Comparing the NIST Cybersecurity Framework and HITRUST Common Security Framework

The NIST Cybersecurity Framework (NIST CsF) continues to gain traction as a tool for reporting on the maturity and effectiveness of an organization’s cyber-related controls. At the same time, the HITRUST CSF continues to gain adoption as a controls and reporting framework for information privacy and security across many industries, both domestically and internationally. The NIST CsF and HITRUST CSF are complementary tools and can be used together to satisfy many needs within and across organizations.
How are the NIST CsF and HITRUST CSF related?
The NIST CsF provides a mechanism for assessing and maturing a cybersecurity program based on 98 objective-level Core Subcategories that describe intended cybersecurity outcomes. The HITRUST CSF and its Assurance Program complement the NIST CsF in two major ways: 1) the HITRUST CSF provides the details needed to implement each of the 98 cybersecurity objectives in a way that maps to and meets many critical compliance and risk management standards as efficiently as possible; and 2) the Assurance Program provides a standards-driven process to monitor, assess, and maintain those controls. Without the HITRUST CSF, practitioners using the NIST CsF must create these standards and processes themselves.
How has HITRUST enabled current NIST CsF users to get started?
With the release of HITRUST CSF v9, organizations participating in the HITRUST CSF Assurance Program can view their information privacy and security programs through the lens of the NIST CsF. The NIST CsF Scorecard, now provided in every HITRUST CSF assessment report, details how well an organization meets the objectives specified by the NIST CsF Core Subcategories, based on how well it has implemented the underlying HITRUST CSF controls. Organizations that do not undergo an assessment under the HITRUST CSF Assurance Program can prepare a similar report using a publicly available cross-reference between the HITRUST CSF controls and the NIST CsF Core Subcategories.
About the HITRUST CSF Assurance Program
By leveraging the HITRUST CSF Assurance Program, an organization can perform one assessment against the HITRUST CSF framework to satisfy multiple reporting requests, including HIPAA, SOC 2®, NIST Cybersecurity, MARS-E, or one of the other regulations or standards incorporated into the HITRUST CSF. In short, it reduces costs, resource burdens, and time via an “assess once, report many” approach.
Additional explanation on how the HITRUST CSF is a model implementation of the NIST CsF and provides support for an organization’s attestation of compliance with the NIST Cybersecurity Framework can be found on the Department of Homeland Security / US CERT website in the Healthcare Sector Cybersecurity Framework Implementation Guide.