HITRUST CSF v11.1.0 Framework FAQs
Will v11.1.0 and v11.0.1 both be in HITRUST MyCSF?
Yes. Both will be accessible in MyCSF.
What’s different between HITRUST CSF v11.1.0 and v11.0.1?
The HITRUST CSF v11.1.0 release contains the following enhancements:
- Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
- The existing MARS-E Compliance factor, “MARS-E v2.0,” will not be selectable as of v11.1.
- Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”
- The existing “IRS Pub. 1075” Compliance factor will not be selectable as of v11.1.
- Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”
If an organization is in the process of starting an assessment in v11.0.1, should they re-evaluate and move to v11.1.0?
The reason an organization would move to v11.1.0 would be to take advantage of the enhancements listed above. The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to determine the impact on an existing assessment prior to upgrading to v11.1.0, including a detailed look at the direct changes that will apply to the assessment.
How will this impact existing v11.0.1 assessments in process?
There will be no impact unless an organization and assessor firm determine the modifications to certain requirement statements and illustrative procedures in v11.1.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v11.0.1 can still be generated despite the release of v11.1.0.
Why choose the HITRUST CSF over other frameworks (ISO, NIST, etc.)?
The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources, including ISO, NIST, PCI, and HIPAA, and allows tailoring the requirements to an organization based on specific organizational, system, and compliance risk factors. The level of integration and prescriptiveness provided by the framework, along with the quality and rigor of the HITRUST Assurance Program and supporting HITRUST products and services, make the HITRUST CSF the easy choice for organizations in any industry.
How can I obtain a copy of the HITRUST CSF?
The latest version of the HITRUST CSF framework is available to download for FREE on the HITRUST website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving information protection, provided said organization does not offer security and/or privacy products or services. In addition, any federal, state, or local agency or department may be considered a qualified organization.
If you are not sure whether your organization is qualified, please contact firstname.lastname@example.org or call 855-HITRUST. HITRUST has the right to verify eligibility.
Download the HITRUST CSF free of charge for qualified organizations.
How do I get started adopting the HITRUST CSF framework?
The decision to adopt the HITRUST CSF should be made at the organizational level; after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by utilizing the HITRUST MyCSF SaaS solution. Once the information protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.
How is the HITRUST CSF structured?
The core structure of the HITRUST CSF is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy related regulations, standards, and frameworks providing comprehensive and prescriptive coverage.
The HITRUST CSF is structured along the lines of ISO 27001:2005 with its 11 control clauses (or categories); however, it adds an additional control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and another category to address risk management. HITRUST has also incorporated a 14th control category to address specific privacy practices, such as GDPR, that are otherwise not addressed in the previous 13 categories.
There are 156 security and privacy-related control specifications, with associated implementation requirements; of which, 21 specifically address privacy practices.
Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including an organization’s type, size, systems, regulatory, and compliance requirements.
The HITRUST CSF risk-based approach applies security/privacy resources commensurate with the level of risk by defining multiple levels of implementation requirements, which increase in restrictiveness. Three levels of requirements are defined based on organizational and system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, commensurate with increasing levels of risk.
To further tailor the control baseline, the compliance-based approach offered in the HITRUST r2 Assessment allows organizations to incorporate additional regulatory or compliance components which meet the organization’s needs and/or requirements.
Has the HITRUST CSF been adopted internationally?
Yes, organizations outside of the US have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST, and we expect this interest to grow as adoption continues to increase within the US.
For more information, refer to the Understanding and Leveraging the CSF webpage.
Is the HITRUST CSF an industry standard for healthcare?
The HITRUST CSF is an information protection standard which can be effectively used by organizations across any industry – not just healthcare. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of information, including electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, and other sensitive information.
What is the relationship between the control categories of the HITRUST CSF and the assessment domains in MyCSF?
The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains, based on common IT organizational structure. This is done to make performing an assessment more efficient as controls should be well-grouped around typical IT departments.