7 HITRUST Factors to Consider for Federal Compliance

Our discussion of HITRUST regulatory factors continues with a focus on federal compliance requirements and their influence on HITRUST. Here are 7 HITRUST regulatory factors to consider for federal compliance, and our recommendations on how to address them.

This article is Part Two of a Four-part Series on the HITRUST Framework

Part One: 7 HITRUST Regulatory Factors to Consider for Healthcare 
Part Two: 7 HITRUST Regulatory Factors to Consider for Federal Compliance 
Part Three: 5 HITRUST Regulatory Factors to Consider for International and State-level Privacy Compliance
Part Four: 4 Miscellaneous HITRUST Regulatory Factors to Consider

In our last blog, we focused on HITRUST regulatory factors related to healthcare since HITRUST historically was based on HIPAA. HITRUST is composed of many authoritative sources, such as NIST 800-53, ISO 27001, PCI DSS, etc. As we continue our discussion of HITRUST regulatory factors, it is a logical progression to focus on federal compliance, both because of the depth and breadth of these requirements and because of their influence on HITRUST. What follows are the seven HITRUST regulatory factors to consider for federal compliance, and A-LIGN’s recommendations on how to address them.

FISMA Compliance (NIST SP 800-53)

First Introduced in HITRUST 2.0 – January 2010

The Federal Information Security Modernization Act of 2014 (FISMA 2014) requires federal organizations to implement a cybersecurity program that reviews controls and authorizes their use by the government. NIST SP 800-53 is a catalog of various security controls that a federal organization or its partners can use to develop a control baseline, while NIST SP 800-37 outlines how federal organizations and their partners implement these controls to meet FISMA requirements. The appendix of 800-53 contains recommended baselines (low/moderate/high) that most federal organizations use, and these serve as the basis for FISMA assessments.

The A-LIGN Bottom Line: FISMA compliance is incredibly important for U.S. federal agencies and contractors. However, depending on the objectives of an organization and the demands of its stakeholders, it may be better to conduct a full FISMA assessment and report instead of adding it to a HITRUST assessment since HITRUST does not provide a separate FISMA report. Organizations interested in FISMA compliance are still advised to conduct these assessments in parallel to create a singular audit process.

NIST SP 800-171 Rev. 2

First Introduced in HITRUST 9.3 – October 2019

NIST SP 800-171 Rev. 2 is a framework developed under the authority of FISMA to protect controlled unclassified information (CUI) in nonfederal systems and organizations, such as contractors or data processors. The requirements are derived from the “moderate” baselines for NIST SP 800-53, although NIST notes that “organizations should not assume that satisfying those particular requirements will automatically satisfy the security requirements and controls in…SP 800-53.”

The A-LIGN Bottom Line: Many HITRUST requirements are already based on NIST. In 2018, even before NIST SP 800-171 Rev. 2 was introduced as a regulatory factor, HITRUST became authorized to issue NIST certifications because of the significant overlap between the controls. As a result, every HITRUST validated report includes a NIST Cybersecurity Framework report, even without adding it as a regulatory factor. Based on that, any organization that had been considering NIST SP 800-171 Rev. 2 would be better served by shifting attention to the recently introduced Cybersecurity Maturity Model Certification (CMMC), which will become a requirement for U.S. defense contractors.

Cybersecurity Maturity Model Certification (CMMC)

First Introduced in HITRUST 9.4 – June 2020

The Cybersecurity Maturity Model Certification (CMMC) is a security framework designed to protect the Department of Defense and defense industrial base (DIB) contractors, with a particular focus on CUI. CMMC encompasses five increasingly stringent control levels. Level 1 is roughly equivalent to FAR 48 CFR 52.204-21. Level 3 is based on NIST SP 800-171. Level 5 is based on Draft NIST SP 800-172. Since CMMC is based on existing security frameworks, most organizations won’t have to start from scratch, but they will need to conduct a gap analysis to determine what is missing. CMMC will soon become a contractual requirement for organizations wishing to do business with the Department of Defense.

The A-LIGN Bottom Line: CMMC is likely to become the most important federal compliance framework, since organizations will be unable to compete for government contracts without it. However, adding CMMC to a HITRUST assessment does not provide CMMC certification. Despite that, adding CMMC to a HITRUST assessment gives organizations a way to benchmark their preparedness for CMMC, or can serve as an exercise to become comfortable with future assessments.

FedRAMP Certification

First Introduced in HITRUST 9.0 – September 2017

The Federal Risk and Authorization Management Program (FedRAMP) certifies that cloud service providers have adopted a standardized approach to security assessment, authorization and monitoring. FedRAMP maintains a framework of controls and processes that vendors must implement to ensure cloud security for the government. Organizations that achieve FedRAMP certification receive a significant competitive advantage because their product or service becomes listed on the FedRAMP marketplace.

The A-LIGN Bottom Line: FedRAMP certification is incredibly valuable for vendors selling to the U.S. government; however, adding FedRAMP to a HITRUST assessment is not the equivalent of achieving FedRAMP certification. It may be better to conduct a full FedRAMP certification and report with an approved 3PAO firm instead of adding it to a HITRUST assessment, since HITRUST does not provide a separate FedRAMP certification or report. Organizations that are interested in pursuing FedRAMP certification could consider adding it to their HITRUST assessment to benchmark whether they are prepared and to mature their controls as needed.

CRR v2016

First Introduced in HITRUST 9.0 – September 2017

The Department of Homeland Security Cyber Resilience Review (CRR) is available as a free self-assessment framework that organizations can use to benchmark their cybersecurity maturity. Organizations are under no obligation to follow this framework. The CRR includes a crosswalk comparison between its controls and the NIST framework, which may be useful for organizations preparing for a NIST assessment.

The A-LIGN Bottom Line: CRR is a worthwhile exercise for organizations in the early stages of a federal compliance program since it is voluntary and complementary, and maps to NIST; however, there is no reason to add this to a HITRUST assessment since it can be conducted as a no-cost self-assessment.

IRS Pub 1075 Compliance

First Introduced in HITRUST 7.0 – January 2015

IRS Pub 1075 is a framework designed to protect federal tax information (FTI) and is required for all agencies and contractors that come in contact with FTI.

The A-LIGN Bottom Line: This is a niche framework that is specific to identity theft and only applies to federal, state and local government agencies. Any organization could adopt this framework to demonstrate it has an identity theft program, but most frameworks already have these controls in place.

21 CFR Part 11

First Introduced in HITRUST 9.0 – September 2017

The Federal Register 21 CFR Part 11 is a regulation from 1997 that requires the FDA to adopt electronic records and electronic signatures.

The A-LIGN Bottom Line: This is a niche framework intended for the FDA and food/drug/cosmetic suppliers. Since this regulation is more than 20 years old, there are mature tools that exist today that make it very easy to adopt electronic records and electronic signatures.
