The most recent edition of the HITRUST CSF (Common Security Framework), version 11.4.0, was published in late 2024. The update added a significant number of new authoritative sources to the framework, expanding its mapping and compliance coverage for defense contractors, financial institutions, insurers, healthcare entities, and other organizations.
Is your organization ready for HITRUST certification in 2025? Request a consultation to find out!
What’s New in HITRUST CSF Version 11.4.0?
The HITRUST Common Security Framework (CSF) is a massive, comprehensive cyber defense guide that’s central to HITRUST certification and streamlined cybersecurity compliance. It takes concepts and requirements from many other regulatory frameworks, harmonizes them, and allows organizations to implement a unified set to satisfy wide-ranging compliance needs.
To understand the most recent update to the HITRUST framework, you’ll need to know:
- Which changes introduced in HITRUST v11.4.0 are the most impactful
- What compliance looks like in terms of controls and assessments
Putting the framework to use and achieving HITRUST certification is a boon to cybersecurity governance at any organization—especially when working with a HITRUST advisory partner.
Notable Updates to Authoritative Sources
The HITRUST CSF is one of the most frequently updated cybersecurity frameworks in existence because of HITRUST’s commitment to iterative releases. A side effect of that cadence is that new versions (and sub-versions between them) rarely bring drastic changes such as swaths of new controls or framework-wide reorganization. Instead, new editions typically mean changes to the underlying authoritative sources and the mappings built on them. Below, we detail the formal additions to mappings and selectable compliance factors, along with the lower-stakes refreshes.
Another element to consider is that new editions of HITRUST sometimes remove integrations or selectable factors. This generally happens because a given source has become outdated or is not seeing consistent use; organizations that still need a removed source can continue to reference earlier framework versions. Notable removals in v11.4.0 include the selectable factors for “DirectTrust,” “EHNAC,” “Banking Requirements,” and “Title 1 Texas Administrative Code § 390.2.”
Sources and Framework Components Added
Arguably the most impactful change in most HITRUST updates, and certainly in v11.4.0, is the addition of new authoritative sources. Each source’s requirements are mapped into the framework’s Implementation Level specifications so that the source can be selected as a compliance factor during a certification assessment. This is what lets organizations “assess once, report many.”
Version 11.4.0 of the CSF has added mapping and selectable compliance factors for:
- 16 CFR Part 314, Standards for Safeguarding Customer Information (the FTC Safeguards Rule), issued under the Gramm-Leach-Bliley Act and applicable to financial institutions under FTC jurisdiction.
- The Cybersecurity Maturity Model Certification (CMMC) version 2.0, applicable to Department of Defense (DoD) contractors in the Defense Industrial Base (DIB).
- The Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) v5.1, applicable to CMS contractors, stakeholders, and other healthcare entities.
- The European Union’s (EU) Digital Operational Resilience Act (DORA), applicable to financial entities operating in the EU and to the ICT third-party providers that serve them, including providers located outside the EU.
- ISO/IEC 29151:2017, the International Organization for Standardization and International Electrotechnical Commission’s code of practice for protecting personally identifiable information (PII), which extends the ISO/IEC 27002 controls with privacy-specific guidance.
- The National Association of Insurance Commissioners (NAIC) 668 Insurance Data Security Model Law, applicable to insurers, insurance agents, and related parties.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, a voluntary framework used across public and private sectors to guide cybersecurity best practices.
- NIST Special Publication (SP) 800-171 Revision 3, published in final form in May 2024 and expected to apply broadly to government contractors that handle controlled unclassified information (CUI); it is not yet the version enforced through CMMC, which still assesses against Revision 2.
These additions make the CSF even more comprehensive than it was in prior editions.
Mapping and Other Configurations Refreshed
Another impactful update in all new versions of HITRUST is the work done to refresh existing authoritative guides. Similar to the additions above, these changes ensure that HITRUST CSF assessments remain compatible with compliance frameworks that were previously supported.
Version 11.4.0 of the CSF has refreshed mapping and selectable factors for:
- The Food and Drug Administration’s (FDA) 21 CFR Part 11, Electronic Records; Electronic Signatures – Scope and Application, applicable to FDA-regulated entities.
- The Federal Information Security Management Act (FISMA) regulation, applicable to federal agencies, contractors thereof, and other organizations handling federal data.
- MITRE’s Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS), a knowledge base of adversary tactics and techniques observed against AI and machine-learning systems, modeled on MITRE ATT&CK and used by security teams across industries.
- NIST SP 800-171 r2 specifications, critical to the implementation of CMMC 2.0.
- The Open Worldwide Application Security Project’s (OWASP) AI Exchange, an open, community-maintained body of guidance on AI security and privacy threats and the controls that address them.
- The South Carolina Insurance Data Security Act (SCIDSA), applicable to entities licensed or authorized to operate in insurance-related capacities in South Carolina.
- The Texas Medical Records Privacy Act, applicable to healthcare concerns in Texas.
- The California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq., and the Massachusetts data security regulation 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), applicable to organizations that collect or process personal data of California or Massachusetts residents, respectively, regardless of where the organization is located.
Organizations looking to re-up certification with these and other frameworks covered by the HITRUST CSF can fulfill most or all of their compliance requirements from within HITRUST.
Implementation and Assessment in v11.4.0
As with prior editions of the HITRUST framework, certification has two primary components: organizations first need to implement controls from the CSF and then conduct assessments to verify their security deployment. And, since changes in v11.4.0 have been primarily about new and refreshed support for authoritative sources, the control schema is much the same as it has been for years. Assessments are also mostly the same, with a few new versions now available.
HITRUST v11.4.0 Controls and Objectives
The HITRUST CSF comprises 14 Control Categories (numbered 00 through 13) corresponding to over-arching areas of cybersecurity; these are analogous to control families in NIST’s frameworks. Each Category contains one or more Control Objectives, which are the primary points of emphasis within it, and each Objective breaks down further into Control References. References in turn break down into Implementation Levels and other granular specifications, for thousands of requirement statements in total.
For the purposes of understanding what it takes to implement HITRUST CSF v11.4.0, Categories and Objectives provide an accurate overview of the scope of the framework:
- Control Category 0.0: Information Security Management Program
  - Objective 0.01: Information Security Program Requirements
- Control Category 01.0: Access Control
  - Objective 01.01: Business Requirements for Access Control
  - Objective 01.02: Authorized Access to Information Systems
  - Objective 01.03: User Security Responsibilities
  - Objective 01.04: Control Over Network Access
  - Objective 01.05: Control Over Operating System Access
  - Objective 01.06: Control Over Application and Information Access
  - Objective 01.07: Secure Mobile Computing and Teleworking
- Control Category 02.0: Human Resources Security
  - Objective 02.01: Secure Processes Before Employment
  - Objective 02.02: Secure Processes During Onboarding
  - Objective 02.03: Secure Processes Throughout Employment
  - Objective 02.04: Secure Processes During Employment Changes
- Control Category 03.0: Risk Management
  - Objective 03.01: Risk Management Program Requirements
- Control Category 04.0: Security Policy
  - Objective 04.01: Information Security Policy Requirements
- Control Category 05.0: Organization of Information Security
  - Objective 05.01: Internal Organization Requirements
  - Objective 05.02: Requirements for External Parties
- Control Category 06.0: Compliance
  - Objective 06.01: Compliance with Legal Requirements
  - Objective 06.02: Compliance with Technical Policies and Standards
  - Objective 06.03: Considerations for Information System Audits
- Control Category 07.0: Asset Management
  - Objective 07.01: Asset Responsibility Requirements
  - Objective 07.02: Information Classification Requirements
- Control Category 08.0: Physical and Environmental Security
  - Objective 08.01: Requirements for Secure Areas
  - Objective 08.02: Equipment Security Requirements
- Control Category 09.0: Communications and Operations Management
  - Objective 09.01: Operating Procedure Documentation
  - Objective 09.02: Third Party Service Delivery Controls
  - Objective 09.03: System Planning and Acceptance
  - Objective 09.04: Protection Against Malicious Code
  - Objective 09.05: Information Back-Up Requirements
  - Objective 09.06: Network Security Management
  - Objective 09.07: Media Handling Requirements
  - Objective 09.08: Secure Exchange of Information
  - Objective 09.09: Secure Online Transactions
  - Objective 09.10: Monitoring Requirements
- Control Category 10.0: Acquisition, Development, and Maintenance
  - Objective 10.01: Information Systems Security Requirements
  - Objective 10.02: Secure Processing for Applications
  - Objective 10.03: Controls for Cryptographic Systems
  - Objective 10.04: System File Security Assurance
  - Objective 10.05: Secure Development and Support Processes
  - Objective 10.06: Technical Vulnerability Management
- Control Category 11.0: Information Security Incident Management
  - Objective 11.01: Reporting for Incidents and Weaknesses
  - Objective 11.02: Incident Management and Improvements
- Control Category 12.0: Business Continuity Management
  - Objective 12.01: Information Security in Continuity Management
- Control Category 13.0: Privacy Practices
  - Objective 13.01: Transparency Controls
  - Objective 13.02: Secure Individual Participation
  - Objective 13.03: Purpose Specifications
  - Objective 13.04: Minimization of Data
  - Objective 13.05: Limitation of Use
  - Objective 13.06: Data Quality and Integrity Assurance
  - Objective 13.07: Accountability and Auditing Requirements
Depending on the kind of assessment and certification they’re seeking, organizations can expect to implement anywhere from 44 requirement statements (for an e1) to several hundred (for a risk-tailored r2).
HITRUST Assessments and Certifications
HITRUST assessments verify that an organization’s control deployment is functioning as expected and delivering the assurance it intends to. All assessments run on HITRUST’s software-as-a-service (SaaS) platform, MyCSF, which supports self-assessments as well as validated assessments performed by an authorized External Assessor and reviewed by HITRUST, which is what produces a certifiable result.
At present, HITRUST offers three validated (i.e., certifiable) assessments, plus an optional AI add-on:
- HITRUST e1 Assessment – A one-year validated assessment covering 44 “Foundational Cybersecurity” requirements, intended for lower-risk, smaller, or newer organizations.
- HITRUST i1 Assessment – A one-year validated assessment covering 182 “Leading Security Practices” requirements, intended for organizations seeking moderate assurance.
- HITRUST r2 Assessment – A two-year validated assessment covering a tailored set of “Expanded Practices” requirements (typically several hundred, scaled by the organization’s risk factors), intended for organizations seeking the highest level of assurance.
- HITRUST AI Security Assessment – An optional add-on to an e1, i1, or r2 assessment that evaluates AI-specific risks; it is not a standalone certification.
Additionally, organizations can take advantage of several other assessments and reports that speak to both broad cybersecurity issues and specialized compliance concerns. Examples include the HITRUST AI Risk Management Assessment, HITRUST Insights Reports, and HITRUST NIST CSF 2.0 Certification, all of which can also be conducted via MyCSF.
Streamline Your HITRUST Certification
The new edition of the HITRUST CSF, version 11.4.0, does not feature any major changes to the actual framework itself. Instead, the majority of changes are in the new and refreshed authoritative sources that are used to map controls onto other regulatory compliance needs.
RSI Security has helped countless organizations achieve certification with HITRUST and streamline their overall compliance programs. We’re committed to service and helping your teams rethink their cyber defense strategies for efficacy and efficiency. We’ll help you plan for and implement as many HITRUST controls as you need, then assess and report seamlessly.
To learn more about our HITRUST CSF advisory services, contact RSI Security today!