
HITRUST CSF v9.6.0 Summary of Changes

Summary of Changes for v. 9.6.0

Version 9.6 Summary of Changes
Incorporates modifications to requirement statements and illustrative
procedures to support the introduction of the i1 Assessment and
refreshed NIST SP 800-53 revision 4 mapping

December 2021

© 2021 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or
utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.

Fundamental to the HITRUST mission is the availability of a common security and privacy framework, the
HITRUST CSF (“CSF”), which provides the needed structure, transparency, guidance, and cross-references
to authoritative sources organizations globally need to be certain of their data protection compliance.
The initial development of the CSF leveraged nationally and internationally accepted security and privacy
related regulations, standards, and frameworks—including ISO, NIST, PCI, HIPAA, and COBIT—to ensure a
comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing
clarity and consistency, and reducing the burden of compliance.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating
the CSF to integrate and normalize applicable requirements and best practices as authoritative sources.

In developing a framework that can meet the needs of organizations locally, nationally, and globally,
HITRUST recognizes that various organizations may have requirements imposed as a result of being part
of a smaller community—such as a subset of an industry group, a State Agency, or by a cooperative
sharing agreement. In many cases, these may not be new security or privacy controls but more specific
implementation requirements. HITRUST has established a mechanism in the HITRUST CSF, enabled
through HITRUST MyCSF (MyCSF), for these requirements to be incorporated, harmonized, and
selected for inclusion during the assessment process and then included in the HITRUST Readiness
Assessment Report. The intent is to reduce any additional assessments by enabling organizations to
Assess Once, Report Many™. HITRUST CSF v9.6 includes such community standards, and we are
evaluating the inclusion of others based on market demand.

The HITRUST CSF v9.6 release includes changes based on feedback from the HITRUST community;
miscellaneous corrections; clarification and enhancement of certain illustrative procedures to ensure
alignment with the corresponding authoritative sources; modifications of certain requirement
statements and illustrative procedures in anticipation of the i1 release, as well as a refreshed NIST SP
800-53 revision 4 mapping and the inclusion of NIST SP 800-53 revision 4 as a selectable compliance
factor. These updates reflect HITRUST’s commitment to providing a framework fitting for any
organization globally. Organizations required or choosing to include NIST SP 800-53 revision 4
requirements can select them with other compliance factors under the Admin & Scoping section of the
MyCSF platform.

Minor administrative updates, such as correcting grammar or formatting errors, are generally not
reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer
version, which do not impact existing content, are also generally not reflected.

As detailed in HAA 2021-006, all new versions of the HITRUST CSF will be displayed in MyCSF using the
versioning syntax of v[Major].[Minor].[Errata]. The HITRUST CSF v9.6 release has been classified as a
minor release in line with HAA 2021-005 as it consists of additions, removals, or changes to Authoritative
Sources, related Regulatory/Compliance Factors, or mappings. To provide transparency into the updates
introduced in each new version of the CSF, MyCSF will allow Assessed Entities to preview the effects of
upgrading their assessment to a new CSF version. The MyCSF preview functionality provides a high-level
summary and a detailed report of all modifications that would result from upgrading the CSF version
utilized for a particular assessment. All content changes included within the HITRUST CSF v9.6 release can
be viewed through this MyCSF functionality.