The NIST Cybersecurity Framework (CsF) continues to gain traction as a tool for reporting on the effectiveness of an organization’s cyber related controls. The HITRUST CSF continues to gain adoption as a controls and reporting framework for information privacy and security across many industries both domestically and internationally. Although for some time the HITRUST CSF has incorporated the NIST Cybersecurity Framework (NIST CsF), with the release of HITRUST CSF v9, a HITRUST CSF assessment now includes the controls necessary to address the NIST CsF requirements, and an addendum to the HITRUST CSF Assessment report displays the HITRUST CSF controls through the lens of the NIST CsF Core Subcategories though a NIST CsF Scorecard.
What people continually misunderstand is that the NIST CsF is a framework that requires an organization to define their security controls within the Core Subcategories in the NIST CsF and then ensure there’s a comprehensive process to assess those controls. So, essentially, NIST CsF needs a controls framework and assurance process.
Fortunately, there is a good solution. The HITRUST CSF includes the controls necessary to implement the NIST CsF and now, through the CSF Assurance Program, provides a NIST CsF Scorecard with every HITRUST CSF assessment report. The Scorecard enables organizations to readily demonstrate how well they meet the objectives of the NIST CsF Core Subcategories and support a more data-driven estimate of their Core Implementation Tiers.
Additionally, this allows organizations to quickly and easily interpret assessment reports as they have the context of both the controls and the assurance level. By implementing and reporting against the HITRUST CSF, organizations and their stakeholders can rest assured their cybersecurity programs are fully aligned with the NIST CsF.
A NIST Cybersecurity Framework Scorecard provides:
Compliance ratings for each NIST CsF Core Subcategory
Approximate NIST CsF Tiers by Core Subcategory, Category and Function
Consistent reporting across all critical infrastructure industries
Organizations having adopted the HITRUST CSF will also be able to use their existing HITRUST CSF-based information protection programs and associated assessments to provide general assurances around the state of their cybersecurity programs and level of organizational reliance based on the Department of Homeland Security (DHS) Critical Resilience Review (CRR) cybersecurity criteria. This further enhances the common approach used by HITRUST to provide cybersecurity assurances via the NIST CsF Scorecard.
By leveraging the HITRUST CSF Assurance Program, an organization can perform one assessment against the HITRUST CSF framework to satisfy multiple reporting requests including HIPAA, SOC 2®, NIST Cybersecurity, MARS-E or one of the other regulations or standards incorporated into the HITRUST CSF. In short, it reduces costs, resource burdens and time via an assess once, report many approach.
Additional explanation on how the HITRUST CSF is a model implementation of the NIST CsF and provides support for an organization’s attestation of compliance with the NIST Cybersecurity Framework can be found on the Department of Homeland Security / US CERT website in the Healthcare Sector Cybersecurity Framework Implementation Guide.
HITRUST understands that you have questions about risk management and information security, and we want to remind you we’re here to help with guidance, information and innovative programs and services.