By Andrew Russell, Vice President of Standards, HITRUST
CSF Version 9.6: Summary of Changes
The recently announced HITRUST CSF version 9.6 includes important modifications to requirement statements and illustrative procedures to support the introduction of the HITRUST i1 Implemented, 1-Year Validated Assessment + Certification. In addition, v9.6 includes refreshed NIST SP 800-53 revision 4 mapping, enabling selection as a compliance factor during the scoping process.
The most important v9.6 updates are establishing current i1 control requirements and developing the infrastructure to facilitate control adjustments in future CSF versions, so users can be confident that i1 assessments will evolve over time to include controls that effectively mitigate active and emerging threats.
i1 Assessments Deliver Next-Generation Assurances
As our team set out to create the i1 assessment, we found gaps in the existing cybersecurity frameworks and standards, including:
- Required controls are not always current or relevant.
- Key and recent cybersecurity risks (such as ransomware) are not always addressed.
- Updates are infrequent; many frameworks are revised only once every few years.
- Requirements are not prescriptive, so it is difficult to determine whether a control is suitable or applicable.
There is a great deal of anticipation around the innovative HITRUST i1, which is a security best practices assessment. The i1 is a new class of information security assessment that delivers continuous cyber relevance. What the HITRUST community likes best about the i1 is that with comparable levels of time, effort, and cost, it provides higher levels of transparency, integrity, and reliability compared to other kinds of assurance reports, while being threat-adaptive.
Threat-adaptive Innovation Makes the i1 Special
What do we mean by saying the i1 is “threat-adaptive”? Simply stated, as the threat landscape evolves, the HITRUST CSF framework and i1 requirements will be updated to remain cyber relevant over time and reduce future risk. This threat-adaptive practice of adjusting and refreshing information security control requirements on a regular basis differs dramatically from most common frameworks, which often remain unchanged for many years.
The Process for Determining i1 Controls
Under CSF version 9.6, the i1 includes 219 pre-set controls that leverage security best practices and threat intelligence. The process HITRUST used to identify, evaluate, and select the i1 control set was data-driven and threat-driven, based on real-world information. Using well-established cybersecurity principles covered in leading industry standards and regulatory factors across many sectors, the HITRUST Team added and required vendor- and industry-agnostic controls that reflect good hygiene and leading practices.
Establishing Threat-adaptive i1 Control Selection Included the Following Steps:
- Initially, HITRUST analyzed Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) from the prior 6 months as compiled by a leading cyber threat intelligence provider.
- This threat activity was mapped to TTPs (Tactics, Techniques, and Procedures) within the MITRE ATT&CK Framework.
- The MITRE Framework contains specific technical enterprise-level Mitigations and Detections (controls), which were mapped to HITRUST CSF requirements.
- These controls were then included in the threat-adaptive i1 Assessment.
Going Forward … HITRUST is Committed to Keeping the i1 Up-to-Date
- HITRUST will reperform this threat intelligence analysis quarterly and update the i1 requirements as deemed necessary.
- In addition to adding threat-adaptive requirements so that the i1 keeps pace with the latest cyberattack threats – including ransomware and phishing – HITRUST will also sunset requirements that are no longer justifiable (risk mitigation exceeds costs of an incident), which reduces unnecessary assessment effort.
- As a result of this design, all i1 assessments must use the then-current version of the HITRUST CSF (currently v9.6).
- Those with i1 assessments underway (object created), and those with a valid i1 Certification, will not be affected by updates to the i1 control selection until their next HITRUST assessment effort.
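As an added illustration of the selection pipeline described under “The Process for Determining i1 Controls” and of the quarterly refresh described above (example code, not HITRUST’s own tooling or mapping data), the Python sketch below counts constructed IoA observations by ATT&CK technique, maps techniques to ATT&CK mitigations and then to CSF requirement IDs, and diffs two quarters to produce additions and sunsets. The technique and mitigation IDs are real ATT&CK identifiers, but the technique-to-mitigation table is an abridged subset, and the CSF requirement IDs and event data are placeholders assumed for the example.

```python
"""Threat-adaptive control selection in miniature (constructed example)."""
from collections import Counter

# Abridged technique -> mitigation table using real ATT&CK IDs; the full
# ATT&CK matrix is far larger and this subset is chosen for illustration.
TECHNIQUE_TO_MITIGATIONS = {
    "T1566": ["M1017", "M1049"],  # Phishing -> User Training, Antivirus/Antimalware
    "T1486": ["M1053"],           # Data Encrypted for Impact -> Data Backup
    "T1110": ["M1032", "M1027"],  # Brute Force -> MFA, Password Policies
    "T1078": ["M1032"],           # Valid Accounts -> MFA
}

# Hypothetical CSF requirement IDs; the real HITRUST mapping is not on this page.
MITIGATION_TO_CSF = {
    "M1017": {"CSF-REQ-TRAINING"},
    "M1049": {"CSF-REQ-MALWARE"},
    "M1053": {"CSF-REQ-BACKUP"},
    "M1032": {"CSF-REQ-MFA"},
    "M1027": {"CSF-REQ-PASSWORD"},
}

# Constructed IoA observations: (indicator label, ATT&CK technique) per period.
Q1_EVENTS = [("phish-1", "T1566"), ("phish-2", "T1566"), ("phish-3", "T1566"),
             ("ransom-1", "T1486"), ("ransom-2", "T1486"), ("brute-1", "T1110")]
Q2_EVENTS = [("phish-4", "T1566"), ("phish-5", "T1566"), ("brute-2", "T1110"),
             ("brute-3", "T1110"), ("brute-4", "T1110"), ("acct-1", "T1078"),
             ("acct-2", "T1078"), ("ransom-3", "T1486")]


def select_controls(ioa_events, min_observations=2):
    """Return the CSF requirement IDs justified by observed threat activity.

    A technique must be observed at least `min_observations` times in the
    period before its mitigations pull requirements into the control set.
    """
    counts = Counter(technique for _, technique in ioa_events)
    selected = set()
    for technique, n in counts.items():
        if n < min_observations:
            continue
        for mitigation in TECHNIQUE_TO_MITIGATIONS.get(technique, []):
            selected |= MITIGATION_TO_CSF.get(mitigation, set())
    return selected


def refresh(previous, current):
    """Quarterly refresh: (requirements to add, requirements to sunset)."""
    return sorted(current - previous), sorted(previous - current)


if __name__ == "__main__":
    q1, q2 = select_controls(Q1_EVENTS), select_controls(Q2_EVENTS)
    print("Q1:", sorted(q1)); print("Q2:", sorted(q2)); print("delta:", refresh(q1, q2))
```

Raising `min_observations` or swapping in the next period's events shows how the selected set shifts, which is the behaviour an assessor would want to review before each update.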
HITRUST is constantly innovating to make it easier for more organizations to obtain, maintain, and exchange quality information protection assurances. As just one example, the HITRUST CSF version 9.6 enhancements for the new i1 Assessments will help organizations maintain full information protection cyber-relevance, now and in the future.
About the Author
Andrew Russell, Vice President of Standards, HITRUST
Andrew leads the HITRUST Standards group. With deep levels of expertise in information security controls mapping, controls testing, automation, and data analytics, Andrew is responsible for development enhancements and ongoing maintenance of the HITRUST CSF framework. Andrew has a decade of “Big 4” audit experience covering a wide range of standards and a diverse mixture of projects.