While the release of CSF version 11 has reduced redundancies and streamlined the journey to higher levels of assurance, it has also introduced new and expanded expectations for HITRUST certification. Assessed entities can engage external assessors to perform a delta assessment to evaluate both the impact of transitioning from prior CSF versions and the organization’s preparedness to meet these expanded expectations.

At this year’s HITRUST Collaborate conference, LBMC partnered with a client who had completed a delta assessment to demonstrate how such an analysis can be used to effectively prepare for and execute the transition to v11. Here are some key takeaways from the presentation.

Understanding HITRUST CSF v11

HITRUST CSF v11 introduced several important changes to the framework intended to reduce redundancy and simplify the certification process. A successful transition depends on understanding these changes.

v11 Release and v9 Decommission

HITRUST released version 11 of the CSF in January 2023 and is currently on version 11.3, as of April 2024. HITRUST is also in the process of decommissioning the version 9.x series, with the goal of having every assessment use version 11 by mid-2025.

Key Improvements

The new version delivers threat adaptive assessments, expands and aligns the assessment portfolio, enables a traversable assessment journey, decreases redundancy in requirement statements and illustrative procedures, includes new and refreshed Authoritative Sources, and ultimately reduces the level of effort required to achieve and maintain certification.

By offering a more streamlined and comprehensive framework that addresses present and future threats, HITRUST CSF v11 marks a major development in cybersecurity standards.

The Impact of v11 Changes

Organizations must be aware of and ready for the shift to v11, since it brings stricter criteria and revised control requirements.

Stricter Criteria

v11 makes it more difficult for organizations to achieve and maintain compliance: each requirement statement is broken into evaluative elements, and every element must be fulfilled to earn a full score on that requirement.

New and Updated Control Requirements

The version also comes with new and updated requirement statement language and illustrative procedures to address the new and refreshed Authoritative Sources and align with the latest industry standards, ultimately creating a more comprehensive and rigorous framework.

Continuously Evolving Standards

e1 and i1 assessments are designed to be threat-adaptive: their requirement statements are selected to address active cybersecurity threats based on HITRUST’s quarterly reconciliation of cyber threat intelligence against the HITRUST CSF requirements. In practice, this means the requirement statements are reviewed at least quarterly and updated as necessary to keep the framework responsive to current threats.

Taken together, the v11 changes hold organizations to higher standards of cybersecurity and compliance, which is why careful planning and a clear understanding of the new requirements are essential.

Best Practices for Making the Transition to v11

A smooth transition to v11 depends on careful planning. This involves determining the delta between your v9 and v11 requirements, completing a readiness assessment against that delta, and planning the transition timeline.

Determine Your v9 to v11 Delta

First, create a detailed comparison report in MyCSF outlining the key changes to your assessment triggered by the version update. Either ask your external assessor to clone your current v9 object, update it to the latest version, and then download the report, or contact HITRUST directly and have them pull it for you.

Perform a Delta Assessment

Once you have determined the delta between versions for your specific assessment, perform some level of evaluation and testing against that delta. If gaps are identified, plan remediation so that you can evidence compliance with any new or updated requirements. An external assessor like LBMC can assist by performing the delta assessment on your behalf, freeing your resources to focus on your core competencies.

Timing is Everything

It is never too early to begin a delta assessment – the earlier you start, the more time you will have for remediation. If feasible, perform your delta assessment concurrently with other audits and assessments to reduce duplicate evidence gathering and avoid audit fatigue. Just remember HITRUST’s 90-day incubation period requirement – i.e. all controls established by the Assessed Entity in support of each HITRUST requirement statement, including newly implemented controls and controls remediated due to deficiencies, must be implemented and operating in their current state for a minimum of 90 days prior to testing. In scheduling terms, any remediation identified by the delta assessment must be in place at least 90 days before the validated assessment’s testing window opens.

Determining where your requirement set will change, evaluating your readiness to evidence any new or revised requirements, and building a schedule that accommodates all of it will help you make a smooth and successful transition to version 11.

Benefits of Leveraging an External Assessor

Many benefits can be realized by involving an external assessor like LBMC in this process that go beyond simply performing the delta assessment on your behalf.

Identification of Immaterial Changes

Since the detailed comparison report pulls ALL changes made to the assessment, including grammar updates, it contains many line items that do not represent a material change to the requirement set. External assessors can combine their HITRUST knowledge with their experience running delta reports to quickly filter out these immaterial changes, saving your organization time and effort.

Reporting Findings by Priority

If you engage an external assessor to perform the delta assessment, they can also help you prioritize the gaps to remediate based on their knowledge of how much each gap will affect your domain scores.

Analyzing Scope Expansions or Changes

Since the transition to version 11 is such a major lift, it is also an ideal time to re-evaluate the scope of your assessment. External assessors can assist with this evaluation to ensure you arrive at a scope that is complete and accurate without creating unnecessary additional work for you and your team.

Remediation Assistance

External assessors can also identify gaps in your ability to meet the new and updated requirements and can even assist with remediation efforts as long as these activities remain independent (i.e. the team helping with remediation must be separate from the team performing the v11 validated assessment).

Ultimately, leveraging an external assessor like LBMC during any part of the transition will not only introduce time and effort savings, but also add value to the delta assessment process that will leave your company better prepared to make the transition.

Case Study – A Client’s Successful Transition to v11

A digital behavioral health company that recently leveraged LBMC to perform a delta assessment on their behalf experienced these benefits firsthand and provides a practical example of how to navigate the changes and make the transition successfully.

Delta Assessment Results

When LBMC initially pulled the detailed comparison report from MyCSF, it indicated that 84% of the assessment had changed due to v11. After LBMC analyzed the report, however, only 54% of those flagged changes turned out to be material. LBMC performed a delta assessment on those changes and provided the client with a report outlining where gaps were identified, along with recommendations for remediation.

Lessons Learned

The client’s point of contact cited many benefits from the assessment, including time and cost savings, increased buy-in to the value of HITRUST across the organization, and reduced audit fatigue from performing the delta assessment and the interim assessment concurrently.

This client’s transition to v11 demonstrates the importance of early preparation, conducting a delta assessment, leveraging the expertise of external assessors, and remediating where needed to ensure compliance and success.

In Conclusion

Transitioning to HITRUST CSF v11 is a challenge that requires careful planning, disciplined execution, and an understanding of the new requirements. A delta assessment, the support of your external assessor, and a well-prepared transition schedule can help ensure a smooth and successful move to v11.

Whether you are starting your HITRUST journey or have been on this ride for years, LBMC is here to help you navigate these updates. As the leader of the “10-year club” of HITRUST assessors, LBMC is the longest-serving assessor in the business, with the most experienced team in the industry, and offers comprehensive services to assist organizations in transitioning to HITRUST CSF v11, including delta assessments, policy and procedure reviews, readiness testing, and remediation support. Our team of experts can help you make the transition and reach your HITRUST CSF Certification goal.

Contact LBMC today to learn more about our HITRUST services and how we can help your organization achieve and maintain certification.

Content provided by LBMC Senior Cybersecurity Consultant Katelyn Stansfield.