The HITRUST CSF framework is Cyber Threat Adaptive (CTA) to ensure organizations have controls in place to address current threats. As part of the CTA process, HITRUST regularly reviews current threat intelligence data that has been associated with MITRE ATT&CK techniques, and utilizes the MITRE ATT&CK mitigations to identify the controls within the CSF framework necessary for each assessment type. As cyber threats evolve over time, HITRUST may identify new threats as part of the CTA process. When a new urgent threat is identified which needs to be addressed through a new mitigation, HITRUST will expedite the consideration and inclusion of additional requirement statements within the HITRUST CSF through the Emerging Mitigation Process (EMP). Please note the EMP is not launched for each newly identified threat as most threats will have existing mitigations (and corresponding HITRUST requirements) within the HITRUST CSF. The EMP will only be launched when HITRUST identifies an urgent and serious threat requiring a prioritized response.

The introduction of new requirement statements initiated through the EMP will impact each Assessed Entity differently depending on where it is within its certification cycle. This chapter outlines the EMP steps and expectations for an Assessed Entity when HITRUST must introduce new requirement statements through the EMP process.

Please note the EMP is separate from HITRUST’s standard review and update process for the HITRUST CSF framework. If HITRUST identifies a new threat through the EMP which is not currently addressed in the HITRUST CSF framework, Assessed Entities must be mindful of the potential impact within their environments, since the corresponding risk may not have previously been considered within their HITRUST assessments.

NOTE: For a more detailed discussion around HITRUST’s CTA approach, see A-4 Cyber Threat Adaptive Control Specification in the HITRUST Risk Management Handbook.

HITRUST Community Notification

Upon activation of the EMP, HITRUST will first notify the HITRUST community that a new mitigation has been identified. As part of the notification, HITRUST will include detailed information on the threat, the potential risks, and the additional requirement statement(s) being added to HITRUST assessments as part of the mitigation.

15.9.1 Upon receipt of the HITRUST notification, Assessed Entities should perform a self-assessment to determine susceptibility to the threat. If an Assessed Entity determines that it has an exposure to the threat, it should implement the new HITRUST requirement.

CSF Version Release Process

Activation of the EMP will result in any new requirement statement(s) being added as an errata release for each CSF version currently available for assessment creation (e.g., v11.0.x, v11.1.x, v11.2.x). Due to the increased risk posed by a newly identified threat, HITRUST will impose a creation and submission deadline for prior CSF versions which do not include the requirement statement(s).

15.9.2 HITRUST will announce creation and submission deadlines for previous CSF versions which do not include the HITRUST requirement statement(s) added through the EMP. The following upgrade processes will be utilized:

  • All new e1, i1, and r2 assessments created after the notification deadline will use an errata version that includes the requirement statement(s).
  • Any existing e1, i1, and r2 assessments not yet submitted to HITRUST may optionally be upgraded to the new errata version. If these assessments are not submitted by the announced submission deadline, they must be upgraded to the new errata version.
  • The new requirement statement(s) will also be included in any r2 interim assessments created after the community notification deadline.
  • Existing interim assessments and interim assessments created prior to the announced deadline will not include the new requirement statement(s).

15.9.3 When any new requirement statement(s) related to the EMP release is assessed within an r2 interim assessment, the interim letter will include a statement indicating that the requirement statement(s) were included in the interim assessment, together with the requirement statement score(s). If a new requirement statement related to the EMP release scores less than 62, HITRUST will require a CAP to be entered in MyCSF and will state in the letter that a CAP was provided. For more information on CAPs, see Chapter 13.9 CAPs and Gaps.