HITRUST CSF v11.0.0 Summary of Changes
Fundamental to HITRUST’s mission is the availability of a common security and privacy framework, the HITRUST CSF (“CSF”), which provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks—including ISO, NIST, PCI, HIPAA, and COBIT—to ensure a comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.
HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to integrate and normalize applicable requirements and best practices as authoritative sources.
In developing a framework that can meet the needs of organizations locally, nationally, and globally, HITRUST recognizes that various organizations may have requirements imposed as a result of being part of a smaller community—such as a subset of an industry group, a State Agency, or by a cooperative sharing agreement. In many cases, these may not be new security or privacy controls but more specific implementation requirements. HITRUST provides the capability for these requirements to be incorporated, harmonized, and selected for inclusion during the assessment process and then included in the HITRUST Readiness Assessment Report, utilizing the MyCSF platform. The intent is to reduce any additional assessments by enabling organizations to Assess Once, Report Many™. The HITRUST CSF includes such community-specific authoritative sources, referred to as supplemental requirements (SR) or community supplemental requirements (CSR). When using a HITRUST r2 Assessment, organizations required or choosing to include community-specific authoritative sources may select them with other regulatory factors under the Admin & Scoping section of the MyCSF platform. HITRUST continues to evaluate the inclusion of others based on market demand.
The HITRUST CSF v11.0.0 release contains the following enhancements:
- Added NIST SP 800-53 revision 5 mapping and selectable Compliance Factor
- Added Health Industry Cybersecurity Practices mapping and selectable Compliance Factor
- Refreshed NIST SP 800-171 mapping
- Refreshed NIST Cybersecurity Framework mapping
- Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping
- All evaluative elements have been moved from the Policy Illustrative Procedure to the Requirement Statement
- Requirement Statement evaluative elements have been numbered in MyCSF
- Updated all Illustrative Procedure content
- Assorted errata updates consistent with the CSF Versioning Policy