HITRUST CSF v9.4 Summary of Changes

Fundamental to HITRUST’s mission is the availability of a common security and privacy framework, the HITRUST CSF (“CSF”), which provides the structure, transparency, guidance and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the CSF leveraged nationally and internationally accepted security and privacy related regulations, standards, and frameworks, including ISO, NIST, PCI, HIPAA, and COBIT, to ensure a comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to integrate and normalize the applicable requirements and best practices of its authoritative sources.

The HITRUST CSF v9.4 release includes changes based on feedback from the HITRUST community; miscellaneous corrections; added language in the glossary to better clarify terms found in the framework; and incorporation of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) version 1.0. These updates reflect HITRUST’s commitment to providing a framework fit for any organization globally.

Minor administrative updates, such as the correction of grammar or formatting errors, are generally not reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer version, which do not impact existing content, are also generally not reflected.

Other Updates

The underlying logic concerning the automatic inclusion of requirement statements within MyCSF assessments has been updated.

With the HITRUST CSF v9.4 framework release, HITRUST has updated the underlying logic of the HITRUST MyCSF platform regarding how HITRUST CSF Assessments, which incorporate regulatory factors, are created. Now, the selection of an optional regulatory factor includes all relevant requirement statements, including those that map outside the controls required for HITRUST CSF Certification. This action was taken in response to feedback from stakeholders asking that we ensure complete coverage of requirement statements based on regulatory factor choices while excluding requirement statements that are not relevant.

Previously, requirement statements related to regulatory factors were only brought into the scope of a baseline assessment if they were related to one of the control references required for HITRUST CSF Certification. As of 6/22/2020, when a regulatory factor is selected, all associated requirement statements will be pulled into the assessment, even if they are related to a control reference that is not required for HITRUST CSF Certification. This change may increase the number of requirements included in an assessment but is necessary to ensure that both assessed entities and the parties relying upon them obtain the most accurate understanding of posture relative to a given regulatory requirement.

At the same time, HITRUST has also updated the MyCSF platform to support a reduction in the requirement statements included in an assessment. Specifically, MyCSF no longer automatically pulls in additional regulatory factor-related requirement statements merely because they are associated with the same level (e.g., Level 2 or Level 3) as other requirement statements that may previously have been included by default.

The result is that organizations will have greater certainty that their assessment contains all requirement statements necessary to provide proper assurances for their relevant regulatory factors, without the inclusion of superfluous requirement statements.

