2023 brings arguably the most dynamic set of changes to HITRUST to date. In January, HITRUST released full details on several new advisories and we have summarized the high points. While these updates are meant to streamline the HITRUST process and better fit your environment, they require a thoughtful approach and a long-term plan to ensure you meet your organization’s and business partners’ goals.
HAA 2023-001: CSF Version 11 Release
The long-awaited next major release of the CSF is here! First, this version creates a truly traversable portfolio – meaning a seamless transition from the e1, which is a subset of the i1, which is a subset of the r2.
Version 11 also added, refreshed, and removed some authoritative sources. This is also the first use of AI processing technology for mapping efforts:
- Added NIST SP 800-53 revision 5 mapping and selectable Compliance factor,
- Added Health Industry Cybersecurity Practices mapping and selectable Compliance factor,
- Refreshed NIST SP 800-171 mapping,
- Refreshed NIST Cybersecurity Framework mapping,
- Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping.
Finally, version 11 updated requirement statement language to improve visibility by moving the evaluative elements from the policy level illustrative procedure to the requirement statement. In general, this will result in clearer evidence and testing requirements.
HAA 2023-002: CSF Version 9.1 – 9.4 Decommission Notice
With the introduction of version 11, the transition process from older versions begins. Two key dates to note are:
September 29, 2023 – This is the last day to create a MyCSF object for versions 9.1 through 9.4. All new assessment objects created on or after September 30, 2023, must be created using HITRUST CSF v9.5.x or later.
December 31, 2024 – This is the last day to submit a MyCSF object to HITRUST for versions 9.1 through 9.4.
Interim assessments will continue to utilize the same version used in the original r2 validated assessment. Internal and external inheritance will continue to be available from v9.1 through v9.4 assessment objects until their expiration (generally 2 years).
HAA 2023-003: CSF v9.6.2 Creation and Submission Deadlines for i1 Assessments
Similarly, there are key dates for i1 assessment versions.
April 29, 2023 – This is the last day to create new i1 assessments using CSF v9.6.2. All new i1 assessment objects created on or after April 30, 2023, will be CSF v11.
July 31, 2023 – This is the last day to submit i1 assessments using CSF v9.6.2 and earlier.
HAA 2023-004: e1 Assessment Introduction
In 2021, HITRUST introduced the i1 as a moderate-level-of-assurance alternative to the traditional, two-year r2 assessment. The e1 is HITRUST’s newest certification and is considered a Cyber Hygiene assessment. It’s meant for an organization needing a lower level of assurance and can serve as a stepping stone to the more robust i1 and r2. This is also a great option for third-party risk management. The e1 assessment currently consists of 44 key baselines, uses only implementation criteria, and can “carve out” control requirements.
HAA 2023-005: i1 Rapid Recertification
Besides version 11, the new i1 rapid recertification is arguably the most impactful change. The introduction of the i1 in 2022 offered a reduced-effort second HITRUST certification option. However, the 1-year certification timeline also meant repeating the effort annually. The rapid recertification creates an accelerated way to obtain the year 2 i1 certification and can be used every other year between full assessments. To qualify, the following must be met:
- Prior full assessment must be v11 or later,
- Same scope as the prior full assessment,
- No significant changes have been made,
- No material degradation of the environment has occurred.
The i1 rapid recertification will include a sample of 60 requirements, all not-applicable requirements, and any requirements associated with corrective action plans. Additionally, it will include any new requirements that have been added with subsequent CSF version releases. You may be asking yourself, is this basically an i1 interim assessment? No, it’s not. The i1 Rapid Recertification Assessment results in the same assessment reports that are issued for a full i1 assessment.
LBMC’s HITRUST team is here to help
Whether you are starting your HITRUST journey or have been on this ride for years, LBMC is here to help you navigate these updates. As the leader of the “10-year club” of HITRUST assessors, LBMC stands as the longest-serving assessor in the business with the most experienced team in the industry. We have helped countless organizations reach their HITRUST CSF Certification goal. And, yes, we have learned many lessons along the way. In fact, we are assessor council members and assist the industry with education and outreach. We feel compelled, and are somewhat obligated, to offer some words of encouragement and advice to those who are embarking on this journey. Please reach out any time to discuss how we can assist you on your journey!
Content provided by LBMC security professional, Robyn Barton.