What You Should Know About HITRUST CSF v11.3
HITRUST released v11 of the HITRUST CSF in January 2023 and, on April 16, 2024, followed it with CSF v11.3. HITRUST's standard practice is to update the CSF at least annually, and v11.3 is a relatively minor revision with two main differences:
- Consolidation and reduction of requirement statements, and
- Additions and modifications to mapped Authoritative Sources.
Even if these changes within v11.3 are considered small, those pursuing HITRUST certification must account for the updates to achieve compliance. As well-established external assessors for HITRUST, we’re going to offer some insight.
In this blog post, we’ll dive into both those changes from HITRUST so that you can get to work making any necessary adjustments to achieve and/or maintain compliance.
What are the 2 Changes in HITRUST CSF v11.3?
1. Reduced Requirement Statements
One of the long-standing barriers for organizations attempting to implement HITRUST with a risk-based r2 assessment has been the intimidating number of requirement statements they have had to satisfy. Historically, the number of requirement statements often increased between versions, sometimes significantly. So does v11.3 really reduce the number of requirement statements you will have to account for?
To help determine this, we performed multiple test cases to ascertain a reasonable level of requirement statement reduction you can expect and whether a transition to v11.3 might be beneficial for those considering upgrading or undergoing initial certification.
In doing this, we generated three fictional scenarios that organizations with different risk profiles might enter into MyCSF. Here are our discovered changes in requirements from v11.2 to v11.3:
| v11.2 Requirement Statement Count | v11.3 Requirement Statement Count | Difference |
|---|---|---|
| 275 | 271 | -4 |
| 537 | 490 | -44 |
| 617 | 579 | -38 |
Right away, you can see that the scenarios for fictional organizations with a higher risk profile (according to their risk factor responses), and therefore more statements required of them, saw a larger reduction in the number of requirement statements.
But in general, of these scenarios that we generated, no assessments increased their number of requirements when upgrading from v11.2 to v11.3, which is good news for organizations that want to adopt the HITRUST CSF as the basis for their information security program.
2. Updated Authoritative Sources
HITRUST also added and modified their mapped Authoritative Sources in CSF v11.3. Here are a few notable changes:
- StateRAMP r5 and TX-RAMP r5 Compliance Factors are Now Added
- During HITRUST Collaborate in October 2023, many organizations expressed their interest in StateRAMP—in response, HITRUST has now included these as optional regulatory factors in v11.3.
- Artificial Intelligence (AI) Risk Management, OWASP AI Exchange, and MITRE ATLAS Compliance Factors are Now Added
- Given that AI has been a hot topic since 2023, HITRUST now allows organizations to demonstrate compliance with AI using optional compliance factors.
- We did note that AI language was added to a few v11.3 requirement statements even when these compliance factors were not selected; however, AI did not appear to be the focal point of any single requirement unless the corresponding compliance factor was selected.
- A NIST SP 800-172 Compliance Factor is Now Added
- Previous optional NIST compliance factors included NIST SP 800-53 r4 and r5, as well as NIST SP 800-171 r2, and now NIST SP 800-172 can also be selected, an addition that further shows how deeply the various NIST frameworks are embedded within the HITRUST CSF.
- NOTE: While not a selectable factor, HITRUST also incorporates a NIST Cybersecurity Framework Validated Assessment Report that is included with your HITRUST CSF Risk-Based, r2 Report—however, this is not available for the e1 or the i1.
HITRUST v11.3 Small Revision Regarding Offline Backups
In the interest of full transparency regarding all the changes in CSF v11.3, HITRUST also updated some wording to clarify its position on offline backups:
| Version | Requirement statement wording |
|---|---|
| v11.2 | The organization maintains offline backups of data. |
| v11.3 | The organization maintains offline and/or immutable backups of data. |
Prior to this change, HITRUST already informally accepted immutable backups as well as offline backups; the revised wording now makes it explicit that immutable backups satisfy the requirement.
Next Steps with HITRUST—v11.3 or Otherwise
However minor these updates might seem, they will affect you in particular if your organization opts for an e1 or i1 assessment, as the use of v11.3 is now required for those assessments.
One way to ease your HITRUST compliance journey amidst these and other changes is to select an assessor who has significant experience performing these assessments. Your trusted partner and their level of expertise could be the difference between your organization presenting the correct or incorrect information to HITRUST, which could, in turn, have a significant impact on scores, timelines, and certification.
We at Schellman would love to help you not only with your HITRUST journey but also help you formulate a plan in which the information you put together for HITRUST can also be leveraged across other compliance audits and assessments you are already undergoing. Reach out to us today to speak more about how we can help streamline your compliance portfolio while maximizing its value, and in the meantime, check out our other content that can further simplify HITRUST:
About Michael Seegel
Michael Seegel is a Senior Manager with Schellman. Prior to joining Schellman in August 2018, Michael worked as an IT Audit Manager, specializing in managing SOC 1 & 2 Type II engagements. Michael also has prior experience performing HITRUST assessments, ISO 27002 audits, IT SOX compliance, and ERP implementations. As a manager at Schellman, Michael primarily focuses on performing HITRUST assessments for organizations in or doing business with healthcare organizations. Michael currently holds the CPA, CISSP, CISA, and CCSFP certifications.