HITRUST CSF v11: New Threat-Adaptive Portfolio, e1 Assessment and more  

January 2023, HITRUST releases the HITRUST CSF v11. This latest upgrade comes with a series of changes that are said to both increase effectiveness while reducing certification efforts by 45% from its predecessor CSF v9.6. The reduction in efforts toward HITRUST Certification through greater efficiency is because of improved control mappings and precision of specifications afforded through CSF v11.  

To achieve these added efficiencies, CSF v11 introduces a threat-adaptive portfolio of assessments which moves the r2 baseline to the i1 requirements and includes i1 requirements as ‘Core’ on an r2 assessment. These overlaps in requirements enable organizations to use work completed on lower assessments towards more robust ones in the future.  

CSFv11 also welcomes the addition of a cybersecurity essentials assessment and the i1 Rapid Assessment to the list of HITRUST services. Here is everything you need to know about the new CSF v11, along with its new assessments and guidelines for Third Party Risk Management (TPRM).  

The New Essentials, 1-year (e1) Assessment  

This new assessment is designed to enable low risk organizations of any size to assess the general cyber hygiene of their operations against new and emerging threats and demonstrate the implementation of any necessary controls. The e1 assessment certification carries 44 Curated Requirements from the HITRUST CSF and is good for one year and annual renewal. Organizations may obtain certification after completing the e1 assessment and necessary conditions are met.  

This new assessment includes:  

  • A readiness self-assessment   
  • Controls and mitigations designed to defend against new and emerging threats  
  • Notifications for assessed entities of relevant changes in control guidance and mitigations to evaluate the current effectiveness of specific control implementations  
  • A streamlined assurance program that minimizes the burden on assessed organizations   
  • The ability to electronically distribute results as opposed to requiring a PDF report   

To maintain an adaptive set of controls for this framework, HITRUST will leverage its Cyber Threat-Adaptive Approach that frequently evaluates current Indicators of Attack (IoA) and Indicators of Compromise (IoC) against the controls currently in place.  

Updates to the i1 Assessment CSF v11  

In addition to the new e1 Assessment, HITRUST announced a new version of the i1 Assessment, which includes a new i1 Rapid Assessment.  

The updated i1 Assessment under v11 will replace the existing i1 Assessment under v9.6 and will now include around 170 to 190 required control statements. This comes as a reduction in requirement statements from the existing i1 Assessment, which had 219 requirement statements.   

HITRUST explains the reasoning for this reduction comes from a refreshing of source mappings and from a better understanding of the current threat climate, allowing a more streamlined set of requirements that maintain a high level of security.  

The new i1 Assessment under v11 will have a Rapid Assessment option which provides an accelerated means for recertification by demonstrating your control environment has not materially degraded. Control degradation is defined by HITRUST as issues in the performance of a controlled operation of a control that exists when performing a rapid certification that was not present during the initial i1 assessment a year ago. Should any controls come back as degraded, you have options:  

  • For two or fewer below passing scores, you are allowed to renew and not deemed degraded  
  • For three or four below passing scores, you may expand your sample of requirement statements to try again or convert your rapid to a full i1 assessment   
  • For five or more below passing scores, you will need to convert your rapid assessment into a full i1 assessment.  

This new i1 rapid assessment option can only be used every other year. After being used for one year, the organization will need to complete a full i1 assessment.   

To be eligible for an i1 Rapid Assessment, organizations:  

  • Must hold an i1 certification using CSF v11 or later the previous year  
  • Must assess the same scope as their last assessment  
  • Must have no critical change in any security infrastructure from their last assessment  

New Third-Party Risk Management Quick-Start Guidelines in CSF v11  

The latest changes to the HITRUST Third-Party Risk Management guidelines are meant to simplify the assurance process for third parties and those who rely on them. The Quick-Start Guide helps organizations implement the information security-related components of a comprehensive third-party risk management program. It is designed to:  

  • Streamline usage of the HITRUST TPRM Methodology  
  • Distill the broader methodology into clear actionable steps  
  • Provide clear guidance on computing inherent risk, classifying vendors, and selecting the appropriate level of third-party assurance  
  • Summarize alternative approaches to satisfy requirements and associated risks   
  • Provide links to reference material for continuous education  

You can learn more about the HITRUST TPRM here.  

HITRUST Legacy CSF Version Sunsetting Timeline  

HITRUST also plans to sunset older versions of CSF Assessments in the coming years. Here is what to expect.  

For older r2 Assessments:  

  • September 30th, 2023: The ability to create a new v9.1 – v9.4 r2 Assessment will be disabled.   
  • December 31st, 2024: The ability to submit v9.1 – v9.4 Assessment objects will be disabled.  
  • March 31st, 2026: CSF v9.1 – v9.4 libraries will be removed from MyCSF. Note that CSF versions 9.5 and 9.6 will remain available in the CSF libraries.  

i1 Assessments will transition to v11 :

  • March 31, 2023: The ability to create a new v9.6.2 i1 Assessment objects will be disabled  
  • June 30th, 2023: The ability to submit v9.6.2 and earlier i1 Assessment objects will be disabled.   

Proper Planning = HITRUST Success  

With the constant changes to the digital threat landscape and the evolving HITRUST CSF updates, A-LIGN knows HITRUST certification better than anyone. As one of the top HITRUST assessors in the world, we’ve helped more than three hundred clients successfully achieve HITRUST certification.  From readiness to certification, A-LIGN can ensure your organization achieves HITRUST success. Get in touch today.