866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What You Should Know About HITRUST CSF v11.3 Blog Feature
Michael Seegel

By: Michael Seegel

Print/Save as PDF

What You Should Know About HITRUST CSF v11.3

Healthcare Assessments | HITRUST

Though HITRUST released v11 of the HITRUST CSF back in January 2023, as of April 16, 2024, HITRUST released CSF v11.3. Standard practice is for HITRUST to update their CSF annually—at a minimum—and this v11.3 is a relatively minor revision with two main differences:

  1. Consolidation and reduction of requirement statements, and
  2. Additional and modification to mapped Authoritative Sources.

Even if these changes within v11.3 are considered small, those pursuing HITRUST certification must account for the updates to achieve compliance. As well-established external assessors for HITRUST, we’re going to offer some insight.

In this blog post, we’ll dive into both those changes from HITRUST so that you can get to work making any necessary adjustments to achieve and/or maintain compliance.

 

What are the 2 Changes in HITRUST CSF v11.3?

1. Reduced Requirement Statements

One of the long-time barriers for organizations attempting to implement HITRUST with a risk-based r2 assessment has been the intimidating number of requirement statements they’ve had to satisfy. Historically, the number of requirement statements often increased between versions—sometimes even significantly. So does v11.3 really reduce the amount of requirement statements you’ll have to account for?

To help determine this, we performed multiple test cases to ascertain a reasonable level of requirement statement reduction you can expect and whether a transition to v11.3 might be beneficial for those considering upgrading or undergoing initial certification.

In doing this, we generated three fictional scenarios that organizations with different risk profiles might enter into MyCSF. Here are our discovered changes in requirements from v11.2 to v11.3:

v11.2 Requirement Statement Amounts

v11.3 Requirement Statement Amounts

Difference

275

271

-4

537

490

-44

617

579

-38

Right away, you can see that the scenarios we ran for fictional organizations that—according to risk factor responses—had a higher risk profile (and therefore had more statements required of them) saw a higher reduction in the number of requirement statements.

But in general, of these scenarios that we generated, no assessments increased their number of requirements when upgrading from v11.2 to v11.3, which is good news for organizations that want to adopt the HITRUST CSF as the basis for their information security program.

2. Updated Authoritative Sources

HITRUST also added and modified their mapped Authoritative Sources in CSF v11.3. Here are a few notable changes:

  1. StateRAMP r5 and TX-RAMP r 5 Compliance Factors are Now Added
    • During HITRUST Collaborate in October 2023, many organizations expressed their interest in StateRAMP—in response, HITRUST has now included these as optional regulatory factors in v11.3.
  2. Artificial Intelligence (AI) Risk Management, OWASP AI Exchange, and MITRE ATLAS Compliance Factors are Now Added
  3. A NIST SP 800-172 Compliance Factor is Now Added
    • Previous optional NIST compliance factors included NIST SP 800-53 r4 and r5, as well as NIST SP 800-171 r2, and now NIST SP 800-172 can also be selected—an addition that further solidifies how prevalent various NIST frameworks are embedded within the HITRUST CSF.
    • NOTE: While not a selectable factor, HITRUST also incorporates a NIST Cybersecurity Framework Validated Assessment Report that is included with your HITRUST CSF Risk-Based, r2 Report—however, this is not available for the e1 or the i1.

HITRUST v11.3 Small Revision Regarding Offline Backups

 

In the interest of full transparency regarding all the changes in CSF v11.3, HITRUST also updated some wording to clarify its position on offline backups:

v11.2

The organization maintains offline backups of data.

v11.3

The organization maintains offline and/or immutable backups of data.

Though prior to this change, HITRUST still informally accepted immutable backups as well as offline backups, HITRUST has now made it clear through this revised wording that immutable backups meet the requirement.

 

Next Steps with HITRUST—v11.3 or Otherwise

However relatively minor these updates might seem, they’ll affect you particularly if your organization opts for an e1 or i1 assessment, as the use of v11.3 is now required for those assessments.

One way to ease your HITRUST compliance journey amidst these and other changes is to select an assessor who has significant experience performing these assessments. Your trusted partner and their level of expertise could be the difference between your organization presenting the correct or incorrect information to HITRUST, which could, in turn, have a significant impact on scores, timelines, and certification.

We at Schellman would love to help you not only with your HITRUST journey but also help you formulate a plan in which the information you put together for HITRUST can also be leveraged across other compliance audits and assessments you are already undergoing. Reach out to us today to speak more about how we can help streamline your compliance portfolio while maximizing its value, and in the meantime, check out our other content that can further simplify HITRUST:

About Michael Seegel

Michael Seegel is a Senior Manager with Schellman. Prior to joining Schellman in August 2018, Michael worked as an IT Audit Manager, specializing in managing SOC 1 & 2 Type II engagements. Michael also has prior experience performing HITRUST assessments, ISO 27002 audits, IT SOX compliance, and ERP implementations. As a manager at Schellman, Michael primarily focuses on performing HITRUST assessments for organizations in or doing business with healthcare organizations. Michael currently holds the CPA, CISSP, CISA, and CCSFP certifications.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.