HITRUST has released CSF version 11.8.0, continuing its ongoing refinement of the HITRUST framework and assurance program. While this is not a disruptive version change on the scale of a major framework overhaul, it is still important for organizations pursuing HITRUST certification, maintaining an existing HITRUST program, or using HITRUST as the backbone for broader compliance mapping.
HITRUST announced that CSF v11.8.0 is available in MyCSF and can be downloaded as of May 8, 2026. The release includes two primary categories of change:
- Continued consolidation of requirement statements to reduce overlap within the CSF.
- The addition or refresh of several authoritative source mappings.
What Changed in HITRUST CSF v11.8.0
The v11.8.0 release reflects HITRUST’s continued effort to make the CSF more efficient, better mapped to emerging compliance obligations, and easier to apply across different regulatory and risk environments. The most notable additions include new authoritative source mappings and selectable compliance factors for:
Commonwealth of Virginia SEC530
HITRUST added mapping for the Commonwealth of Virginia Information Technology Resource Management Standard SEC530, including a selectable compliance factor for organizations that need to align with Virginia-specific technology and security requirements.
NIST SP 800-137
HITRUST added mapping for NIST Special Publication 800-137, which focuses on information security continuous monitoring. This is especially relevant for organizations trying to demonstrate that security is not simply assessed at a point in time but actively monitored and managed over time.
ISO/IEC 29100:2024
HITRUST added mapping for the updated ISO/IEC 29100 privacy framework, which supports organizations seeking to better align privacy principles, governance, and control expectations within their security and compliance programs.
OWASP Top 10 for LLM Applications 2025
One of the most forward-looking updates is the addition of the OWASP Top 10 for Large Language Model Applications 2025. This provides organizations with a clearer path to align HITRUST control expectations with emerging AI and LLM application risks, including prompt injection, insecure output handling, model misuse, data exposure, and related governance concerns.
HITRUST also refreshed mappings for the Texas Medical Records Privacy Act, PCI DSS v4.0.1, and the AICPA SOC 2 Trust Services Criteria.
Impact on e1 and i1 Assessments
The most immediate operational impact is for organizations pursuing HITRUST e1 or i1 assessments. HITRUST has confirmed that, effective May 7, 2026, all new e1 and i1 assessment objects, including rapid assessments, must be created using CSF v11.8.0. The ability to create new e1 and i1 assessments using CSF v11.7.0 has been disabled.
For organizations that have already created e1 or i1 assessment objects under v11.7.0, HITRUST has stated that those existing assessments can continue to be submitted after May 7, 2026. HITRUST also noted that it will announce the submission deadline for v11.7.0 e1 and i1 assessments at least 90 days in advance.
This distinction matters. Organizations should not assume that all active assessment work must immediately convert to v11.8.0. The impact depends on whether the assessment object already exists in MyCSF, the assessment type, and the organization’s submission timeline.
Baseline Requirement Statement Updates
HITRUST identified minor changes to two requirement statements in the e1 and i1 baselines. The first change relates to media protection during transport. The updated language narrows the cryptography expectations to digital media while still maintaining accountability, documentation, and authorized personnel requirements for both digital and non-digital media containing sensitive information.
The second change relates to third-party assurance and contractual commitments. The updated language clarifies that organizations may review independent assessments or independent verifications to determine compliance with contractual security provisions, including certifications, attestations, audit reports, or verifications.
These changes appear targeted and clarifying rather than transformational. However, clients should still review existing control narratives, evidence expectations, vendor management procedures, and assessment workpapers to confirm alignment with the revised language.
Client Impacts for Existing HITRUST Customers
For organizations already engaged in a HITRUST assessment, the impact of v11.8.0 will vary based on assessment type, object creation date, and where the organization is in its readiness or validated assessment lifecycle.
1. Existing v11.7.0 e1 and i1 assessment objects may continue, but timelines matter – If an e1 or i1 assessment object was already created in MyCSF under v11.7.0, HITRUST indicates that the organization can continue toward submission. However, because a future submission deadline will be announced with at least 90 days’ notice, organizations should avoid unnecessary delay. For clients already in fieldwork, evidence collection, remediation, or assessor validation, the key action is to confirm that the current assessment object remains valid and that the planned submission date is realistic.
2. New e1 and i1 assessments must start on v11.8.0 – Organizations planning to launch a new e1, i1, or rapid assessment now need to use CSF v11.8.0. That means readiness work, scoping, control narratives, testing plans, and evidence request lists should be reviewed against the new baseline before execution begins. This is particularly important for organizations that completed readiness work under v11.7.0 but had not yet created the official validated assessment object in MyCSF.
3. Requirement statement consolidation may affect control interpretation – HITRUST continues to consolidate requirement statements to reduce overlap in the CSF. While this can improve efficiency over time, it may also require organizations to revisit how they map policies, procedures, evidence, and control ownership. In practical terms, clients should review whether prior evidence still fully supports the revised requirement language. Even minor language changes can affect how assessors evaluate sufficiency, especially where evidence is expected to show operational execution within the fieldwork period.
4. Third-party risk management evidence should be reviewed – The revised third-party requirement language is especially relevant for organizations that rely on vendors, cloud service providers, managed service providers, outsourced development, data processors, or other service providers supporting in-scope systems. Organizations should review whether their vendor management program can demonstrate annual review of independent assessments or verifications and whether those reviews are tied back to contractual information security commitments.
5. AI and LLM governance are becoming harder to ignore – The addition of OWASP Top 10 for LLM Applications 2025 mapping is an important signal. Even organizations not pursuing a dedicated AI assurance assessment should recognize that AI and LLM-related risks are becoming part of mainstream security and compliance conversations. Organizations using generative AI, AI-enabled SaaS platforms, internal copilots, chatbots, automated decision tools, or LLM-enabled customer-facing applications should begin evaluating whether their governance, risk management, privacy, secure development, and vendor oversight programs adequately address these risks.
6. Broader compliance mapping opportunities may improve – For organizations using HITRUST as a harmonized framework across multiple obligations, the new and refreshed authoritative source mappings may create opportunities to better align HITRUST work with other compliance drivers, including privacy, PCI, SOC 2, continuous monitoring, state-specific requirements, and AI security. This can strengthen the business case for HITRUST beyond certification alone. A well-designed HITRUST program can support customer assurance, regulatory alignment, vendor risk management, executive reporting, and internal security maturity measurement.
What Organizations Should Do Now
Organizations should take a structured approach to the v11.8.0 transition:
- Step 1 – Confirm the current assessment version and object status in MyCSF. This determines whether the organization can continue under v11.7.0 or must proceed under v11.8.0.
- Step 2 – Review assessment timelines. Clients with existing v11.7.0 e1 or i1 assessments should confirm whether submission remains achievable before HITRUST announces any future deadline.
- Step 3 – Perform a targeted delta review. This should include the updated e1/i1 requirement language, newly added authoritative source mappings, refreshed mappings, and any downstream impacts to policies, procedures, control narratives, evidence requests, and testing plans.
- Step 4 – Reassess third-party risk management evidence. Organizations should ensure that vendor reviews, independent assessments, attestations, certifications, audit reports, and contractual security reviews are current, documented, and mapped to assessment expectations.
- Step 5 – Evaluate AI and LLM exposure. Organizations should identify whether AI-enabled systems, LLM applications, or third-party AI tools are in use and whether those technologies introduce new control, privacy, data protection, or secure development considerations.
How Accorian Assists
Accorian assists organizations at every stage of the HITRUST CSF v11.8.0 transition, from initial impact analysis through readiness, remediation, validated assessment support, and ongoing compliance program maturity.
- Version impact assessment – Accorian can help organizations determine whether their current assessment is affected by the v11.8.0 release, whether they can continue under an existing v11.7.0 object, and what changes are needed for new assessment objects.
- Readiness and gap analysis – For organizations preparing for e1, i1, or r2 assessments, Accorian can perform a targeted readiness review against the applicable HITRUST version, identify control gaps, and develop a prioritized remediation roadmap.
- Control and evidence mapping – Accorian can help update control narratives, evidence request lists, sampling strategies, and workpaper expectations to align with the v11.8.0 requirement language and authoritative source mappings.
- Third-party risk management alignment – Accorian can assess whether vendor management processes, contractual security reviews, and independent assurance reviews are sufficient to support HITRUST expectations, including the updated third-party requirement language.
- AI and LLM risk readiness – With the addition of OWASP Top 10 for LLM Applications 2025 mapping, Accorian can help organizations assess AI and LLM-related risk exposure, establish governance expectations, and map AI-related controls into broader security and compliance programs.
- Integrated compliance strategy – Accorian can help organizations use HITRUST as a harmonized compliance foundation across security, privacy, SOC 2, PCI, NIST, state-specific requirements, third-party risk, and customer assurance needs.
- Validated assessment support – As a HITRUST Authorized External Assessor, Accorian can support organizations through readiness, remediation, assessment planning, evidence validation, quality review, and submission preparation.
Final Thoughts
The HITRUST CSF v11.8.0 release is best viewed as an incremental but meaningful update. It does not appear to create broad disruption for most organizations, but it does introduce important changes that should not be ignored, especially for organizations preparing new e1 or i1 assessments, managing active v11.7.0 assessment timelines, relying heavily on third parties, or beginning to address AI and LLM-related risk.
For existing HITRUST clients, the immediate priority is version confirmation and timeline validation. For new clients, the priority is building readiness activities directly around v11.8.0. For organizations using HITRUST as part of a broader compliance strategy, the new mappings create an opportunity to strengthen alignment across privacy, continuous monitoring, AI security, PCI, SOC 2, and state-specific requirements.
Accorian can help organizations interpret the release, assess the impact, update implementation plans, and move forward with a HITRUST strategy that is practical, defensible, and aligned to both certification goals and broader business risk objectives.