
HITRUST CSF v11.7.0 Release Notes

Source: HITRUST News & Advisories (hitrustalliance.net)
Published December 18th, 2025
Detected March 13th, 2026

Summary

HITRUST has released version 11.7.0 of its Common Security Framework (CSF), effective December 18, 2025. This update includes new authoritative sources, consolidation of requirement statements, and modifications to the e1 and i1 assessment baselines.

What changed

Version 11.7.0 introduces several new authoritative sources, including mappings for the BSI Cloud Computing Compliance Controls Catalogue (C5), APRA CPS 230, FedRAMP 20x Key Security Indicators, India DPDPA, the UK Cyber Assessment Framework, and the UK Data Security and Protection Toolkit. It also includes minor updates to the NIST SP 800-53 r5 mappings and adds NIST IR 8374 as a selectable compliance factor. Significant changes have been made to the e1 and i1 assessment baselines, with the e1 baseline now comprising 43 requirement statements.

Organizations using the HITRUST CSF should review the updated framework and understand the implications of the changes to the e1 and i1 baselines. While no specific compliance deadline is mentioned beyond the effective date, entities should ensure their assessments and controls align with the new version. The changes aim to optimize assessments and reduce requirement statement overlap. Further details on the baseline changes can be found in the v11.7 Baseline Change FAQ.

What to do next

  1. Review HITRUST CSF v11.7.0 for new authoritative sources and baseline changes.
  2. Assess impact of e1 and i1 baseline modifications on current security controls and assessments.
  3. Consult the v11.7 Baseline Change FAQ for detailed explanations.

Source document (simplified)


HAA 2025-005 HITRUST CSF Version 11.7.0 Release

Impacted Policy/Program Name: HITRUST Assurance Program

Advisory Type: Assurance Change

Category: HITRUST Framework (CSF)

Date: December 18, 2025

Overview

The HITRUST CSF v11.7.0 framework (v11.7.0) is available within MyCSF and downloadable here as of December 18, 2025.

The changes included in v11.7.0 consist of:

  • Continued requirement statement consolidation to reduce the volume of requirement statement overlap within the CSF
  • Several new and refreshed Authoritative Sources
  • Changes to the e1 and i1 assessment baselines

New and Refreshed Authoritative Sources

v11.7.0 includes the following new Authoritative Sources:

  • BSI Cloud Computing Compliance Controls Catalogue (C5) mapping and selectable Compliance factor, “BSI Cloud Computing Compliance Controls Catalogue (C5)”
  • APRA Cross-Industry Prudential Standards 230 mapping and selectable Compliance factor, “APRA CPS 230”
  • FedRAMP 20x Key Security Indicators mapping and selectable Compliance factor, “FedRAMP 20x KSI”
  • India Digital Personal Data Protection Act mapping and selectable Compliance factor, “India DPDPA”
  • UK Cyber Assessment Framework mapping and selectable Compliance factor, “UK Cyber Assessment Framework”
  • UK Data Security and Protection Toolkit mapping and selectable Compliance factor, “UK Data Security and Protection Toolkit”

Minor updates to existing Authoritative Source mappings:

  • NIST SP 800-53 r5 mappings updated based on SP 800-53 Release 5.2.0 control revisions

Other changes:

  • Added selectable Compliance factor, “NIST IR 8374: Ransomware Risk Management”

e1 and i1 Assessment Baseline Impacts

With the release of v11.7, HITRUST is making changes to the e1 and i1 baselines. These adjustments are the result of multiple analyses focused on optimizing the e1 and i1 assessments. More information on why these changes are being made can be found in our v11.7 Baseline Change FAQ.

As a result of these changes, the size of the e1 baseline for v11.7 is 43 requirement statements. The size of the i1 baseline remains 182 requirement statements. In v11.7, it is still true that all requirement statements in the e1 baseline are included in the i1 baseline and all requirement statements in the i1 baseline are included in the r2 baseline.

Modifications in the current e1/i1 baseline:

19180.09z1Organizational.2 [1103.0]:

Current [1103.0]: “The organization designates individuals authorized to post information onto a publicly accessible information system and trains these individuals to ensure that publicly accessible information does not contain nonpublic information.”

Updated [1103.1]: “The organization trains individuals to ensure that publicly posted information does not contain nonpublic information. If the organization permits the posting of information onto a publicly accessible information system, it designates individuals authorized to post the information.”

16.09l1Organizational.4 [2326.0]:

Current [2326.0]: “The organization maintains offline and/or immutable backups of data.”

Updated [2326.0]: “The organization maintains offline and/or immutable backups of data for an organization-defined period of time.”

Removal from the e1 baseline:

1223.09ac1System.1 [1203.1]: “Access to audit trails / logs is safeguarded from unauthorized access and use.”

Replacement in the current e1 and i1 baselines:

CVID 0501.0 is being replaced with CVID 3207.0 in the HITRUST CSF.

1403.05i1Organizational.67 [0501.0]: “Access granted to external parties is limited to the minimum necessary, limited in duration, and is revoked when no longer needed.”

14.05i1Organizational.3 [3207.0]: “The organization ensures all third-party organizations with access to the organization’s information or information systems meet contracted levels of information security. The organization reviews assessments or independent verifications of third-party organization compliance with contract provisions (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) at least annually.”

Additional Resources

Upon the release of CSF v11.7.0, HITRUST is announcing the deadline for creating and submitting e1 and i1 assessments using CSF v11.6.0 and earlier. See HAA 2025-006 - CSF v11.0 - v11.6 Creation Deadline for e1 and i1 Assessments for the detailed timeline.

For more information, see the HITRUST CSF v11.7.0 Summary of Changes. For additional questions, please contact our Support team or a HITRUST Customer Success Manager (CSM).


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Published: December 18th, 2025
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Healthcare providers, Financial advisers
Geographic scope: International

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: Cybersecurity Framework Compliance Controls
