HITRUST CSF® Assessment together with NIST Cybersecurity Framework Subcategories becoming standard reporting approach for boards of directors

Frisco, TX – May 22, 2018 – HITRUST, a leading security and privacy standards development and accreditation organization, announced today its certification program for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the NIST Cybersecurity Framework (Framework). Through the HITRUST CSF Assurance Program and assessment scorecard for the NIST Framework, HITRUST offers organizations an effective and efficient means of assuring management, business partners, and regulators their compliance with the NIST Framework’s objectives.


By leveraging the HITRUST CSF — a controls-based risk management framework that aligns with and supports the NIST Framework — HITRUST is uniquely positioned to deliver on the goal of sector-specific Target Profiles envisioned by NIST, the Federal Communication Commission’s Communications Security, Reliability and Interoperability Council in the Communications Sector, Health and Human Services (HHS) in the Healthcare and Public Health (HPH) Sector, U.S. Coast Guard and National Highway Traffic Safety Administration in the Transportation Sector, the Financial Services Sector Coordinating Council in the Financial Sector, and others. The NIST Framework requires an organization to determine the security controls it needs to achieve the objectives defined by the Core Subcategories, i.e., its Target Profile, and ensure there is a comprehensive process to assess those controls.

The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework.

“There has been much discussion recently around the development of NIST industry-specific guidance for various industry sectors to help organizations implement the NIST Framework in a way that addresses their specific needs efficiently and effectively, similar to what HITRUST has done in the HPH sector. HITRUST CSF assessments, together with the NIST Framework subcategory reporting format, are being used broadly to communicate information privacy and security programs to boards of directors,” said Ken Vander Wal, Chief Compliance Officer, HITRUST.

The 2018 Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection recognized “the alignment of the framework to the [HITRUST CSF] allows organizations to demonstrate compliance with NIST.” HITRUST also worked with the Department of Homeland Security and HHS to publish the Healthcare Sector Cybersecurity Framework Implementation Guide, helping healthcare organizations integrate all aspects of the NIST Framework into their cybersecurity programs. Building on this model, HITRUST has committed to developing additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors.

“The controls framework-based approach to specifying NIST Framework Target Profiles described in the healthcare sector’s implementation guide also helps one determine an industry-acceptable level of due care for the protection of sensitive health information, as required under the HIPAA Security Rule, as well as address the coming GDPR [General Data Protection Regulation] requirements,” said Dr. Bryan Cline, VP Standards and Analysis, HITRUST, and an author of the HPH sector guide.

A HITRUST CSF scorecard of the NIST Framework provides:

  • Compliance ratings for each NIST Framework Core Subcategory,
  • Guidance for approximating NIST Framework Implementation Tiers based on the compliance ratings, and
  • Consistent reporting across all critical infrastructure industries.

The HITRUST CSF Assurance Program can also help organizations understand and report their effectiveness against many other standards and leading practice frameworks. With just one assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Framework, GDPR, International Organization for Standardization (ISO) 27001, Payment Card Industry (PCI) and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, and can even obtain a Service Organization Control (SOC) 2® report.

The HITRUST CSF is the most widely adopted controls framework in healthcare. “And our next release, version 10, will further streamline the HITRUST CSF to help organizations outside of healthcare and the United States more easily leverage the framework and achieve the same benefits for NIST Cybersecurity Framework implementation,” concluded Cline.

HITRUST offers a complete set of components for independent verification and certification that includes the HITRUST CSF, HITRUST CSF Assurance Program, and HITRUST MyCSF® – an integrated risk assessment and management tool that optimizes and harmonizes the HITRUST content and methodologies.

Organizations can obtain a HITRUST certification of their cybersecurity program’s implementation against the NIST Framework by submitting an assessment through the current HITRUST CSF Assurance Program.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.

To view the press release, click here.