The HITRUST CSF is a comprehensive cybersecurity framework that harmonizes the controls of many regulations, standards, and frameworks into a single compliance structure. The HITRUST Alliance updates the CSF frequently to keep pace with emerging risks, community needs, and changes to the regulatory frameworks it maps. HITRUST CSF v9.4 brought significant changes, followed by smaller, incremental changes in versions 9.4.1 and 9.4.2.
Understanding the Biggest Changes in HITRUST CSF v9.4
The HITRUST Alliance announced the availability of HITRUST CSF v9.4 in June 2020. The accompanying press release highlights the substantial changes this version made to the framework; the two most significant are:
- Integration of Cybersecurity Maturity Model Certification (CMMC) framework controls
- Inclusion of new, piloted resources for community-specific authoritative resources
Both changes build on the CSF’s comprehensiveness and the “Assess Once, Report Many” pillar of the overall HITRUST Approach. The same is true of subsequent, incremental changes in v9.4.1 (August 2020) and v9.4.2 (December 2020). We’ll also touch on these below.
Integration of the Cybersecurity Maturity Model Certification (CMMC)
The first major change in HITRUST CSF v9.4 is the inclusion of the framework the Department of Defense (DoD) requires of its contractors: the CMMC. CMMC v1.0 comprises 17 Domains that house 171 individual Practices. The HITRUST CSF now accommodates all of these, with the specific mappings listed in the CSF v9.4 Summary of Changes.
Note that the current CMMC is v1.02 (March 2020), whereas the CSF v9.4 mappings correspond to v1.0 (January 2020). Any organization basing its CMMC compliance efforts on HITRUST CSF certification should therefore confirm that its implementation of each CMMC Practice matches the current CMMC specification rather than relying on the mapping alone.
CMMC is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). Companies pursuing DoD contracts that carry a CMMC requirement must be assessed at the required level by a Certified Third-Party Assessment Organization (C3PAO). With the v9.4 mappings in place, a HITRUST CSF implementation can serve as a foundation for CMMC compliance, although it does not replace the C3PAO assessment.
Updates to NIST SP 800-171 Implementation Mapping
The CMMC is itself a comprehensive guide. Like the HITRUST CSF, it collects controls from other regulatory frameworks and authoritative texts, drawing on two primary sources:
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012
- National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 2)
Before the CMMC rollout, DFARS 252.204-7012 and NIST SP 800-171 were the principal security requirements for the DoD contractors that make up the Defense Industrial Base (DIB) sector.
These requirements still apply, but the CMMC mapping has streamlined contractors' adherence to them.
Since many companies that need CMMC compliance already follow NIST SP 800-171 controls, HITRUST CSF v9.4 also incorporates detailed mappings from its NIST- and DFARS-aligned controls onto the corresponding CMMC Practices. These mappings are available within MyCSF, the tool companies use to scope, perform, and submit their HITRUST assessments.
Piloted Inclusion of Community-Specific Authoritative Resources
The other marked change introduced in HITRUST CSF v9.4 is the addition of new authoritative sources (the regulations and standards the CSF maps to) that address the needs of specific communities. These resolve difficult mapping questions for companies that rely on their CSF certification to streamline niche compliance efforts, and they are especially useful for companies operating at the intersection of several industries.
Each HITRUST Control in the CSF breaks down into several Implementation Levels, with Levels corresponding to control complexity or to a specific mapped framework (e.g., "Level 1" and "Level CMMC"). HITRUST has also established two community-specific supplements that harmonize assessment of these controls for both HITRUST and the other frameworks involved, with plans for more.
Authoritative Resources Further Improve CSF Certification Benefits
The HITRUST CSF's uniqueness stems from its applicability to enterprises across all industries and business activities.
Many regulatory frameworks apply to select sectors, such as healthcare entities' compliance with the Health Insurance Portability and Accountability Act (HIPAA). Others apply according to location, such as the California Consumer Privacy Act (CCPA), which governs businesses that operate in California and meet its thresholds. While each regulation is selective, many companies must comply with several at once, multiplying costs and complicating the effort for each.
The CSF's inclusion of numerous regulations and frameworks lets such organizations assess once and report against each of them.
Major HITRUST Updates Since the Publication of HITRUST CSF v9.4
Since the publication of HITRUST CSF v9.4, there have been two subsequent editions. Neither introduced major changes; those are more likely to arrive in v9.5.
The v9.4.1 Summary of Changes document highlights refinements to the CMMC and NIST mappings introduced in v9.4, along with additional community-specific supplements that further the "Assess Once, Report Many" aim. The v9.4.2 Summary of Changes documents new HITRUST CSF control specifications and supplemental resources that accommodate the New York State Department of Health (DOH) System Security Plan (SSP).
Maintain HITRUST Certification Throughout All Future Updates
The most significant changes in HITRUST CSF v9.4, released in June 2020, were the mappings for the CMMC framework (required for DoD contractors) and the new community-specific supplemental resources.
Given how dynamic the HITRUST CSF is and how often updates arrive, many companies find it easier to maintain certification with the help of professional HITRUST services, like RSI Security's.
Contact us today to get started.