HITRUST® October 2025 Quarterly Newsletter 

Erika L. Del Giudice, Jared Hamilton
HITRUST
10/20/2025

As we move through the fourth quarter of 2025, we highlight key updates in the HITRUST program and reflect on the most impactful developments so far this year. 

The second half of 2025 is shaping up to be a turning point for risk, compliance, and the responsible use of AI. Organizations are increasingly turning to HITRUST’s offerings to build trust, strengthen resilience, and unlock long-term value in an AI-driven landscape.

In this quarter’s HITRUST newsletter, we cover HITRUST’s latest framework release and new user resources, and we break down what’s changed and why it’s important. We also explore how AI is reshaping compliance strategies.

Assurance program updates

HITRUST Common Security Framework® (CSF) version 11.6.0 released 

On Aug. 22, 2025, HITRUST officially released CSF v11.6.0, which is now available within MyCSF. This update highlights HITRUST’s commitment to advancing its framework to address today’s global compliance pressures and tomorrow’s cyber risk challenges.

What’s new in v11.6.0

  • Requirement consolidation: Overlapping requirement statements have been streamlined to make assessments less redundant. Importantly, the baseline requirement statements remain unchanged, and no new control requirements have been introduced. 
  • Authoritative source updates, including:
    • New: Centers for Medicare & Medicaid Services Acceptable Risk Controls for the Affordable Care Act, Medicaid, and Partner Entities
    • Removed: Minimum Acceptable Risk Standards for Exchanges v2.2 
    • Refreshed: Cybersecurity Maturity Model Certification Level 1 
  • New compliance factor: Introduction of GovRAMP Core to address evolving federal compliance needs. 

Important note for e1 and i1 assessments 

With the release of v11.6.0, all newly created e1 and i1 assessment objects must be completed on this latest version. Assessments already in progress on earlier versions can continue for the time being. However, HITRUST has not yet announced the final submission deadline. If you are in the early planning stages of an e1 or i1 assessment, ensure your efforts are aligned with v11.6.0 going forward. 

HITRUST user resource enhancements 

HITRUST has rolled out a series of enhancements to its user help tools, designed to make the assessment and certification process clearer and more efficient for organizations undergoing a HITRUST assessment. These resources are built to reduce uncertainty and provide support at every stage of compliance.

The enhanced help toolkit includes:

  • User guide: A road map for navigating the MyCSF tool’s key features and how to use them effectively  
  • Calculators: Interactive dashboards designed to help users better anticipate and plan for the demands of an assessment during key phases, including the:
    • Assessment Tailoring Calculator, which scopes environments through a series of factor questions and returns a final count of applicable requirements that will be included in future assessments
    • Inheritance Calculator, which provides the ability to model inheritance weights and maturity scores for each service provider to see potential outcomes, without submitting live requests in MyCSF 
    • Requirement Scoring Calculator, which lets users explore scoring scenarios in real time by adjusting compliance with maturity levels, and which outputs raw scores, PRISMA grades (for example, 2+, 1-), and HITRUST CSF compliance status
    • Sampling Calculator for various sampling scenarios and frequencies, which can be used to generate sample selections for CSF requirements
    • ROI Calculator, which lets users enter personalized details and generate an estimate of the return on investment (ROI) their organization could achieve with HITRUST certification
  • Form templates: A single hub where users can quickly download the most up-to-date versions of key documents, including the Management Representation Letter, Validated Report Agreement, and External Assessor QA Checklist 
  • Example reports: Illustrative reporting examples that enable organizations to evaluate assessment options and clearly understand expected deliverables, including certification reports, insights reports, and formal letters 
  • References: Links to HITRUST-developed resources, including Assessment and Risk Management Handbooks, AI Security Certification Specification, Factor Descriptions, the MyCSF User Guide, and a comprehensive Glossary of Terms and Acronyms 
  • Customer feedback integration: A central mechanism for submitting user feedback to strengthen HITRUST’s adaptability and alignment with the organization’s needs 

Crowe insights

Securing the future of AI: How HITRUST delivers trust and assurance 

AI is transforming every industry, but with rapid adoption comes new risks. HITRUST AI solutions empower organizations to showcase strong security practices to investors, boards, and customers, while staying ahead of evolving regulatory expectations. Further, these solutions enable a proactive risk posture, helping teams move beyond reactive security measures.

HITRUST AI solutions include:

  • AI Security Assessment and Certification
    • 44 controls harmonized with more than 20 authoritative sources 
    • Certification specifically focused on the security of AI systems 
    • Can be added to an e1, i1, or r2 assessment 
    • Designed for AI developers and deployers who require a formal certification to share with customers, regulators, and partners; also ideal for organizations aiming to align their AI security controls with recognized frameworks, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), the International Organization for Standardization (ISO) and International Electrotechnical Commission, and the Open Worldwide Application Security Project, while consolidating compliance efforts and reducing audit fatigue  
  • AI Risk Management Assessment 
    • 51 controls aligned with ISO 23894:2023 and NIST AI RMF v1.0 
    • Evaluates governance and oversight of AI risk management practices 
    • Stand-alone assessment or can be added to an e1, i1, or r2 assessment 
    • Best suited for AI users and producers who want a prescriptive mechanism to evaluate risks, organizations seeking a targeted approach to identify gaps, or teams looking to establish or refine an AI risk management program without pursuing formal certification just yet  

With flexible options designed specifically for AI, HITRUST offers these new AI assurance layers that combine actionable detail with independent validation, giving organizations the confidence to innovate and scale AI responsibly.

As you accelerate your AI journey, it’s worth asking: Is your team ready to scale AI securely and responsibly? And do you have a strategy for evaluating risk and proving trust in your systems? HITRUST AI solutions are available to help organizations maintain direction in an evolving landscape. 


Contact our authorized assessors

As part of an Authorized HITRUST External Assessor firm with current HITRUST Authorized External Assessor Council members, the Crowe team is here to keep you apprised of the most current changes. We also regularly provide insights and participate in discussions concerning the growth and evolution of HITRUST.

We look forward to hearing your questions and comments.

Erika L. Del Giudice
Principal, HITRUST Consulting Leader
Jared Hamilton
Managing Director, Cyber Consulting