CLIMBERS take many different paths to elevate to their summit. Going above and beyond for our clients and fellow CLIMBERS is recognized through the annual value awards at CLIMB, A-LIGN’s annual training and team-building event. “Featured CLIMBER:
Many organizations understand encryption is the key to keeping sensitive information secure, but there are several options like modules and algorithms to choose from – many without an established standard. “FIPS 140-2 and FedRAMP: A 3PAO Perspective”
The new normal is anything but normal, but before we join in the chorus of “uncertain times” let’s take a moment to reflect on how standards organizations have responded to COVID-19 to enable remote audits so that organizations can continue to demonstrate trust. “The New Normal:
Fully-Enabled Remote Audits”
The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. “Federal Compliance Definitions: A Glossary of Terms”
Federal assessments like FedRAMP, FISMA and NIST 800-171 help mitigate the risk of data breaches to important federal government agencies and departments, making them mandatory assessments used for federal security standards. “Protecting the Nation: How to Achieve Federal Compliance”
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for any organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 grew the framework to make it useful for any organization around the globe.
CSF v9.3 will be released Q3 of 2019 and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.
Incorporation with the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to undergo CSF v9.3. If you are not interested in adding these factors, you can instead opt to undergo CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality helped over 130 clients successfully achieve HITRUST certification. Our vigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts are here to answer any question you might have through every step of the process by answering all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
Compliance examination reports are more than an attestation of your commitment to quality and security; they can drive revenue, build client trust and position your organization as a cybersecurity leader in your industry.
The Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, released FedRAMP Tailored on September 28, 2017. This new Baseline was designed and developed for Cloud Service Providers (CPS) with Low-Impact Software-as-a-Service (LI-SaaS) Systems, supporting emerging technology as low cost and low-risk industry solutions.
What is the Purpose of FedRAMP Tailored?
After collaboration with government digital service teams, the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), the Joint Authorization Board (JAB) and third-party vendors, FedRAMP recognized the need to increase the existing program’s flexibility for quicker authorization and implementation of low-risk solutions.
FedRAMP Tailored is a policy and set of requirements to create a more efficient process for LI-SaaS providers to achieve a FedRAMP Agency Authorization to Operate (ATO), by achieving these three objectives:
- Streamline the authorization process for low-risk solutions including collaboration tools, project management applications, and open-source coding tools
- Standardize officials’ approach for measuring risks affiliated with authorizing LI-SaaS cloud applications
- Leverage cloud solutions for government use while ensuring security and privacy
Which Organizations Qualify?
To determine if an organization can be considered for FedRAMP Tailored, the CSP must first qualify as an LI-SaaS provider.
As defined by Federal Information Processing Standards Publication (FIPS PUB) 199 – Standards for Security Categorization of Federal Information and Information Systems, the CSP must categorize as low impact. Agencies and CSPs can identify and verify the impact level based on the information type currently used within the cloud environment.
Low impact level cloud service systems are only permitted to have the minimum personally identifiable information (PII), which is needed for login capabilities. This PII includes username, email address, and password; any other information disqualifies the CSP as an LI-SaaS.
If a CSP offers login capabilities, FedRAMP recommends using an existing ATO-covered agency directory to ensure login-related PII is not contained in the LI-SaaS.
In addition, the LI-SaaS needs to either provide its own cloud infrastructure or host within a FedRAMP-authorized Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
What are the Baseline Controls and Associated Tailoring Criteria?
FedRAMP Tailored provides a minimum set of control requirements, however by law, the Agency Authorizing Officials have the final decision to require additional controls if deemed necessary to maintain compliance with policies and procedures.
FedRAMP currently utilizes the NIST Risk Management Framework (RMF) in determining security control baselines for organizations of all levels of impact. FedRAMP then uses NIST SP 800-37 to specify additional sets of security controls for LI-SaaS services based on the type of use and information placed within the system.
There are six categories of FedRAMP Tailored LI-SaaS Baseline controls based on the FedRAMP Low Impact Baseline that are required to be addressed by the CSP:
- FED – The control is typically the responsibility of the Federal Government, not the CSP.
- NSO – FedRAMP has determined the control does not impact the security of the Cloud SaaS.
- Document and Assess (Required) – The control must be documented in Appendix B (FedRAMP Tailored Mandatory Templates), and independently assessed. This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated. A vendor must address how they meet (or do not meet) the intent of the control so that it can be independently assessed and detail any risks associated with the implementation.
- Document and Assess (Conditional) – If the condition exists, the control must be documented in Appendix B and independently assessed as above. If the condition does not exist, the CSP must attest to this in Appendix E (FedRAMP Tailored Self-Attestation Requirements).
- Inherited – Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP authorized IaaS/PaaS) for Low Impact Cloud SaaS).
- Attest – The control must exist; however, the CSP may attest to its existence in Appendix E. (No documentation or independent assessment is required).
Within those six categories, there are 128 FedRAMP tailoring criteria for the FedRAMP Low Impact Baseline controls, which is also listed with details in Appendix A (FedRAMP Tailored Security Controls Baseline) as noted above. The tailoring process of baseline controls is only permitted within NIST SP 800-53 Revision 4.
When agencies are selecting the appropriate set of controls, it’s important to keep in mind that there are only two criteria for eliminating a security control from the baseline. The control is either exclusively federal, meaning it is the responsibility of the Federal Government, or the control does not directly impact the security of the LI-SaaS, which is determined by FedRAMP.
The release of FedRAMP Tailored is another step towards efficiently and effectively addressing the security of cloud environments and the increasing growing market. Through FedRAMP Tailored, government agencies can leverage emerging industry services and improve agility while maintaining security compliance.
As an accredited 3PAO, A-LIGN can help CSPs understand, navigate, and implement FedRAMP assessments based on their organization’s type and initiatives regardless of their readiness.
If you have any questions or if you would like to learn more about FedRAMP Tailored, please reach out to one of A-LIGN’s experienced assessors at firstname.lastname@example.org or 1-888-702-5446.
On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.
The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.
CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands, in addition to protecting against cyber threats. These requirements are streamlined and make it easier to understand, enabling smaller companies to provide regulatory assurance to regulators and third-parties.
This update is scheduled for availability in Q3 of 2017.
HITRUST CSF v8.1
HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSSv3.2 and MARS-E v2.
HITRUST CSF v9
The HITRSUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP Support for Cloud and IaaS Service Providers, and FFIEC IT Examination Handbook for Information Security.
The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.
HITRUST is ensuring relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CPR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.
HITRUST CSF v9 is scheduled to be available in July 2017.
CSF Assurance Program v9
The CSF Assurance Program v9 changes so that a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which includes auditable documentation in addition to a HIPAA risk assessment.
This program is scheduled for availability in Q3 2017.
Addressing Your HITRUST Needs
Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.