# HITRUST Common Security Framework v11

Comprehensive security framework widely adopted in healthcare, integrating requirements from HIPAA, NIST 800-53, ISO 27001, PCI DSS, and other standards. It defines 14 control categories covering information security management, access control, human resources security, risk management, security policy, organisation of information security, compliance, asset management, physical and environmental security, communications and operations management, information systems development, incident management, business continuity, and privacy practices. It supports three assessment types: e1 (essential), i1 (implemented), and r2 (risk-based validated).

Mapped controls per NIST 800-53 family: AC (17), AT (5), AU (12), CA (6), CM (11), CP (9), IA (7), IR (9), MA (3), MP (8), PE (19), PL (8), PM (22), PS (8), PT (7), RA (7), SA (11), SC (15), SI (12), SR (6)
## AC Access Control

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 01.a, 04.a |
| AC-02 | Account Management | 01.a, 02.c |
| AC-03 | Access Enforcement | 01.a, 01.c, 13.e |
| AC-04 | Information Flow Enforcement | 01.b, 09.e |
| AC-05 | Separation Of Duties | 01.a |
| AC-06 | Least Privilege | 01.a, 13.c, 13.e |
| AC-07 | Unsuccessful Login Attempts | 01.c |
| AC-08 | System Use Notification | 01.c |
| AC-09 | Previous Logon Notification | 01.c |
| AC-10 | Concurrent Session Control | 01.c |
| AC-11 | Session Lock | 01.c |
| AC-12 | Session Termination | 01.c |
| AC-16 | Automated Labeling | 07.b |
| AC-17 | Remote Access | 01.b, 01.d, 05.c |
| AC-18 | Wireless Access Restrictions | 01.b |
| AC-19 | Access Control For Portable And Mobile Devices | 01.b, 01.d, 05.c |
| AC-20 | Use Of External Information Systems | 01.b, 01.d, 05.c |
## AT Awareness and Training
## AU Audit and Accountability

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 04.a, 09.g |
| AU-02 | Auditable Events | 09.g |
| AU-03 | Content Of Audit Records | 09.g |
| AU-04 | Audit Storage Capacity | 09.g |
| AU-05 | Response To Audit Processing Failures | 09.g |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 09.g, 11.b |
| AU-07 | Audit Reduction And Report Generation | 09.g |
| AU-08 | Time Stamps | 09.g |
| AU-09 | Protection Of Audit Information | 09.g, 11.c |
| AU-11 | Audit Record Retention | 06.b, 09.g, 11.c |
| AU-12 | Audit Record Generation | 09.g |
| AU-14 | Session Audit | 09.g, 11.c |
## CA Security Assessment and Authorization

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 04.a, 06.c |
| CA-02 | Security Assessments | 00.b, 04.b, 06.c, 12.c |
| CA-03 | Information System Connections | 05.b |
| CA-05 | Plan Of Action And Milestones | 00.b, 03.b, 06.c |
| CA-07 | Continuous Monitoring | 00.b, 00.c, 03.b, 04.b, 06.c, 11.b, 12.c |
| CA-08 | Penetration Testing | 06.c |
## CM Configuration Management

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 04.a, 09.a |
| CM-02 | Baseline Configuration | 09.a |
| CM-03 | Configuration Change Control | 09.a, 10.d |
| CM-04 | Monitoring Configuration Changes | 09.a, 10.d |
| CM-05 | Access Restrictions For Change | 09.a |
| CM-06 | Configuration Settings | 09.a |
| CM-07 | Least Functionality | 09.a |
| CM-08 | Information System Component Inventory | 05.c, 07.a, 10.e |
| CM-09 | Configuration Management Plan | 07.a |
| CM-12 | Information Location | 07.a |
| CM-13 | Data Action Mapping | 07.a |
## CP Contingency Planning

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 04.a, 09.d, 12.a |
| CP-02 | Contingency Plan | 09.b, 09.d, 12.a, 12.b |
| CP-03 | Contingency Training | 12.b, 12.c |
| CP-04 | Contingency Plan Testing And Exercises | 12.b, 12.c |
| CP-06 | Alternate Storage Site | 09.d, 12.b |
| CP-07 | Alternate Processing Site | 12.b |
| CP-08 | Telecommunications Services | 12.b |
| CP-09 | Information System Backup | 09.d, 12.b |
| CP-10 | Information System Recovery And Reconstitution | 09.d, 12.b |
## IA Identification and Authentication

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 01.a, 04.a |
| IA-02 | User Identification And Authentication | 01.a, 01.c |
| IA-04 | Identifier Management | 01.a, 02.c |
| IA-05 | Authenticator Management | 01.a, 01.c |
| IA-06 | Authenticator Feedback | 01.c |
| IA-07 | Cryptographic Module Authentication | 10.c |
| IA-11 | Re-authentication | 01.c |
## IR Incident Response

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 04.a, 11.a |
| IR-02 | Incident Response Training | 11.a |
| IR-03 | Incident Response Testing And Exercises | 11.a |
| IR-04 | Incident Handling | 11.a, 11.b, 11.c |
| IR-05 | Incident Monitoring | 11.a, 11.b |
| IR-06 | Incident Reporting | 11.a, 11.b |
| IR-07 | Incident Response Assistance | 11.a |
| IR-08 | Incident Response Plan | 11.a |
| IR-09 | Information Spillage Response | 11.b |
## MA Maintenance
## MP Media Protection

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | 04.a, 09.f |
| MP-02 | Media Access | 07.b, 09.f |
| MP-03 | Media Labeling | 07.b, 09.f |
| MP-04 | Media Storage | 07.b, 09.d, 09.f |
| MP-05 | Media Transport | 07.b, 09.f |
| MP-06 | Media Sanitization And Disposal | 06.b, 09.f |
| MP-07 | Media Use | 01.d, 09.f |
| MP-08 | Media Downgrading | 09.f |
## PE Physical and Environmental Protection

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 04.a, 08.a |
| PE-02 | Physical Access Authorizations | 02.c, 08.a |
| PE-03 | Physical Access Control | 08.a |
| PE-04 | Access Control For Transmission Medium | 08.a |
| PE-05 | Access Control For Display Medium | 08.a |
| PE-06 | Monitoring Physical Access | 08.a |
| PE-07 | Visitor Control | 08.a |
| PE-08 | Access Records | 08.a |
| PE-09 | Power Equipment And Power Cabling | 08.b |
| PE-10 | Emergency Shutoff | 08.b |
| PE-11 | Emergency Power | 08.b, 09.b |
| PE-12 | Emergency Lighting | 08.b |
| PE-13 | Fire Protection | 08.b |
| PE-14 | Temperature And Humidity Controls | 08.b, 09.b |
| PE-15 | Water Damage Protection | 08.b |
| PE-16 | Delivery And Removal | 08.b, 09.f |
| PE-17 | Alternate Work Site | 01.d, 05.c |
| PE-18 | Location Of Information System Components | 08.a |
| PE-20 | Asset Monitoring and Tracking | 08.b |
## PL Planning

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | 00.a, 04.a, 05.a, 13.a |
| PL-02 | System Security Plan | 00.a, 00.c, 03.b, 04.a, 04.b, 06.a |
| PL-04 | Rules Of Behavior | 00.a, 02.a, 02.b, 04.a |
| PL-07 | Concept of Operations | 10.a |
| PL-08 | Security and Privacy Architectures | 10.a |
| PL-09 | Central Management | 05.a |
| PL-10 | Baseline Selection | 00.a |
| PL-11 | Baseline Tailoring | 00.a |
## PM Program Management

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 00.a, 00.c, 04.a, 05.a, 13.a |
| PM-02 | Information Security Program Leadership Role | 00.a, 04.a, 05.a, 13.a |
| PM-03 | Information Security and Privacy Resources | 00.a, 04.a |
| PM-04 | Plan of Action and Milestones Process | 03.b, 11.b |
| PM-05 | System Inventory | 00.a, 00.c, 04.b, 07.a |
| PM-06 | Measures of Performance | 00.a, 00.c, 04.b, 06.c |
| PM-07 | Enterprise Architecture | 00.a |
| PM-08 | Critical Infrastructure Plan | 06.a, 12.a |
| PM-09 | Risk Management Strategy | 00.a, 00.b, 03.a, 03.b, 12.a |
| PM-10 | Authorization Process | 00.a, 03.b, 05.a |
| PM-11 | Mission and Business Process Definition | 00.a, 06.a, 12.a |
| PM-13 | Security and Privacy Workforce | 02.b |
| PM-14 | Testing, Training, and Monitoring | 00.c, 02.b, 04.b, 06.c, 12.c |
| PM-18 | Privacy Program Plan | 13.a |
| PM-19 | Privacy Program Leadership Role | 13.a |
| PM-20 | Dissemination of Privacy Program Information | 13.a, 13.b |
| PM-21 | Accounting of Disclosures | 13.b, 13.d |
| PM-22 | Personally Identifiable Information Quality Management | 13.b, 13.d |
| PM-24 | Data Integrity Board | 05.a |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | 06.b, 13.c, 13.e |
| PM-26 | Complaint Management | 06.b, 13.c, 13.d |
| PM-28 | Risk Framing | 00.b, 03.a |
## PS Personnel Security

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 02.a, 04.a |
| PS-02 | Position Categorization | 02.a |
| PS-03 | Personnel Screening | 02.a |
| PS-04 | Personnel Termination | 02.c |
| PS-05 | Personnel Transfer | 02.c |
| PS-06 | Access Agreements | 01.a, 02.a, 02.b |
| PS-07 | Third-Party Personnel Security | 02.b, 05.a, 05.b |
| PS-08 | Personnel Sanctions | 02.b |
## PT Personally Identifiable Information Processing and Transparency

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| PT-01 | Policy and Procedures | 04.a, 06.a, 06.b, 13.a, 13.e |
| PT-02 | Authority to Process Personally Identifiable Information | 06.a, 06.b, 13.a, 13.c, 13.e |
| PT-03 | Personally Identifiable Information Processing Purposes | 06.a, 13.a, 13.c |
| PT-04 | Consent | 06.b, 13.b, 13.e |
| PT-05 | Privacy Notice | 06.b, 13.b, 13.d |
| PT-06 | System of Records Notice | 13.c, 13.d |
| PT-07 | Specific Categories of Personally Identifiable Information | 13.c |
## RA Risk Assessment

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | 00.b, 03.a, 04.a |
| RA-02 | Security Categorization | 00.b, 03.a, 07.a, 07.b |
| RA-03 | Risk Assessment | 00.b, 03.a |
| RA-05 | Vulnerability Scanning | 03.a, 06.c, 09.c, 10.e |
| RA-07 | Risk Response | 00.b, 03.a, 03.b |
| RA-09 | Criticality Analysis | 00.b, 03.a, 07.a, 12.a |
| RA-10 | Threat Hunting | 09.c, 10.e |
## SA System and Services Acquisition

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 04.a, 10.a |
| SA-02 | Allocation Of Resources | 10.a |
| SA-03 | Life Cycle Support | 09.b, 10.a, 10.d |
| SA-04 | Acquisitions | 05.b, 06.a, 09.b, 10.a |
| SA-08 | Security Engineering Principles | 09.b, 10.a, 10.d |
| SA-09 | External Information System Services | 05.b |
| SA-10 | Developer Configuration Management | 09.a, 10.d |
| SA-11 | Developer Security Testing | 09.b, 10.b, 10.d |
| SA-15 | Development Process, Standards, and Tools | 10.b, 10.d |
| SA-16 | Developer-Provided Training | 10.d |
| SA-17 | Developer Security and Privacy Architecture and Design | 10.b, 10.d |
## SC System and Communications Protection

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 04.a, 09.e |
| SC-05 | Denial Of Service Protection | 09.e |
| SC-07 | Boundary Protection | 01.b, 01.d, 05.c, 09.e |
| SC-08 | Transmission Integrity | 01.b, 09.e, 09.f, 10.c |
| SC-10 | Network Disconnect | 01.b |
| SC-12 | Cryptographic Key Establishment And Management | 10.c |
| SC-13 | Use Of Cryptography | 01.c, 10.c |
| SC-16 | Transmission Of Security Parameters | 07.b |
| SC-17 | Public Key Infrastructure Certificates | 10.c |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | 09.e |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | 09.e |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | 09.e |
| SC-23 | Session Authenticity | 01.b |
| SC-28 | Protection of Information at Rest | 01.d, 09.f, 10.c, 13.e |
| SC-44 | Detonation Chambers | 09.c |
## SI System and Information Integrity

| Control | Name | HITRUST CSF v11 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 04.a |
| SI-02 | Flaw Remediation | 09.c, 10.e |
| SI-03 | Malicious Code Protection | 09.c |
| SI-04 | Information System Monitoring Tools And Techniques | 09.c, 09.e, 09.g, 11.a, 11.c |
| SI-05 | Security Alerts And Advisories | 09.c, 10.e, 11.a |
| SI-06 | Security Functionality Verification | 10.d |
| SI-07 | Software And Information Integrity | 09.c, 11.c |
| SI-08 | Spam Protection | 09.c |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | 10.b |
| SI-11 | Error Handling | 10.b |
| SI-12 | Information Output Handling And Retention | 06.b, 13.c |
| SI-15 | Information Output Filtering | 10.b |