One Framework, One Assessment, Globally.

The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework that provides organizations globally a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management.

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and compliance requirements.

HITRUST understands data protection compliance and the challenges of assembling and maintaining the many and varied programs, which is why our integrated approach ensures the components are aligned, maintained, and comprehensive to support your organization’s information security management program. As a result, the HITRUST CSF has become a widely adopted security and privacy framework across industries globally.

Download the HITRUST CSF v11.1.0 free of charge.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks (including ISO, NIST, PCI, HIPAA, and GDPR) to ensure a comprehensive set of security and privacy controls, and the framework continually incorporates additional authoritative sources. The HITRUST CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.

The commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new security and privacy regulations and risks are introduced.


HITRUST CSF v11.1.0 Overview
The HITRUST CSF v11.1.0 release contains the following enhancements:

  • Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
    • The existing MARS-E Compliance factor, “MARS-E v2.0”, will not be selectable as of v11.1.
  • Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”
    • The existing “IRS Pub. 1075” Compliance factor will not be selectable as of v11.1.
  • Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”


Will v11.1.0 and v11.0.1 both be in HITRUST MyCSF?

Yes. Both will be accessible in MyCSF.

If an organization is in the process of starting an assessment in v11.0.1, should they re-evaluate and move to v11.1.0?

The reason an organization would move to v11.1.0 would be to take advantage of the enhancements listed above. The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to determine the impact on an existing assessment prior to upgrading to v11.1.0, including a detailed look at the direct changes that will apply to the assessment.

How will this impact existing v11.0.1 assessments in process?

There will be no impact unless an organization and assessor firm determine the modifications to certain requirement statements and illustrative procedures in v11.1.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v11.0.1 can still be generated despite the release of v11.1.0.



Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.

