Framework Core Subcategories. Accordingly, HITRUST will only issue a certification for the NIST Cybersecurity Framework together with a HITRUST r2 Assessment Report; there is no separate, stand-alone NIST Cybersecurity Framework certification or price.
Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?
Yes, this is done automatically because the same control requirements evaluated by the HITRUST Assessor for HITRUST r2 Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation. The control requirements are simply mapped and aggregated differently for the NIST Framework’s scorecard.
If I am already HITRUST Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?
No separate request or assessment is needed. Because the same control requirements evaluated by the HITRUST Assessor for HITRUST r2 Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation (mapped and aggregated differently for the NIST Framework’s scorecard), the NIST Cybersecurity Framework Letter of Certification and scorecard are issued with your HITRUST r2 Assessment Report, along with a separate Letter of Certification and scorecard that can be distributed on their own, provided the NIST Core Category scoring criteria were met.
If I am HITRUST Certified, am I also certified for the NIST Cybersecurity Framework?
HITRUST r2 Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they are just mapped and aggregated differently. However, because they are mapped and aggregated differently, it is possible, though rare, for an organization to achieve certification against one framework but not the other. It is important to note that both certifications are achieved via the same assessment. There is no separate NIST CSF assessment apart from the HITRUST r2 Assessment.
Who do I contact to better understand HITRUST’s Certification for the NIST Cybersecurity Framework?
Contact HITRUST by email at sales@hitrustalliance.net or by phone at 1.855.448.7878.
Is the HITRUST Certification for the NIST Cybersecurity Framework just for healthcare?
No, HITRUST Certification of an organization’s implementation of the NIST Cybersecurity Framework—just like HITRUST Certification—can be obtained by any organization, regardless of industry or whether they are US-based or international.
What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST Certification?
HITRUST Certification is based on an organization meeting specific scoring criteria for the assessed requirements aggregated into 19 topical domains, e.g., access control and wireless network security. The scorecard HITRUST uses to support certification of an organization’s security program against the NIST Cybersecurity Framework aggregates the scores by NIST Framework Core Subcategories.
What controls are included in both a HITRUST Certification and HITRUST’s Certification for the NIST Cybersecurity Framework?
An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity Framework Target Profile. While the control requirements map to various NIST Framework Core Subcategories, the control requirements for an organization’s HITRUST Certification and certification of its NIST Cybersecurity Framework implementation are the same.
Does NIST recognize HITRUST as a certifying organization?
Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also includes conformity demonstrations such as certification. While it cannot endorse any commercial approach, NIST goes on to state it “will continue working with those who manage confidence mechanisms programs to assist industry in further leveraging these resources; and private and public-sector entities that have a need for conformity demonstration, to help understand how these organizations can leverage existing programs.”
Is HITRUST’s Certification for the NIST Cybersecurity Framework separate from HITRUST Certification?
Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an organization’s Current and Target Profiles based on the HITRUST CSF control requirements that map to each of the NIST Cybersecurity Framework’s Core Subcategories.
However, because both certifications are derived from the same assessment, a HITRUST Certification will generally also result in a HITRUST Certification of an organization’s NIST Framework implementation; the rare exception is an organization that meets the scoring criteria for one aggregation but not the other.
What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework?
ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.
Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.
Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.
How can an organization communicate it has obtained a HITRUST Certification for the NIST Cybersecurity Framework?
As part of the HITRUST Assurance Program, upon receiving a HITRUST Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST Certification status, which also covers certification of their cybersecurity program against the NIST Cybersecurity Framework and a scorecard detailing the assessment results based on the NIST Framework’s Core Subcategories.
Email PR@HITRUSTAlliance.net for more information.
Why should my organization get a certification relating to the NIST Cybersecurity Framework?
There has been a marked increase in the level of interest by corporate Boards and executive management in using the NIST Cybersecurity Framework [“Framework”], which can provide a “Rosetta Stone” for internal and external stakeholders, regardless of industry or sector, to understand and communicate an organization’s current and future (intended) state of cybersecurity readiness.
Refer to the NIST Cybersecurity Framework Website at https://www.nist.gov/cyberframework/perspectives for more information.