The HITRUST Alliance recently released HITRUST CSF version 9.4. This iteration of HITRUST v9 further delivers on the organization's mission to provide "One Framework, One Assessment, Globally" by incorporating and streamlining the largest number of authoritative sources of any security and privacy framework.

This article explains the HITRUST CMMC and NIST mappings added in this new version.

What is the HITRUST CSF?

The HITRUST Cybersecurity Framework (CSF) is a tool developed by the HITRUST Alliance to simplify organizations’ compliance efforts. A large number of data protection regulations in effect today can make it difficult for an organization to design a comprehensive, coordinated, and compliant strategy for meeting its regulatory and contractual obligations.

The HITRUST CSF is designed to integrate the requirements of many different regulations into a succinct collection of cybersecurity best practices. Version 9.4 of the HITRUST CSF advances this goal by adding support for additional regulations and enabling organizations to easily map the security controls recommended under the HITRUST CSF to the requirements of applicable regulations.


New Regulatory Coverage in HITRUST CSF Version 9.4

Version 9.4 of the HITRUST CSF is designed to enable the framework to more effectively support an organization’s compliance needs. Modifications include incorporation of the Cybersecurity Maturity Model Certification (CMMC), updates to NIST 800-171 r2, and the addition of support for community-specific standards.

Note: If you need help with HITRUST as it relates to HIPAA compliance, reach out to start the conversation.


Department of Defense Cybersecurity Maturity Model Certification

The United States Department of Defense (DoD) CMMC mandates that contractors wishing to bid and execute on DoD contracts undergo a third-party audit to demonstrate that they have implemented the required security controls and processes for the CMMC level required by a certain contract.

The CMMC is designed to strengthen the cybersecurity of the defense industrial base (DIB) by moving from a certification model based upon self-assessments to one requiring third-party audits.

While the process for CMMC certification has not yet been defined, the requirements of the various CMMC levels have been made publicly available. Version 9.4 of the HITRUST CSF incorporates these requirements. This HITRUST CMMC mapping enables an organization to “assess once, report many”. HITRUST has also released a whitepaper explicitly mapping CMMC requirements to the HITRUST CSF.

Related reading: Achieve Secure Cloud Adoption Using HITRUST


NIST 800-171 r2

NIST 800-171 is a standard developed by the National Institute of Standards and Technology (NIST). The standard is titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.

While a current version of the standard has been published, a second revision (NIST 800-171 r2) is currently in draft status. Version 9.4 of the HITRUST CSF updates the HITRUST NIST mapping between the CSF and NIST 800-171 r2 to reflect recent changes in the NIST draft and to ensure accuracy.


HITRUST CSF Version 9.4 Community-Specific Standards

The HITRUST CSF is primarily designed to help organizations achieve, maintain and demonstrate compliance with global and national regulatory standards. However, many organizations may be subject to state and local compliance and reporting requirements.

Version 9.4 of the HITRUST CSF adds the ability to support these new standards and includes mappings to two such standards. Future versions are expected to include additional community-specific standards with priority given based upon market demand.


The Most Comprehensive Compliance Management Framework in Existence

A number of different cybersecurity frameworks exist; however, the HITRUST CSF stands out as the one providing the most support for an organization’s compliance program. With Version 9.4, the HITRUST CSF now incorporates more authoritative sources than any other cybersecurity framework.

HITRUST is designed to allow an organization to perform a single assessment and use it for reporting compliance with a number of different regulations. This is extremely valuable as the regulatory landscape and organizations’ reporting obligations expand with the passage of new laws and standards.

To find out more about HITRUST consulting, reach out to Avertium, a Certified HITRUST Assessor.
