In this issue, we explore significant updates to the HITRUST framework, emerging trends in risk management and compliance, and insights gained from the first half of the year. Whether you’re navigating your initial certification or maintaining an existing one, we’re here to keep you informed and prepared for what’s ahead.
On April 14, 2025, HITRUST officially released CSF version 11.5.0, now available in MyCSF. This latest update reflects HITRUST’s ongoing commitment to refining and expanding its framework to meet the evolving needs of global compliance and cyber risk management.
With the release of v11.5.0, all new e1 and i1 assessments must now use this latest version. In-progress assessments on earlier versions may continue, but the final submission deadline for those is still to be announced by HITRUST. We anticipate clarity on that date soon and will provide updates as they become available. If you’re planning an e1 or i1 assessment, you’ll need to align your efforts with v11.5.0 immediately.
Crowe has worked with several organizations navigating the complexity of cybersecurity frameworks, and we can say with confidence that the latest findings from HITRUST are not just impressive – they’re game-changing.
The Q4 2024 “HITRUST CSF Control Threat Analysis Cyber Threat Adaptive Quarterly Update” confirmed something we’ve long believed. HITRUST isn’t just about compliance; it’s about real security. Version 11.2+ of the HITRUST CSF now covers addressable MITRE ATT&CK® techniques, which validates that the HITRUST framework of controls directly correlates to how today’s adversaries operate.
What does that mean for you?
If you’re looking for reassurance that your organization is aligned with the threat landscape as it actually exists, not just how it was last year, HITRUST is the standard you can trust.
You might know it as StateRAMP, but moving forward, it’s GovRAMP. This rebrand reflects the program’s broader national focus and evolving role in securing public sector cloud solutions. And with that new name comes a powerful new offering called GovRAMP Core.
GovRAMP Core verifies the implementation of 60 priority NIST controls, selected for their real-world relevance via the MITRE ATT&CK framework and aligned to the moderate impact level. This status:
These factors make GovRAMP Core ideal for lower-risk or lower-value contracts or as a steppingstone toward full GovRAMP authorization.
If you’re already pursuing or maintaining HITRUST certification, there’s great news: You can achieve HITRUST certification and GovRAMP Core status in one unified effort. The updated HITRUST CSF (v11.5.0) includes GovRAMP Core mapping and enables organizations to assess their compliance with both frameworks simultaneously.
This dual benefit allows you to:
GovRAMP Core offers a faster path to public sector trust. And with HITRUST, you can get there with one integrated assessment.
If you didn’t catch our recent webinar featuring Erika Del Giudice, HITRUST consulting leader at Crowe, and Jay Mayfield, managing director at Crowe who specializes in ServiceNow solutions, now’s your chance to watch the recording and gain actionable insights into how HITRUST can transform your third-party risk management (TPRM) strategy.
Erika and Jay joined HITRUST specialists to dive into the HITRUST Assessment XChange® app, now available in the ServiceNow store. This powerful tool is designed to simplify, automate, and strengthen your TPRM processes using HITRUST-certified insights.
During the session, attendees:
Whether your goal is to reduce compliance complexity or enhance your organization’s TPRM processes, this webinar offered valuable takeaways. You can watch the webinar recording here.
As part of an Authorized HITRUST External Assessor firm with current HITRUST Authorized External Assessor Council members, the Crowe team is here to keep you apprised of the most current changes. We also regularly provide insights and participate in discussions concerning the growth and evolution of HITRUST.
Crowe has relationships with firms that can help with remediation of gaps and implementation of necessary controls identified during the readiness assessment and prior to the validated assessment. If you’re finding remediation time-consuming, we are happy to make an introduction.