HITRUST CSF 9.4: Incorporating authoritative sources of any security and privacy framework

HITRUST announced the availability of version 9.4 of the HITRUST CSF information risk and compliance management framework, further delivering on its mission of One Framework, One Assessment, Globally.

HITRUST CSF version 9.4 now incorporates and harmonizes the largest number of authoritative sources of any security and privacy framework, most recently adding the CMMC framework and two community-specific standards, as well as updating existing sources for continued relevancy.

As security and privacy requirements change in response to new and updated global laws and regulations, or breaches and other cyber events, HITRUST is committed to maintaining and expanding the relevancy and applicability of the HITRUST CSF to meet the continually evolving regulatory and risk-management landscape and associated control requirements.

HITRUST CSF v9.4 related updates include:

  • Integrating the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0,
  • Updating the NIST SP 800-171 r2 mappings to ensure continued alignment,
  • Piloting the inclusion of community-specific authoritative sources to further extend the Assess Once, Report Many benefits of the HITRUST Approach, and
  • Enabling HITRUST MyCSF platform functionality which provides DoD CMMC customers the ability to select CMMC Maturity Level specific CSF requirements in support of compliance pursuits.

“HITRUST recognizes the complexity of managing information risk and compliance—no matter what industry you are in,” said Sarah Phillips, Senior Manager of Standards for HITRUST.

“We are committed to helping organizations address these challenges through maintaining the relevance of the HITRUST CSF by adding and updating authoritative sources, providing the depth and breadth of controls needed, while eliminating redundancies and the need for organizations to interpret and harmonize a multitude of global frameworks, standards, and regulations.”

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST CSF is a key component of the HITRUST Approach, which provides organizations an integrated information risk management and compliance solution that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

In developing a framework that can meet the needs of organizations locally, nationally, and globally, HITRUST recognizes that various organizations may have requirements imposed as a result of being part of a smaller community—such as a subset of an industry group, a State Agency, or by a cooperative sharing agreement.

In many cases these may not be new security or privacy controls, but more specific implementation requirements. HITRUST has established a mechanism in the HITRUST CSF, that is enabled through MyCSF for these requirements to be incorporated, harmonized, and selected for inclusion during the assessment process and then included in the HITRUST CSF Assessment Report.

The intent is to reduce any additional assessments by enabling organizations to Assess Once, Report Many. HITRUST CSF v9.4 includes two such community standards and we are evaluating the inclusion of others based on market demand.

“The HITRUST CSF maps to CMMC requirements and we have developed a white paper to help organizations understand and instill confidence in the HITRUST Approach,” explained Dr. Bryan Cline, Chief Research Officer, HITRUST.

“Organizations utilizing HITRUST to operationalize CMMC as part of their existing information protection program can quickly assess CMMC Practice and Process maturity with accuracy and precision.”

More about

Don't miss