Up to 44 added requirements
As of version 11.4.0 of the HITRUST CSF (to be released in Nov. 2024), the assessment needed to achieve the HITRUST AI Cybersecurity Certification consists of up to 44 HITRUST CSF requirement statements. See this page for a breakdown of these 44 requirement statements by AI security topic.
However, please consider the following:
- These 44 requirement statements cannot be assessed in isolation. Instead, they must be added into a HITRUST e1, i1, or r2 assessment. As a result, the total number of requirement statements in the overall assessment will be more than 44 requirements.
  For example:
  - A combined assessment featuring a HITRUST e1 assessment with the cybersecurity for AI deployers factor will include the 44 requirement statements that comprise the HITRUST e1 and up to 44 additional requirement statements needed for the HITRUST cybersecurity assessment and certification.
  - A combined assessment featuring a HITRUST i1 assessment with the cybersecurity for AI deployers factor will include the 182 requirement statements that comprise the HITRUST i1 and up to 44 additional requirement statements needed for the HITRUST cybersecurity assessment and certification.
- Affected by tailoring: Not all 44 requirement statements will be included in each assessment in MyCSF. Instead, the assessment is tailored to include only a subset of these 44 based on the organization’s responses to tailoring questions. This is true regardless of the type of HITRUST assessment (e1, i1, r2) the AI security assessment is being appended to.
- Allowance for control deficiencies: Not all 44 will need to be fully implemented to achieve the HITRUST AI security certification. Just like HITRUST’s other certifications, there is an allowance for control deficiencies.
- Will change over time: The HITRUST CSF is constantly updated in light of changes to the cybersecurity threat landscape and in response to changes in the underlying authoritative sources we harmonize. As a result, future versions of the HITRUST CSF may include a different number of requirement statements in the HITRUST cybersecurity assessment and certification.