Tackling HITRUST version changes
HITRUST is continually updating the Common Security Framework (CSF) based on updates to currently mapped and newly added frameworks and authoritative sources. These updates can cause changes to the number and applicability of HITRUST CSF requirement statements in your currently generated assessment objects. In general, the change in new requirement statements will not represent new controls to implement, but rather split current requirement statements to make them more granular and concise.
What does this mean for your organization? Whether you're already certified or preparing for a validated assessment, consider the following actions whenever HITRUST releases a new version:
Ask HITRUST support to back up your object. This is crucial to preserve work performed prior to refreshing your current assessment object. Once this object is backed up, you should be able to access the previous version object going forward.
Refresh your assessment object, and perform a gap analysis of new and modified requirement statements. Fortunately, the MyCSF tool will identify the differences for you. Remember, as long as you don't change any scoping factors, it isn't a major version change, or the threat landscape hasn't changed drastically, there should be few (if any) brand new requirements to deal with.
Reevaluate relevant project timelines based on the gap analysis. Preparing for a validated assessment? You have six months from the time the new version is released to the public to initiate an assessment against the previous version. Organizations getting ready for a validated assessment should review their current timeline and ensure a certified validated assessment is achievable within six months of a new version release.
Currently certified? You'll remain certified to that version for the full two years. This means your interim assessment will be performed against the version you certified against. It's important not to refresh your assessment object between certification and interim assessment to ensure you're assessed against the correct version. However, with HITRUST's assistance, you can develop a new object based on your initial object, update to the most current version, and begin working on gaps to ensure your organization is ready for the recertification assessment. This assessment must be done to the most current version in effect at the time.
A HITRUST assessor can address your organization's unique situation. Don't be shy about asking questions to help clarify the steps your organization should take.