The HITRUST CSF was developed to address the multitude of security, privacy, and regulatory challenges facing organizations. By including federal and state regulations, standards, frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security and privacy controls.
  • Includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, and PCI;
  • Scales controls according to type, size, and complexity of an organization;
  • Provides prescriptive requirements to ensure clarity;
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds;
  • Allows for the adoption of alternate controls, when necessary;
  • Evolves according to user input and changing conditions in the standards and regulatory environment on an annual basis; and
  • Provides a unified approach for managing data protection compliance.

Qualified organizations can download the FREE version of HITRUST CSF v9.3.

HITRUST® also offers a risk assessment tool called MyCSF® to help in the implementation of the framework. MyCSF is a secure, web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.
Note: The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving data protection, provided said organization does not offer security and/or privacy products or services. Additionally, any federal, state, or local agency or department may be considered a qualified organization. HITRUST has the right to verify eligibility.