HITRUST Version 10 is Coming – Here’s What to Expect
By Christopher Shaffer, Director, Risk Advisory Services
HITRUST CSF version 10 is expected to be a monumental release. As a significant revision, it is designed to be used across an array of industries, not just health care as has been the case. HITRUST positions itself as the only certification body for the NIST Cybersecurity Framework, and while HITRUST has traditionally focused on health care organizations, version 10 moves toward a general security framework to which optional regulatory factors (e.g., PCI, HIPAA) can be added for specific industries. This should help adoption of the CSF outside the health care world by giving organizations that want to provide assurance to their clients a path to certification through a third-party validated assessment.
CSF version 10 will require certification against all 135 control references, whereas version 9.2 currently requires only 75 of the 135 for certification. When you consider that the average number of individual requirement statements for a Level 1 assessment is around 250, and for a Level 3 assessment with normal system factors is 550-plus, you can see the increase in effort this may entail. For reference, when HITRUST moved from 66 control references required for certification to 75 with the release of version 9, the number of individual requirement statements increased by 30-40 percent.
So When is Version 10 Due?
Current wisdom puts version 10 at a mid-2020 release date at the absolute earliest. Timing matters given the potential increase in effort once all 135 control references are required for certification. To help organizations with adoption, HITRUST has informally mentioned that it will allow a 12-18-month adoption period before organizations are required to switch to version 10. Today, organizations with an assessment in progress have six months after the introduction of a new version to finish that assessment under the prior version.
In the interim, version 9.3 will be released as a bridge between the monumental changes version 10 will bring and the routine updates required to keep the CSF aligned with current standards. However, it will not be required for long, since version 9 as a whole remains the current release and will be superseded by version 10.
Are you considering adopting the HITRUST CSF and need assistance with your certification and assessment strategy? Contact Chris Shaffer, CISSP, CISA, CCSFP, QSA, for discussion of how we can help with readiness assessments, third-party validated reports for certification or general advisory needs.