A recent Government Accountability Office (GAO) report, entitled Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption,[1] supports prior guidance that the NIST Cybersecurity Framework requires specific control requirements to effectively implement the Framework’s cybersecurity objectives.

The report also “encourages the alignment of the NIST cybersecurity framework with existing cybersecurity guidelines currently in use within its respective sector. For example, the Healthcare and Public Health sector aligned the [HITRUST] Framework to the cybersecurity framework. This mapping fully incorporated the framework and provided for 135 individual security controls and 14 individual privacy controls that can be implemented by healthcare providers.”[2]

In addition, “Department officials stated that the alignment of the framework to the HITRUST Framework allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing HITRUST Framework.”[3]

“We are pleased to be noted as a critical element in an organization’s adoption of the NIST Cybersecurity Framework and want to make sure industry understands the importance security controls play in its implementation,” said Dr. Bryan Cline, Vice President, Standards & Analysis, HITRUST.

While the GAO report highlights the need for control requirements when effectively implementing the NIST Cybersecurity Framework, there are other considerations as well:

  • Robust maturity model – Supports an accurate and precise evaluation of your security controls and overall security posture
  • Comprehensive assurance methodology – Provides independent validation that you have effectively implemented the controls
  • Transparent assurance process – Ensures anyone reviewing an assessment understands the underlying evaluation and validation processes
  • Certification or accreditation against the NIST Cybersecurity Framework – Important if you intend to leverage your assessment with other parties, such as customers and regulators
  • “Assess Once Report Many” – Allows you to report against the NIST Cybersecurity Subcategories, as well as provide an indication of your compliance with the various US and International standards and regulations such as HIPAA, GDPR, PCI in one assessment, reducing costs, saving time and resources
  • Benchmarking – Allows organizations to compare themselves with others against the NIST Cybersecurity Subcategories

Through the HITRUST CSF and CSF Assurance program, HITRUST helps you address all of these considerations and more when implementing the NIST Cybersecurity Framework in your organization.

To learn more about how you can leverage the HITRUST CSF and CSF Assurance program, download the Healthcare Sector Cybersecurity Framework Implementation Guide from the US-CERT Website today, or contact us directly at info@HITRUSTalliance.net.


[1] U.S. Government Accountability Office (2018, February). Report to Congressional Committees on Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption (Publication No. GAO-18-211). Washington, D.C.: Author. Retrieved from the GAO Reports & Testimonies Web page: https://www.gao.gov/products/GAO-18-211
[2] Ibid, p. 15.
[3] Ibid.