HITRUST, a security and privacy standards development and accreditation organization, announced its certification program for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the NIST Cybersecurity Framework (Framework). Through the HITRUST CSF Assurance Program and assessment scorecard for the NIST Framework, HITRUST offers organizations an effective and efficient means of assuring management, business partners, and regulators their compliance with the NIST Framework’s objectives.
By leveraging the HITRUST CSF a controls-based risk management framework that aligns with and supports the NIST Framework—HITRUST is positioned to deliver on the goal of sector-specific Target Profiles envisioned by NIST, the Federal Communication Commission’s Communications Security, Reliability and Interoperability Council in the Communications Sector, Health and Human Services (HHS) in the Healthcare and Public Health (HPH) Sector, U.S. Coast Guard and National Highway Traffic Safety Administration in the Transportation Sector, the Financial Services Sector Coordinating Council in the Financial Sector, and others. The NIST Framework requires an organization to determine the security controls it needs to achieve the objectives defined by the Core Subcategories, i.e., its Target Profile, and ensure there is a comprehensive process to assess those controls.
The HITRUST CSF’s integration of multiple industry-relevant statutory, regulatory, and best practice requirements into a single framework makes it easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress toward a cybersecurity program that fulfills the goals and objectives of the NIST Framework.
The 2018 Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection recognized “the alignment of the framework to the [HITRUST CSF] allows organizations to demonstrate compliance with NIST.” HITRUST also worked with the Department of Homeland Security and HHS to publish the Healthcare Sector Cybersecurity Framework Implementation Guide, helping healthcare organizations integrate all aspects of the NIST Framework into their cybersecurity programs. Building on this model, HITRUST has committed to developing additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors.
A HITRUST CSF scorecard of the NIST Framework provides:
- Compliance ratings for each NIST Framework Core Subcategory;
- guidance for approximating NIST Framework Implementation Tiers based on the compliance ratings; and
- consistent reporting across all critical infrastructure industries.
The HITRUST CSF Assurance Program can also help organizations understand and report their effectiveness against many other standards and leading practice frameworks. With one assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Framework, GDPR, International Organization for Standardization (ISO) 27001, Payment Card Industry (PCI) and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, and can obtain a Service Organization Control (SOC) 2 report.