HITRUST CSF v9.6.0 Summary of Changes
Fundamental to HITRUST’s mission is the availability of a common security and privacy framework, the HITRUST CSF (“CSF”), which provides the needed structure, transparency, guidance, and cross-references to authoritative sources organizations globally need to be certain of their data protection compliance. The initial development of the CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks—including ISO, NIST, PCI, HIPAA, and COBIT—to ensure a comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.
HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to integrate and normalize applicable requirements and best practices from its authoritative sources.
In developing a framework that can meet the needs of organizations locally, nationally, and globally, HITRUST recognizes that various organizations may have requirements imposed as a result of being part of a smaller community—such as a subset of an industry group, a State Agency, or by a cooperative sharing agreement. In many cases, these may not be new security or privacy controls but more specific implementation requirements. HITRUST provides the capability for these requirements to be incorporated, harmonized, and selected for inclusion during the assessment process and then included in the HITRUST Readiness Assessment Report, utilizing the MyCSF platform. The intent is to reduce any additional assessments by enabling organizations to Assess Once, Report Many™. The HITRUST CSF includes such community-specific authoritative sources, referred to as supplemental requirements (SR) or community supplemental requirements (CSR). Organizations required or choosing to include community-specific authoritative sources may select them with other regulatory factors under the Admin & Scoping section of the MyCSF platform. HITRUST continues to evaluate the inclusion of others based on market demand.
The HITRUST CSF v9.6 release includes changes based on feedback from the HITRUST community; miscellaneous corrections; clarification and enhancement of certain illustrative procedures to ensure alignment with the corresponding authoritative sources; modifications of certain requirement statements and illustrative procedures in anticipation of the i1 release; a refreshed NIST SP 800-53 revision 4 mapping; and the inclusion of NIST SP 800-53 revision 4 as a selectable compliance factor. These updates reflect HITRUST’s commitment to providing a framework suited to any organization globally. Organizations required or choosing to include NIST SP 800-53 revision 4 requirements can select them with other compliance factors under the Admin & Scoping section of the MyCSF platform.