HITRUST™ announced that version 9 of the HITRUST CSF™ is now available. The updated version of the HITRUST CSF™ includes 75 controls required for HITRUST CSF™ Certification, an increase of nine controls from the 66 previously required under version 8.1.
Taking a closer look at the increase in the controls required for HITRUST CSF™ Certification, HITRUST™ has actually removed 10 controls that were previously required for certification under version 8/8.1 and added 19 controls that were not previously required.
Version 9 now integrates several additional regulatory requirements and industry frameworks, the most notable being the option to complete a NIST Cybersecurity Framework (CsF) assessment. The NIST CsF assessment allows an organization to assess against the 185 control requirements that are required to address the NIST CsF Core Subcategories and that align with HITRUST CSF™ control requirements. The addition of the NIST CsF assessment option will likely be the most globally applicable and relevant of the changes incorporated into version 9, as cybersecurity continues to be a highly scrutinized area for all organizations, regardless of size or industry.
Version 9 also incorporates additional updates to address the following specific requirements:
Organizations that are currently in the process of certifying may continue to submit their validated assessment against version 8.1 for another six months (February 2018). However, organizations that have not already created their validated assessment object within MyCSF, or that will not have completed their procedures and be ready to submit to HITRUST™ within the six-month timeframe, will now generate their assessment and control requirements using version 9.
Baker Tilly can help organizations determine the impact of the version 9 release on their HITRUST™ CSF assessment scope and certification timelines. For further assistance with your organization’s HITRUST™ efforts, please contact our HITRUST services advisors.