The Health Information Trust Alliance (HITRUST Alliance) announced the launch of the new National Institute of Standards and Technology (NIST) cybersecurity certification on May 22, 2018. The formal launch followed the recent acknowledgement in a 2018 Government Accountability Office (GAO) report recognizing the comprehensive nature of HITRUST CSF®, a framework that already allowed organizations to demonstrate compliance with NIST.

For the first time, compliance with the NIST framework will be certifiable through the third-party HITRUST CSF Assurance Program with additional considerations and application of an assessment scorecard for the NIST framework. “Until now, there has been no certificate for a private sector organization to assert compliance with NIST,” said Wayne Will, executive director, advisory services division, for Digital Forge. Will performs HITRUST assessments and validations for the cybersecurity and risk management company and has been a compliance expert for over 20 years. “NIST is a comprehensive collection of controls to assure cybersecurity, and now organizations have a way to declare their compliance to it.”

By unifying certification efforts through HITRUST, which now fully encompasses the NIST Cybersecurity Framework through a subcategory format, organizations gain a method to report against the standards and guidelines within it and to manage cybersecurity risk effectively.

HITRUST remains the most widely adopted framework for its efforts to remain meticulous and forward-looking, creating an exhaustively comprehensive approach to privacy and data security. Certification to NIST standards through current HITRUST assessors will allow just one assessment to validate vital privacy and security controls that pertain to many industries. With the increased need for HITRUST CSF assessment and validation, aligning a program to include the NIST guidelines further enhances the comprehensive nature of a third-party assessment and increases security within organizations.

NIST Certification: A Two-Part Process

The certification program consists of two parts. The first uses a scorecard, developed by HITRUST, to establish how well an organization’s current security program aligns with the NIST CSF core subcategories. The second is the assurance certification by HITRUST, which demonstrates that the NIST CSF requirements and controls are successfully being met.

The release by HITRUST provides some detail on a HITRUST CSF scorecard of the NIST framework:

  • Compliance ratings for each NIST Framework Core Subcategory,
  • Guidance for approximating NIST Framework Implementation Tiers based on the compliance ratings, and
  • Consistent reporting across all critical infrastructure industries.


The HITRUST CSF framework is updated each year, with each new release taking industry changes into account and reflecting the rapid changes that occur in security. For example, the interim release of V9.1, in January 2018, incorporates the new standards for the GDPR that went into effect May 25, 2018, as well as updated guidelines addressing New York State Cybersecurity Regulations.

The inclusion of a formal certification for NIST standards will significantly add to the credibility of HITRUST CSF certification, which allows an organization to leverage a scaled single process to achieve a more comprehensive and secure posture and to proactively safeguard against cyber threats.