Significant standards added to industry-leading security framework enhance compliance process
The HITRUST Framework, or HITRUST CSF, is a comprehensive, scalable, efficient framework for information risk management, cybersecurity, and regulatory compliance. It is designed to help organizations all over the world, in any industry or sector, earn the trust of stakeholders by demonstrating their commitment to widely accepted information security standards.
The newest version, HITRUST CSF 11.3.0, was released earlier this month and is available for download by organizations that have adopted the HITRUST Framework.
Safeguard Your Organization and Data with HITRUST CSF
As headlines and news articles constantly remind us, every organization is vulnerable to costly data breaches, cyberattacks, ransomware, and other security incidents that jeopardize our sensitive information, whether it’s personally identifiable information, protected health information, intellectual property, or other confidential data.
One of the great challenges of the digital age is protecting data effectively while business is conducted across the internet at lightning speed. Cybercrime is a profitable business and is constantly adapting, which is why data breach costs keep rising. Even as technology advances and security and privacy regulations are updated to reflect new threats, the threat landscape itself keeps evolving.
One of the most effective ways to meet these challenges is by implementing the single, certifiable framework that has become an industry standard—the HITRUST CSF.
The release of v11.3.0 in April 2024 reaffirms the HITRUST commitment to providing organizations with a comprehensive, up-to-date framework that addresses evolving cyberthreats and regulatory requirements and meets the needs of organizations of all sizes and types.
Important Authoritative Sources Added in HITRUST CSF 11.3
Version 11.3 has introduced important new authoritative sources to the HITRUST Framework, along with further streamlining, according to the HITRUST press release.
- Three new authoritative sources have been added to the framework to provide a standardized approach ensuring that assessed entities that do business with the government comply with applicable information security requirements.
- The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- StateRAMP offers a standardized approach to the cybersecurity requirements that must be met by organizations that provide services to state and local governments.
- The Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing firms that process data for Texas state agencies.
- NIST SP 800-172 has been integrated into the HITRUST CSF to enhance protections for Controlled Unclassified Information (CUI) and to support organizations with high-risk profiles, as determined by their HITRUST r2 Assessment tailoring.
- CMMC Level 3 requirements are based on stringent NIST standards, and the new CSF provides a foundation to help prepare organizations for new compliance requirements.
- The MITRE Adversarial Threat Landscape for Artificial-Intelligence Systems (MITRE ATLAS) mitigations have been integrated into the new version to further address security requirements for safeguarding AI systems.
- Release of HITRUST CSF 11.0 in January 2023 enabled i1 Assessments to serve as the baseline for r2 Assessments, an enhancement designed to significantly reduce the number of controls in the r2 scope. Version 11.3 continues to streamline the assessment process by reducing redundancy to further decrease the average r2 assessment size without compromising control coverage.
Benefits to HITRUST CSF Adopters
The release of HITRUST CSF 11.3.0 provides three important advantages: staying current with regulations, comprehensive adaptation to cyberthreats, and increased efficiency. For example:
- By integrating and normalizing the latest industry standards and requirements, CSF 11.3.0 ensures organizations remain aligned with current and emerging regulations.
- The inclusion of cutting-edge authoritative sources like NIST SP 800-172 and MITRE ATLAS ensures the framework meets the challenges of today's dynamic threat landscape.
- Consolidation efforts continue to streamline the assessment process, reducing the effort and time organizations must invest in meeting one or more regulatory compliance requirements and pursuing successful HITRUST certification.
How HITRUST Assessments Are Affected by CSF 11.3.0
With the launch of v11.3.0, the HITRUST Essentials 1-year Assessment (e1) and Implemented 1-year Assessment (i1) have been aligned with the updated framework to ensure that users benefit from the latest cybersecurity and compliance advancements.
Also according to the press release, assessments currently underway against version 11.2.0 requirements can be completed so that the new CSF release does not impede certification efforts already in progress.
Offering the highest level of security assurance, the HITRUST Risk-Based 2-Year Assessment (r2) requires significantly more effort than the 1-year assessments. Version 11.3 continues to streamline the assessment process by reducing redundancy and enabling r2 assessments to build on i1 assessments to further decrease the average r2 assessment size without compromising control coverage.
The HITRUST website has been updated to reflect the changes resulting from v11.3.0. For example, new e1 and i1 assessment objects that use v11.2, including i1 rapid recertification assessments, have been disabled in the MyCSF portal.
HITRUST CSF 11.3 is available for download now and all organizations are encouraged to transition to take full advantage of its enhanced protections and efficiencies.
For organizations seeking assistance in preparing for a HITRUST assessment, HITRUST Readiness Services are available from authorized readiness licensees such as 24By7Security.
Applicability to Healthcare
For members of the healthcare industry, achieving full HIPAA compliance does not result in any form of HIPAA certification. Instead, the reward is a robust cybersecurity program that complies with mandatory HIPAA Rules, including the Security Rule and Privacy Rule.
HITRUST changes this for healthcare entities that adopt the HITRUST CSF and undergo an assessment that leads to HITRUST certification. This may be the most effective way to achieve HIPAA compliance and keep it current, since assessments must be completed either annually or every two years, depending on the assessment type.
Summary
The HITRUST CSF is a robust and compelling solution for organizations large and small, local and global, that are required to comply with one or more federal and industry regulations. The HITRUST Framework incorporates and cross-references existing standards and regulations in a single framework. As its name suggests, the HITRUST CSF is designed to help organizations earn the trust of customers, investors, suppliers, and other stakeholders by demonstrating their commitment to this globally accepted cybersecurity, compliance, and risk management framework.
With HITRUST CSF 11.3, new authoritative sources have been incorporated, including FedRAMP, StateRAMP, and TX-RAMP, NIST SP 800-172, MITRE ATLAS, and CMMC Level 3 requirements. Like its predecessors, v11.3 demonstrates the ongoing adaptability of the framework to new and emerging cyberthreats and the regulations designed to address them.