HITRUST June 2025 Quarterly Newsletter

Erika L. Del Giudice, Jared Hamilton
HITRUST | 6/23/2025

As we move through the second quarter of 2025, we highlight key updates in the HITRUST program and reflect on the most impactful developments from the beginning of the year. 

In this issue, we explore significant updates to the HITRUST framework, emerging trends in risk management and compliance, and insights gained from the first half of the year. Whether you’re navigating your initial certification or maintaining an existing one, we’re here to keep you informed and prepared for what’s ahead.

Assurance program updates

HITRUST CSF® version 11.5.0 released

On April 14, 2025, HITRUST officially released CSF version 11.5.0, now available in MyCSF. This latest update reflects HITRUST’s ongoing commitment to refining and expanding its framework to meet the evolving needs of global compliance and cyber risk management.

What’s new in v11.5.0 

  • Requirement consolidation: Further reduction of overlapping statements to streamline assessments and minimize redundancy
  • Expanded global coverage: Introduction of several new authoritative sources, including:
    • Abu Dhabi’s Healthcare Information and Cyber Security Standard
    • Singapore’s Cybersecurity Act and the Monetary Authority of Singapore’s notice on cyber hygiene
    • Australia’s strategies to mitigate cybersecurity incidents
    • The European Union’s directive on security of network and information systems
    • The Texas Identity Theft Enforcement and Protection Act
    • UK guidelines for secure AI system development
    • GovRAMP readiness (formerly StateRAMP)
  • Refreshed sources: Updated COBIT 2019 mapping
  • New compliance factors: Including New York Department of Health (NY DOH) System Security Plan v5 Overlay 

Important note for e1 and i1 assessments

With the release of v11.5.0, all new e1 and i1 assessments must now use this latest version. In-progress assessments on earlier versions may continue, but the final submission deadline for those is still to be announced by HITRUST. We anticipate clarity on that date soon and will provide updates as they become available. If you’re planning an e1 or i1 assessment, you’ll need to align your efforts with v11.5.0 immediately.

HITRUST: A proven defense against today’s top cyberthreats

Crowe has worked with several organizations navigating the complexity of cybersecurity frameworks, and we can say with confidence that the latest findings from HITRUST are not just impressive – they’re game-changing.

The Q4 2024 “HITRUST CSF Control Threat Analysis Cyber Threat Adaptive Quarterly Update” confirmed something we’ve long believed. HITRUST isn’t just about compliance; it’s about real security. Version 11.2+ of the HITRUST CSF now covers addressable MITRE ATT&CK® techniques, which validates that the HITRUST framework of controls directly correlates to how today’s adversaries operate.

What does that mean for you?

  • By pursuing HITRUST certification, your organization isn’t just checking boxes. You’re putting in place a defense strategy that can counter the most prevalent tactics used in real-world attacks. From credential access to lateral movement and data exfiltration, the controls are layered, current, and, most importantly, effective.
  • Even better, the HITRUST framework evolves quarterly through its Cyber Threat Adaptive program to help organizations stay ahead of attackers. That’s something no static checklist or one-size-fits-all assessment can provide. 

If you’re looking for reassurance that your organization is aligned with the threat landscape as it actually exists, not just how it was last year, HITRUST is the standard you can trust.

Crowe insights

New! GovRAMP Core: A streamlined path to public sector readiness

You might know it as StateRAMP, but moving forward, it’s GovRAMP. This rebrand reflects the program’s broader national focus and evolving role in securing public sector cloud solutions. And with that new name comes a powerful new offering called GovRAMP Core.

What is GovRAMP Core?

GovRAMP Core verifies the implementation of 60 priority NIST controls, selected for their real-world relevance via the MITRE ATT&CK framework and aligned to the moderate impact level. This status:

  • Is compatible with HITRUST certification starting with v11.5.0
  • Includes quarterly continuous monitoring
  • Grants formal visibility on the GovRAMP Authorized Product List

These factors make GovRAMP Core ideal for lower-risk or lower-value contracts or as a steppingstone toward full GovRAMP authorization.

How HITRUST fits in

If you’re already pursuing or maintaining HITRUST certification, there’s great news: You can achieve HITRUST certification and GovRAMP Core status in one unified effort. The updated HITRUST CSF (v11.5.0) includes GovRAMP Core mapping and enables organizations to assess their compliance with both frameworks simultaneously.

This dual benefit allows you to: 

  • Minimize assessment fatigue and duplicative efforts
  • Expand eligibility for public sector contracts
  • Strengthen your security posture with validated, adaptive controls 

GovRAMP Core offers a faster path to public sector trust. And with HITRUST, you can get there with one integrated assessment. 

Streamlining the TPRM process with HITRUST and the ServiceNow® platform

If you didn’t catch our recent webinar featuring Erika Del Giudice, HITRUST consulting leader at Crowe, and Jay Mayfield, managing director at Crowe who specializes in ServiceNow solutions, now’s your chance to watch the recording and gain actionable insights into how HITRUST can transform your third-party risk management (TPRM) strategy.

Erika and Jay joined HITRUST specialists to dive into the HITRUST Assessment XChange® app, now available in the ServiceNow store. This powerful tool is designed to simplify, automate, and strengthen your TPRM processes using HITRUST-certified insights.

During the session, attendees:

  • Explored the app’s features, including its user-friendly interface and integration with ServiceNow solutions
  • Watched a live demo showing how the app supports setup, reporting, and HITRUST-based TPRM workflows
  • Gained best practices for aligning the app with organizational risk strategies and improving assessment efficiency
  • Got answers to frequently asked questions and practical tips on maximizing the app’s functionality

Whether your goal is to reduce compliance complexity or enhance your organization’s TPRM processes, this webinar offered valuable takeaways. You can watch the webinar recording here.

HITRUST assessment services
Our collaborative, customizable HITRUST assessment services remove the guesswork from the process.

Contact our authorized assessors 

As part of an Authorized HITRUST External Assessor firm with current HITRUST Authorized External Assessor Council members, the Crowe team is here to keep you apprised of the most current changes. We also regularly provide insights and participate in discussions concerning the growth and evolution of HITRUST.

Crowe has relationships with firms that can help with remediation of gaps and implementation of necessary controls identified during the readiness assessment and prior to the validated assessment. If you’re finding remediation time-consuming, we are happy to make an introduction.

Erika L. Del Giudice
Principal, HITRUST Consulting Leader
Jared Hamilton
Managing Director, Cyber Consulting