HITRUST CSF 9.3 adds CCPA, SCIDSA, and NIST SP 800-171 authoritative sources

HITRUST, a leading data protection standards development and certification organization, announced the availability of version 9.3 of the HITRUST CSF information risk and compliance management framework, further delivering on its mission of One Framework, One Assessment, Globally.

HITRUST CSF version 9.3 now incorporates and harmonizes 44 authoritative sources, most recently adding one new data privacy-related and two new security-related authoritative sources, as well as updating six existing sources as compared to the previous release.

As security and privacy requirements change in response to new and updated laws and regulations, or breaches and other cyber events, HITRUST is committed to maintaining and expanding the relevancy and applicability of the HITRUST CSF to meet the evolving regulatory and risk management landscape and associated control requirements.

HITRUST CSF v9.3 updates include:

  • The California Consumer Privacy Act (CCPA) 1798 – requiring qualifying organizations to protect consumer data in specific ways and to give consumers the ability to opt out of the sharing of their data;
  • The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – requiring qualifying organizations to maintain a comprehensive information security program and to report cybersecurity events;
  • NIST SP 800-171 R2 (DFARS) – providing guidance on protecting controlled unclassified information in nonfederal systems and organizations; and
  • Updating various authoritative sources to latest versions, specifically AICPA 2017, CIS CSC v7.1, ISO 27799:2016, CMS/ARS v3.1, IRS Publication 1075 2016, and NIST Cybersecurity Framework v1.1.

Further enhancements include:

  • Updates to the glossary to better clarify terms found in the HITRUST CSF,
  • Adjusted authoritative source mappings to more fully harmonize requirements across industries and sectors, and
  • Adjusted selected risk and regulatory factors to ensure that only controls appropriate to a given assessment are included, streamlining the required questions.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but the amendments made thereto during the recent California Legislative Session.

Businesses of various sizes, industries, and privacy and security maturity levels must comply with the CCPA starting January 1, 2020.

There is still much confusion in the market about what CCPA compliance means, and HITRUST is committed to helping organizations meet the challenge.

HITRUST will continue to enhance the CCPA content in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools. It will do so by monitoring changes to the law, including the draft rules released by the California Attorney General’s Office, the new ballot initiative proposed by Californians for Consumer Privacy, and related legislation.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance.

The HITRUST CSF is a key component of the HITRUST Approach, which provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

HITRUST recognizes that many organizations prefer the reporting structure defined in the NIST Cybersecurity Framework. HITRUST has been actively supporting the development and implementation of the NIST Cybersecurity Framework since its initial release.

In fact, a 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF with the NIST Cybersecurity Framework, as the HITRUST CSF provides a reasonable and appropriate set of controls and an assessment of those controls via the HITRUST CSF Assurance Program.

In addition, organizations can subsequently receive certification from HITRUST of their implementation of the NIST Cybersecurity Framework.

HITRUST developed the Healthcare Sector Cybersecurity Framework Implementation Guide. The Sector Guide helps healthcare organizations integrate all aspects of the NIST Cybersecurity Framework into their cybersecurity program, leveraging HITRUST’s approach to control framework-based risk analysis.

Building on this model, HITRUST has committed to developing and maintaining additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors. The next guide is expected in early 2020.

Looking ahead to the next major release, HITRUST CSF v10, which has a targeted release date of Q4 2020, HITRUST is preparing to evolve the framework to be even more complete, efficient, and intuitive.

“HITRUST understands the challenges of managing information risk and compliance – no matter what industry you are in,” said Sarah Phillips, Senior Manager of Standards for HITRUST.

“We help organizations address these challenges by providing the depth and breadth of controls needed, while eliminating redundancies and the need for organizations to interpret and harmonize a multitude of global frameworks, standards and regulations.”
