What's New in HITRUST CSF 11.8.0 and Why It Matters for Your Organization
Published: May 14, 2026
On May 7, 2026, HITRUST announced the release of CSF version 11.8.0. The HITRUST Common Security Framework (CSF) has become a cornerstone compliance standard for organizations across healthcare, financial services, and other regulated industries. By consolidating requirements from multiple frameworks like HIPAA, HITECH, and ISO 27001, HITRUST CSF provides a unified, risk-based approach to security and compliance that many organizations have built their entire control environments around.
Whenever a framework as foundational as HITRUST releases a new version, it is natural to wonder if your organization should use the new version going forward. In this blog post, we’ll highlight the changes from HITRUST CSF 11.8.0 to help you understand what it means for your organization.
Do You Need to Upgrade to CSF 11.8.0?
The first question to ask is: “Do we have to use CSF version 11.8.0, and when?”
According to HITRUST rules, r2 assessments can use any currently available CSF version 11. So, if you’re undergoing (or starting to think about) a HITRUST r2 assessment, it is not required to upgrade to 11.8.0, especially if your organization has based your work against a particular version.
If you are undergoing an e1 or i1 HITRUST assessment, the answer is a bit different. The HITRUST rules require an e1 or i1 to be assessed against the most current CSF version. According to advisory HAA-2026-003, if you created an object in MyCSF before May 7, 2026, you can continue to use version 11.7.0. If you have not already created your e1 or i1 object in MyCSF, version 11.8.0 must be used going forward.
What Has Changed in CSF 11.8.0
Now that you understand which version to use, it’s important to know what has actually changed. CSF 11.8.0 introduces several notable updates across authoritative sources and baseline controls.
Updated Authoritative Sources and Framework Mappings
HITRUST has added and updated new authoritative sources that strengthen the framework’s relevance across industries. New sources include Commonwealth of Virginia Information Technology Resource Management Standard SEC530, NIST SP 800-137, ISO/IEC 29100:2024 and OWASP LLM v2025. Additionally, HITRUST has updated its mappings to Texas Medical Records Privacy Act, PCI DSS v4.0.1 and AICPA SOC 2 Trust Services Criteria.
HITRUST is constantly refreshing and updating its sources, which makes the HITRUST CSF a staple in many organizations’ internal and external risk assurance processes. Undergoing a typical r2 HITRUST assessment will allow you to consolidate audits and assessments more easily because of how HITRUST maps against other frameworks, standards and regulations.
Performing a HITRUST r2 assessment won’t completely eliminate the need to have other audit reports and certifications, but it may reduce the burden of providing separate evidence for each report and certification.
At Schellman, we are experts in aiding your de-duplication efforts across multiple audits and assessments. We can walk you through the HITRUST mapping and demonstrate ways in which we help reduce your internal efforts.
Two Baseline Statement Updates in CSF 11.8.0
The second major update in v11.8.0 involves two HITRUST baseline statements (controls). The updates are significant for e1 HITRUST assessments, as they apply to baseline statements within the affected domains. Understanding this change could mean the difference between getting a certification or not. Since all baseline statements from the e1 are part of every i1 and r2 assessment as well, understanding these changes is critical across all assessment types.
Domain 3: Portable Media Security Updates
The first baseline statement update is from Domain 3, Portable Media Security. This control update rearranged the elements to create a clearer, more logical structure for readers. It provides much-needed separation between what is required for digital portable media and what is required for non-digital portable media.
Now, transported portable digital media requires encryption and accountability, whereas non-digital media (such as paper documents) require accountability. The changes affect the elements themselves and how the language is presented, but not the overall control structure.
Domain 14: Third Party Assurance—A More Objective Standard
The second baseline statement update is from Domain 14, Third Party Assurance, and is more significant than the first. Two important items were updated on this baseline statement.
First, “independent verifications” was added to independent assessments, which allows the organization to assess its third parties even if they don’t have audited third-party reports. Second, “the suitability of the third parties’ information security practices” was replaced with “compliance with contract provisions.”
This shift is important because it replaces wording that was previously subjective with wording that is objective. Now, to comply with this HITRUST requirement, organizations that allow third-party access to their scoped systems or information are required to independently verify third-party information security practices against contractual obligations at least annually.
Planning Your CSF 11.8.0 Strategy
Now that you understand the requirements and changes, the question becomes: What does this mean for your organization? If you're operating under an r2 assessment, you have flexibility in your upgrade timeline. If you're planning an e1 or i1 assessment and haven't yet created your MyCSF object, version 11.8.0 is your path forward.
For detailed information on the CSF version 11.8.0 release, visit this link to HITRUST’s website: https://hitrustalliance.net/advisories/haa-2026-002-csf-version-11.8.0-release.
If you want experts to walk you through your HITRUST journey, or need guidance on reducing audit fatigue by de-duplicating your internal compliance efforts, we’re here to help. Please reach out to us to discuss how we can support your CSF 11.8.0 adoption strategy.
About Michael Seegel
Michael Seegel is a Senior Manager with Schellman. Michael works primarily with clients in the healthcare space and specializes in HITRUST assessments. He is the main developer of Schellman’s internal HITRUST methodology and training practices. Prior to joining Schellman, Michael worked as an IT Audit Manager, specializing in managing SOC 1 & 2 Type II engagements. Michael also has prior experience performing HITRUST assessments, ISO 27002 audits, IT SOX compliance, and ERP implementations. As a Senior Manager at Schellman, Michael is primarily focused on performing HITRUST assessments for organizations in healthcare or doing business with healthcare organizations.