One Framework, One Assessment, Globally.

The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework that provides organizations globally a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management.

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and compliance requirements.

HITRUST understands data protection compliance and the challenges of assembling and maintaining the many and varied programs, which is why our integrated approach ensures the components are aligned, maintained, and comprehensive to support your organization’s information security management program. Due to this, HITRUST CSF has become a widely adopted security and privacy framework across industries globally.

Download the HITRUST CSF v11.0.0 free of charge.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, and GDPR–to ensure a comprehensive set of security and privacy controls, and continually incorporates additional authoritative sources. The HITRUST CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.

The commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new security and privacy regulations and risks are introduced.

HITRUST CSF v11.0.0 Overview
The HITRUST CSF v11.0.0 release contains the following enhancements:

  • Added NIST SP 800-53 revision 5 mapping and selectable Compliance Factor
  • Added Health Industry Cybersecurity Practices mapping and selectable Compliance Factor
  • Refreshed NIST SP 800-171 mapping
  • Refreshed NIST Cybersecurity Framework mapping
  • Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping
  • All evaluative elements have been moved from the Policy Illustrative Procedure to the Requirement Statement
  • Requirement Statement evaluative elements have been numbered in MyCSF
  • Updated all Illustrative Procedure content
  • Assorted errata updates consistent with the CSF Versioning Policy

FAQ

What has changed between v9.6 and v11?

The HITRUST CSF version 11 (v11) enables a fully traversable portfolio, which facilitates seamless movement between HITRUST assessments based on the use of common requirement statements to maximize reusability. As risk and compliance program maturity or information protection needs change, v11 allows organizations to use what they have already done to easily upgrade to higher levels of HITRUST assurance with just incremental effort. v11 enables cyber threat adaptive HITRUST Assessments across the portfolio that continuously evolve to address emerging threats such as ransomware and phishing.

The HITRUST CSF v11 framework includes new and refreshed Authoritative Sources powered by the speed and efficiency of Artificial Intelligence (AI). It also includes changes to Evaluative Elements and Illustrative Procedures that make it easier for MyCSF users to parse and score Requirement Statements.

v11 contains the following new and refreshed Authoritative Sources:

  • Added NIST SP 800-53 revision 5 mapping and selectable Compliance Factor
  • Added Health Industry Cybersecurity Practices mapping and selectable Compliance Factor
  • Refreshed NIST SP 800-171 mapping
  • Refreshed NIST Cybersecurity Framework mapping
  • Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

For more details about HITRUST CSF v11, refer to Advisory HAA 2023-001: CSF Version 11 Release.

Will v11 and v9.1-9.6 all be in the HITRUST MyCSF platform?

Yes, v11 and v9.1 – 9.6 are currently accessible in MyCSF.
However, v9.1 – v9.4 are transitioning to an end-of-life process for r2 assessments, and i1 assessments will transition from v9.6.2 to v11.

r2 Assessments

  • On September 30, 2023, the ability to create new v9.1 – v9.4 r2 assessment objects in MyCSF is disabled.
  • On December 31, 2024, the ability to submit v9.1 – v9.4 r2 assessment objects in MyCSF is disabled.
  • On March 31, 2026, v9.1 – 9.4 libraries are removed from MyCSF.

v9.5 and v9.6 will continue to be available for r2 Assessments.

i1 Assessments

  • Between January 18, 2023 and April 30, 2023, i1 assessments may be created using either v9.6.2 or v11.
  • On April 30, 2023, the ability to create new v9.6.2 i1 assessment objects in MyCSF is disabled.

On July 31, 2021, the ability to submit v9.6.2 and earlier i1 assessment objects in MyCSF is disabled.

How will the introduction of CSF v11 impact existing v9.1 – 9.6 r2 assessments in process?

There will be no impact to existing v9.1 – 9.6 r2 assessments in process unless an assessed entity chooses to upgrade an in-process assessment to v11. Note that existing v9.1 – 9.4 r2 assessments must be submitted to HITRUST by December 31, 2024.

How will this impact existing v9.6 i1 assessments in process?

In-process i1 assessments using v9.6 or earlier must be submitted to HITRUST by July 31, 2023 or upgraded to v11 if not submitted by July 31, 2023.

Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.
