HITRUST CSF Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they’re just mapped and aggregated differently. However, because they are mapped and aggregated differently, it is possible, but rare, for an organization to achieve certification against one framework but not the other. It is important to note that both certifications are achieved via the same assessment. There is no NIST CSF assessment separate from the HITRUST CSF assessment.
HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST CSF Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the HITRUST CSF Assessment Report.
HITRUST’s certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST CSF Assessment Report.
A scorecard and certification for the NIST Cybersecurity Framework can be generated from a prior assessment against HITRUST CSF v9 and v9.1. The cost of the additional scorecard is $500.
As part of the HITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of their cybersecurity program against the NIST Cybersecurity Framework and a scorecard detailing the assessment results based on the NIST Framework’s Core Subcategories.
Source: HITRUST Alliance FAQ
Contact: Ali Pabrai at Pabrai@ecfirst.com for a complimentary 29-minute, tailored Webinar on HITRUST: Fast Track to Certification.
Date: December 4, 2018