Everything you need to know about HITRUST v11

Erin Sullivan jpeg

Erin Sullivan

Consultant, HITRUST Assurance

Nicole Janko jpeg

Nicole Janko

Director, HITRUST, ISO, and SOC

Blog Images 2023 main post image hitrsut v11

Key takeaways:

  • On January 18, 2023, HITRUST released HITRUST CSF v11.
  • Current versions 9.1 to 9.4 will be able to create an object until September 30, 2023, and must submit by December 31, 2024.
  • The ability to create Version 9.6.2 i1 objects will be disabled on April 30, 2023, and all version 9.6.2 i1 objects must be submitted by July 31, 2023.
  • Versions 9.5 to 9.6.x r2 sunset date has yet to be officially announced.

HITRUST v11 is here.

HITRUST CSF v11 is available for download.

We are excited to see the significant updates to the HITRUST CSF that make evaluative elements more visible and provide better definition of scoping factors. The updates make specific control expectations in HITRUST easier to understand and address.

What changes can be expected with v11?

HITRUST has moved away from the 75 controls required for certification. In the v11 r2 baseline, this is replaced with the core requirement selection, which is the 182 i1 requirement statements. This means that new major or minor version releases will update the core requirement selection. Going forward, HITRUST does not expect significant changes in the core requirement selection from one version to the next.

HITRUST now offers three assessment types.

 e1: Essential practices (NEW)i1: Leading practicesr2: Expanded practices
44 requirement statements that address a curated set of cybersecurity controls generally viewed as fundamental essential cybersecurity practices or “essential cybersecurity hygiene.
182 requirement statements comprised of the 44 e1 requirement statements and an additional 138 requirement statements that address cybersecurity best practices and a broader range of active cyber threats than the e1 assessment.
182 i1 requirement statements as a baseline and additional requirements that are included through the assessment tailoring process.

Evaluative Elements have been moved from the Illustrative procedures to the requirement statement and are now individually numbered for more clarity.

HITRUST has added and refreshed the Authoritative Source mappings:

  • Added NIST SP 800-53 revision 5 mapping and selectable Compliance factor
  • Added Health Industry Cybersecurity Practices mapping and selectable Compliance factor
  • Refreshed NIST SP 800-171 mapping
  • Refreshed NIST Cybersecurity Framework mapping
  • Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

The following Authoritative Sources have been removed in CSF v11:

  • CAQH CORE Phase 1 [CAQH Core Phase 1]
  • CAQH CORE Phase 2 [CAQH Core Phase 2]
  • Cloud Security Alliance (CSA) Cloud Controls Matrix Version 3.0.1 [CSA CCM v3.0.1]
  • Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) version 1.0 [CMMC v1.0]
  • Department of Homeland Security (DHS) Critical Resilience Review (CRR) v1.1 [DHS CISA CRR (2016)]
  • ISO/IEC 29151:2017: Information Technology – Security Techniques – Code of Practice for Personally Identifiable Information Protection [ISO/IEC 29151:2017]
  • Precision Medicine Initiative Data Security Policy Principles and Framework v1.0 (PMI DSP): Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework [PMI DSP Framework]

The new e1 assessment

HITRUST has a brand-new assessment type called the e1 assessment. This assessment is smaller than the i1 or the r2, at just 44 requirements. Like the i1, the e1 assessment only tests the implemented maturity level. However, some requirements are policy and procedure focused. The e1 assessment can be completed as a readiness test or validated.

The e1 assessment is a lower level of effort, but also provides a lower-level assessment. This assessment is ideal for assessed entities that have a lower risk profile, where a more in-depth assessment may not be necessary. The e1 assessment can also serve as a stepping stone to the higher-level assessments.

The e1 assessment focuses on "cyber hygiene," basic cybersecurity practices that all organizations can use to protect data, emphasizing controls that reduce the chances of an adverse cybersecurity event, data breach, or malware outbreak.

i1 updates

The updated i1 assessment now has 182 requirement statements and an option for rapid recertification.

The i1 rapid recertification can be completed every other year between i1 assessments, but assessed entities must show that the control environment has not materially degraded since the previous i1 was performed. The rapid recert can be used by organizations that meet the following requirements:

  • The assessed entity currently holds an i1 certification using CSF v11 or later
  • The same scope is being assessed
  • No significant changes have occurred since the previous i1 certification that may impact the organization's ability to meet the i1 requirements
  • The control environment has not materially degraded since the previous i1 Assessment
  • The organization has an available assessment object in MyCSF

The rapid recertification process requires four different areas to be assessed:

  1. All requirement statements within the current CSF that were not assessed in the previous i1 Assessment
  2. A sample of 60 requirements statements that were scored in the previous i1 Assessment
  3. Review of all requirement statements that were marked as N/A in the previous i1 Assessment
  4. All requirement statements that required a CAP during the previous i1 Assessment

If the assessor finds 2 or few instances of control degradation (lower CSF score), the assessment can be submitted for rapid recertification. If the assessor finds 3 or 4 instances, the assessed entity will need to assess an additional 60 requirement statements and have 5 or fewer instances to be submitted for rapid recertification. If the assessor finds 5 or more instances during the rapid recertification assessment process, a full i1 assessment must be completed.

Transition timeline to HITRUST v11

 Last day to create assessment objectLast day to submit object for certification
Currently certified against v9.1 to v9.49/30/202312/31/2024
Pursuing a v9.6.2 i1 certification4/30/20237/31/2023

The HITRUST QA Reservation system will not allow the selection of a submission date later than the above dates, and all unsubmitted objects will be marked with a MyCSF banner stating they cannot be submitted for processing.

What if the organization inherits controls from other assessed entities?

HITRUST has confirmed that External Inheritance will be possible between v11 assessments and v9.1 – v9.6.2 assessments. However, there may be requirement statements within v9.x assessments that are not present in v11 assessments and vice versa.

HITRUST has chosen to release a Community Supplemental Requirement (CSR) factor called “Legacy Inheritance Support” which will be introduced in v11 assessments to address these concerns. The Legacy Inheritance Support will include additional inheritable 9.x requirement statements into v11 r2 Assessments.

We look forward to assisting organizations on their HITRUST journey, ensuring their risk and compliance program is continuously evolving to adapt to emerging threats in cybersecurity. More information about the latest HITRUST Advisories can be found here.

About Coalfire HITRUST

Did you know Coalfire is one of the original HITRUST External assessor firms and one of few assessor firms appointed to the HITRUST External Assessor Council five years in a row? Our HITRUST Advisory services help clients fully understand the HITRUST CSF lifecycle so they can reduce time, costs, and resources. If you have any questions about the new updates or are looking for an assessor, fill out the contact form below, and one of our HITRUST experts will assist you.