HITRUST CSF v11.1.0 Summary of Changes
Fundamental to HITRUST’s mission is the availability of a common security and privacy framework, the HITRUST CSF (“CSF”), which provides the needed structure, transparency, guidance, and cross-references to authoritative sources organizations globally need to be certain of their data protection compliance. The initial development of the CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks—including ISO, NIST, PCI, HIPAA, and COBIT—to ensure a comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.
HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to integrate and normalize applicable requirements and best practices as authoritative sources.
In developing a framework that can meet the needs of organizations locally, nationally, and globally, HITRUST recognizes that various organizations may have requirements imposed as a result of being part of a smaller community—such as a subset of an industry group, a State Agency, or by a cooperative sharing agreement. In many cases, these may not be new security or privacy controls but more specific implementation requirements. HITRUST provides the capability for these requirements to be incorporated, harmonized, and selected for inclusion during the assessment process and then included in the HITRUST Readiness Assessment Report, utilizing the MyCSF platform. The intent is to reduce any additional assessments by enabling organizations to Assess Once, Report Many™. The HITRUST CSF includes such community-specific authoritative sources, referred to as supplemental requirements (SR) or community supplemental requirements (CSR). When using a HITRUST r2 Assessment, organizations required or choosing to include community-specific authoritative sources may select them with other regulatory factors under the Admin & Scoping section of the MyCSF platform. HITRUST continues to evaluate the inclusion of others based on market demand.
The HITRUST CSF v11.1.0 release contains the following enhancements:
- Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
- The existing MARS-E Compliance factor, “MARS-E v2.0” will not be selectable as of v11.1.
- Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”
- The existing “IRS Pub. 1075” Compliance factor, will not be selectable as of v11.1.
- Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”