diff --git a/content/what-is/what-is-hitrust.md b/content/what-is/what-is-hitrust.md
index 424155023914..befa04f3c35d 100644
--- a/content/what-is/what-is-hitrust.md
+++ b/content/what-is/what-is-hitrust.md
@@ -1,110 +1,195 @@
 ---
 title: What is HITRUST?
-meta_desc: |
-    Understand what HITRUST is, its Common Security Framework (CSF), benefits for healthcare organizations, and how it helps with regulatory compliance.
+meta_desc: "HITRUST CSF is a certifiable security framework that harmonizes HIPAA, NIST, ISO 27001, and more into one assessment. Learn the levels, scope, and process."
 meta_image: /images/what-is/what-is-hitrust-meta.png
 type: what-is
 page_title: "What is HITRUST?"
 authors: ["asaf-ashirov"]
 ---
 
-HITRUST, or the Health Information Trust Alliance, is a private company that provides a certification and framework called the [HITRUST CSF (Common Security Framework)](https://hitrustalliance.net/hitrust-framework) to help organizations manage data, information risk, and compliance, particularly in the healthcare sector. HITRUST aims to provide a standardized approach for managing risk and demonstrating compliance with various regulations, including HIPAA and the HITECH Act.
+**HITRUST is an independent organization that maintains the HITRUST CSF, a certifiable security and privacy framework that consolidates the requirements from dozens of regulations and standards (HIPAA, NIST, ISO 27001, PCI DSS, GDPR, state laws) into a single set of prescriptive controls.** An organization completes one HITRUST assessment against the CSF and uses the resulting report to demonstrate compliance with all the underlying frameworks at once, rather than running separate audits for each.
 
-Before HITRUST, healthcare organizations often struggled with multiple overlapping [compliance frameworks and requirements](/compliance). Each regulatory body and business partner might require different security assessments, creating inefficiencies and redundancies. HITRUST was established to provide a unified, comprehensive framework that incorporates and harmonizes requirements from multiple regulations and standards.
+HITRUST started in 2007 inside the healthcare industry as a way to bring order to the overlapping audit demands placed on covered entities and their vendors. It has since expanded well beyond healthcare and is widely used in financial services, public sector, and SaaS. HITRUST itself does not perform the audits; assessments are run by independent External Assessors (CPA firms, consultancies) and reviewed and certified by HITRUST.
 
-In this article, we'll explore four key aspects of HITRUST:
+In this article, we'll cover the key questions about HITRUST:
 
-* [What is HITRUST and why is it important?](#what-is-hitrust-and-why-is-it-important)
-* [The HITRUST CSF and its key components](#the-hitrust-csf-and-its-key-components)
-* [Benefits of HITRUST certification](#benefits-of-hitrust-certification)
-* [Challenges in achieving HITRUST compliance](#challenges-in-achieving-hitrust-compliance)
+* Why does HITRUST matter?
+* What is the HITRUST CSF?
+* What does the HITRUST CSF harmonize?
+* What are the HITRUST assessment types?
+* How are HITRUST controls scored?
+* How is HITRUST different from HIPAA, SOC 2, and ISO 27001?
+* What does HITRUST certification involve?
+* How does infrastructure as code support HITRUST controls?
+* Frequently asked questions about HITRUST
 
-## What is HITRUST and why is it important?
+## Why does HITRUST matter?
 
-HITRUST is a private organization founded in 2007 with a mission to champion programs that safeguard sensitive information and manage information risk for global organizations across all industries. Its most notable contribution is the HITRUST CSF, a certifiable framework that helps organizations demonstrate compliance with various regulations.
+For a healthcare or healthtech vendor, HITRUST is often the most direct path to selling into US health plans, hospital systems, and large pharmacy benefit managers. Customer security teams ask for it by name in vendor questionnaires, and the certification short-circuits a lot of bespoke security review. Three forces drive its adoption:
 
-The importance of HITRUST stems from the increasing regulatory pressure on healthcare organizations and their business associates to protect sensitive patient information. With the digitization of health records and the growing number of data breaches, organizations need a structured approach to:
+* **One audit, many frameworks.** Instead of separate audits for HIPAA, NIST 800-53, and ISO 27001, a single HITRUST r2 assessment maps to all of them. For vendors selling into regulated buyers, that's a sizable reduction in audit toil.
+* **Demonstrably lower breach rate.** HITRUST publishes that fewer than 1% of HITRUST-certified environments report a security breach in a given year, compared with much higher double-digit rates across the broader industry. Whether that's selection bias or the controls themselves, the number is what buyers cite.
+* **Predictable contractual gate.** Large healthcare buyers increasingly require HITRUST CSF certification (or evidence of an active assessment) as a precondition of executing a business associate agreement. Without it, deals stall.
 
-* Ensure compliance with HIPAA and other regulatory requirements
-* Protect sensitive patient data from security threats
-* Demonstrate their security posture to business partners and regulators
-* Manage the complex landscape of information security requirements
+## What is the HITRUST CSF?
 
-HITRUST has become particularly important in healthcare because it incorporates requirements from HIPAA and the HITECH Act, making it easier for covered entities and business associates to demonstrate compliance with these regulations.
+The HITRUST CSF (Common Security Framework) is a prescriptive, certifiable set of security and privacy controls. Unlike HIPAA, which describes outcomes without specifying technical controls, the CSF spells out concrete requirement statements that an organization either implements or doesn't.
 
-## The HITRUST CSF and its key components
+The framework is structured around:
 
-The HITRUST CSF is a comprehensive, certifiable framework that incorporates nationally and internationally accepted standards including:
+* **14 control categories** that cover the breadth of an information security program (access control, vulnerability management, business continuity, etc.).
+* **49 control objectives** that describe what each category is trying to achieve.
+* **156 control references** that name specific controls.
+* **More than 1,900 requirement statements** distributed across **19 assessment domains**, which is where the actual audit testing happens.
 
-* ISO 27001/27002
-* NIST SP 800-53
-* PCI DSS
-* HIPAA
-* HITECH Act
-* Various state regulations and industry best practices
+The CSF is **risk-based and scalable**. The requirements that apply to your organization depend on factors like industry, organization size, geographic footprint, data sensitivity, and the systems in scope. A small health-tech SaaS gets a different requirement set than a national hospital network. The framework also has a *threat-adaptive* layer that updates control requirements based on observed threat intelligence and breach data.
 
-The framework is organized into 14 control categories with over 150 control specifications that can be tailored based on an organization's specific risk factors including:
+## What does the HITRUST CSF harmonize?
 
-* Organization type
-* Size of the organization
-* Geographic location
-* Data sensitivity
-* Systems and regulatory requirements
+The point of the CSF is to roll many compliance regimes into one. The latest CSF versions cross-reference 60+ major authoritative sources (HITRUST's marketing site totals "over 70" when you count sub-standards), including:
 
-The HITRUST CSF employs a maturity model approach, evaluating controls across five maturity levels:
+* **Healthcare:** HIPAA, HITECH, 42 CFR Part 2
+* **US federal:** NIST SP 800-53, NIST SP 800-171, FedRAMP, CMMC
+* **International:** ISO/IEC 27001, ISO/IEC 27002, ISO 27799, GDPR
+* **Payment:** PCI DSS
+* **Cloud:** Cloud Security Alliance CCM, FedRAMP cloud controls
+* **State laws:** New York DFS Cybersecurity Regulation, Texas Health & Safety Code, MA 201 CMR 17.00, and others
 
-1. **Policy** - Documented policies that address the control requirements
-2. **Procedures** - Documented procedures to implement the policies
-3. **Implementation** - Controls actually implemented in systems and processes
-4. **Measurement** - Testing and measuring the effectiveness of controls
-5. **Management** - Oversight and continuous improvement of controls
+A HITRUST report can be issued with a specific cross-reference set, so a vendor can hand the same report to an auditor who needs HIPAA evidence and another who needs NIST 800-53 evidence.
 
-This approach allows organizations to not just implement controls but to demonstrate that they are functioning effectively and continuously improving over time.
+## What are the HITRUST assessment types?
 
-## Benefits of HITRUST certification
+HITRUST publishes three assessment levels. They differ in scope, rigor, validity period, and the assurance they provide to a relying customer.
 
-Organizations that achieve HITRUST certification realize several key benefits:
+| Assessment | Scope | Validity | Best for |
+|---|---|---|---|
+| **e1 (Essentials)** | ~44 foundational requirements covering basic cyber hygiene. | 1 year | Early-stage vendors and small organizations establishing a baseline. |
+| **i1 (Implemented)** | ~182 controls covering leading security practices, threat-adapted. | 1 year (rapid recertification in year 2) | Mid-market vendors that need to demonstrate solid practices to enterprise buyers. |
+| **r2 (Risk-Based, 2-Year)** | Customized scope drawn from the full CSF (often 350+ requirements), tailored by risk factors. | 2 years (with an interim assessment at year 1) | The traditional "HITRUST certified" report. Required by most healthcare enterprise buyers. |
 
-* **Comprehensive compliance** - A single assessment can help demonstrate compliance with multiple regulatory requirements, reducing the need for multiple assessments
-* **Standardized approach** - The framework provides a structured, consistent methodology for security and compliance
-* **Risk reduction** - Implementation of the comprehensive controls helps reduce the likelihood and impact of security incidents
-* **Competitive advantage** - Certification can differentiate an organization in the marketplace and simplify vendor selection processes
-* **Inheritable controls** - Organizations can leverage third-party assessments through inheritance, potentially reducing assessment scope and efforts
-* **Third-party validation** - Independent assessment provides credibility to security claims
-* **Streamlined business associate agreements** - Can simplify contractual requirements with business partners
+The earlier terminology ("HITRUST CSF Validated," "HITRUST CSF Certified") still appears in older contracts; r2 is the current name for the highest-rigor option.
 
-HITRUST offers different levels of assessment, including self-assessment, validated assessment, and certified assessment, giving organizations flexibility in how they approach the framework based on their business needs.
+## How are HITRUST controls scored?
 
-## Challenges in achieving HITRUST compliance
+Each in-scope requirement is evaluated against a five-level **PRISMA-derived maturity model**. A control isn't just present or absent; the assessor scores how mature its implementation is across these levels:
 
-Despite its benefits, achieving HITRUST certification presents several challenges:
+1. **Policy.** A written, approved policy exists that addresses the requirement.
+1. **Procedure.** Documented procedures translate the policy into operational steps.
+1. **Implemented.** The control is actually operating in systems and processes.
+1. **Measured.** The control's effectiveness is tested and reported on.
+1. **Managed.** Findings from measurement feed back into improvements over time.
 
-* **Complexity and scope** - The framework is extensive and detailed, requiring significant resources to implement
-* **Documentation requirements** - Extensive documentation is needed to demonstrate both the existence and effectiveness of controls
-* **Cost and time commitment** - The certification process can be expensive and time-consuming
-* **Subjectivity in interpretation** - The framework's requirements can sometimes be vague and open to interpretation
-* **Continuous maintenance** - Controls must be continuously monitored and improved to maintain certification
-* **Limited automation options** - Many control requirements involve processes that cannot be fully automated
-* **Resource intensity** - The assessment process requires dedicated resources with specific expertise
+Each level gets a percentage score (0-100%). The overall control score is a weighted combination across the levels, and a control passes certification at 3+ (a passing score, conventionally 62+ out of 100). The same maturity framing applies whether the assessment is e1, i1, or r2.
 
-Organizations pursuing HITRUST certification often need to engage specialized consultants and allocate dedicated internal resources to navigate the process successfully.
+## How is HITRUST different from HIPAA, SOC 2, and ISO 27001?
 
-## Learn more
+These frameworks overlap heavily, but they answer different questions.
+
+| Framework | What it is | Prescriptive controls? | Auditor model | Common use |
+|---|---|---|---|---|
+| **HIPAA** | US federal law for health information | No (outcomes, not controls) | HHS / OCR enforcement | Mandatory for US health data |
+| **HITRUST CSF** | Certifiable framework that maps to many regimes | Yes (1,900+ requirement statements) | HITRUST + External Assessor | Healthcare and other regulated vendors that want one audit for many regimes |
+| **SOC 2** | AICPA attestation against Trust Services Criteria | Partially (criteria, customer-defined controls) | Independent CPA firm | SaaS vendors selling to US enterprise buyers |
+| **ISO/IEC 27001** | International ISMS standard | Partially (risk-based selection from Annex A via SoA) | Accredited certification body | International enterprises and vendors selling globally |
+
+In practice:
+
+* **HIPAA** is a legal floor for US health data.
+* **HITRUST** is how a healthcare vendor *proves* it meets HIPAA (and many other regimes) to its customers.
+* **SOC 2** is how a SaaS vendor proves operational security to enterprise buyers, often paired with HITRUST in healthcare.
+* **ISO 27001** is the international equivalent for global buyers.
+
+Many healthcare-adjacent vendors maintain both SOC 2 and HITRUST. SOC 2 gives buyers an attestation against a familiar US criteria set; HITRUST gives them a healthcare-specific, certifiable framework.
 
-HITRUST provides a comprehensive framework for managing information security risks and demonstrating regulatory compliance, particularly in the healthcare sector. By adopting HITRUST, organizations can streamline their compliance efforts and build trust with partners and customers.
+## What does HITRUST certification involve?
 
-Pulumi's infrastructure as code solutions can help with implementing some of the technical controls required by HITRUST, especially around infrastructure security, configuration management, and automated compliance verification. [Learn how Pulumi supports security and compliance](/docs/insights/policy/).
+A typical r2 certification runs 6–18 months from kickoff to report, depending on scope, prior maturity, and remediation load. The major phases:
 
-Pulumi offers off-the-shelf support for HITRUST compliance through Pulumi Policies' `frameworks` option. For AWS environments, you can quickly get started with a comprehensive HITRUST policy pack by running:
+1. **Readiness assessment (optional but typical).** A self-assessment or facilitated gap analysis using HITRUST's MyCSF platform to identify control gaps before a paid audit.
+1. **Scoping.** Determine which systems, locations, and data types are in scope and which risk factors drive your specific requirement set.
+1. **Remediation.** Implement the missing controls, write the missing policies and procedures, and operate them long enough to produce evidence.
+1. **Validated assessment.** An authorized External Assessor tests every in-scope control across the maturity levels, gathers evidence, and submits findings to HITRUST.
+1. **HITRUST QA and report issuance.** HITRUST reviews the External Assessor's work and issues the certified report.
+1. **Interim assessment (year 1).** For r2, a lighter-weight check during the certification period to confirm controls are still operating.
+1. **Recertification.** Every two years for r2, annually for e1 and i1.
+
+The first time through, expect months of work on policies, procedures, and evidence collection. Subsequent cycles are faster because the program is already running.
+
+## How does infrastructure as code support HITRUST controls?
+
+A large share of HITRUST CSF requirements describe technical infrastructure controls: encryption, network segmentation, IAM, logging, configuration management, change control, vulnerability management. These are exactly the controls that [infrastructure as code](/what-is/what-is-infrastructure-as-code/) lets you enforce, audit, and prove.
+
+Pulumi ships a HITRUST policy pack specifically for AWS:
 
 ```bash
 pulumi policy new aws-hitrust-compliance-policies-typescript
 ```
 
-This creates a policy pack with pre-built rules that help enforce HITRUST compliance requirements across your AWS infrastructure. You can learn more about this policy pack in the [AWS HITRUST compliance policies template repository](https://github.com/pulumi/templates-policy/tree/master/aws-hitrust-compliance-policies-typescript).
+The pack contains prebuilt [Pulumi policies](/docs/insights/policy/) that block non-compliant configurations in CI before they deploy. Source and customization details are in the [aws-hitrust-compliance-policies-typescript template](https://github.com/pulumi/templates-policy/tree/master/aws-hitrust-compliance-policies-typescript).
+
+More broadly, Pulumi helps with HITRUST control maturity in concrete ways:
+
+* **Policy maturity (level 1).** Encode security policy as code with [Pulumi Policies](/docs/insights/policy/). Policy lives in version control with the same review process as application code.
+* **Procedure maturity (level 2).** The Pulumi program is itself the procedure. The same code is run by every engineer in every environment.
+* **Implementation maturity (level 3).** Pulumi applies the configuration. The state file is evidence that the control was deployed.
+* **Measurement maturity (level 4).** `pulumi preview` and policy reports give auditors continuous evidence of compliance status across accounts and clouds.
+* **Managed maturity (level 5).** Findings from policy violations and drift detection flow into the same backlog as application bugs and feed the next iteration.
+
+* **Centralized secrets.** [Pulumi ESC](/product/esc/) keeps secrets out of code and CI logs, with audit trails for every read.
+* **Reusable secure defaults.** Platform teams ship [Pulumi components](/docs/iac/concepts/components/) with HITRUST-aligned settings baked in (encryption, logging, restricted IAM), so product teams consume compliant infrastructure by default.
+
+[Get started with Pulumi](/docs/get-started/) to manage HITRUST-relevant cloud infrastructure as code in TypeScript, Python, Go, C#, Java, or YAML.
+
+## Frequently asked questions about HITRUST
+
+### What does HITRUST stand for?
+
+HITRUST originally stood for "Health Information Trust Alliance." The organization has since dropped the long-form name and goes by HITRUST. The framework itself is the HITRUST CSF (Common Security Framework).
+
+### Is HITRUST only for healthcare?
+
+No. HITRUST originated in healthcare and is still most common there, but the CSF is used well beyond it — financial services, public sector, and SaaS in particular. The harmonized control set works for any organization that has to satisfy multiple compliance regimes at once.
+
+### Is HITRUST certification required for HIPAA compliance?
+
+No. HIPAA is a US federal law; HITRUST is a private framework. You can be HIPAA-compliant without HITRUST, and HITRUST certification doesn't automatically make you HIPAA-compliant. HITRUST is widely used because a single CSF assessment cross-references to HIPAA requirements, which makes it easier to demonstrate HIPAA compliance to customers and auditors.
+
+### What's the difference between HITRUST CSF Certified and HITRUST r2?
+
+They refer to the same assessment level. "HITRUST CSF Certified" was the older naming; "r2" (Risk-Based, 2-Year) is the current name, introduced in 2021. Reports issued before then typically use the older terminology, but the rigor is unchanged.
+
+### How long does HITRUST certification take?
+
+A first-time r2 certification typically runs 6–18 months from kickoff to issued report, including readiness, remediation, validated assessment, and HITRUST QA review. The lighter-weight e1 and i1 assessments run shorter (often 4–9 months for first-time issuance). Recertification cycles are faster than the first round.
+
+### How much does HITRUST certification cost?
+
+Total cost varies widely by scope and assessment level. MyCSF platform subscriptions start around $18,000 per year (per HITRUST's published pricing). The External Assessor fee for an r2 is typically in the low-to-mid six figures for a first-time assessment. Internal remediation and program-building costs usually exceed the external fees. Smaller e1 and i1 assessments are correspondingly cheaper.
+
+### Can a HITRUST report replace a SOC 2 report?
+
+Not directly. Many enterprise buyers (especially outside healthcare) specifically ask for SOC 2, and an AICPA-issued SOC 2 attestation is the only way to satisfy that request. There is a combined HITRUST + AICPA SOC 2 report option that lets a single audit produce both a SOC 2 attestation and a HITRUST CSF report, which is a common path for vendors that need both.
+
+### What is MyCSF?
+
+MyCSF is HITRUST's web-based assessment platform. It hosts the requirement set tailored to your organization, captures evidence and scoring, and is the system of record that External Assessors and HITRUST QA use to review your assessment. Every HITRUST assessment runs in MyCSF.
+
+### How does HITRUST treat cloud infrastructure?
+
+HITRUST treats cloud workloads like any other in-scope system. The customer is responsible for controls on the configurations they own (IAM, encryption, network, logging), while the cloud provider is responsible for the platform. AWS, Azure, and Google Cloud all publish HITRUST-relevant control inheritance documentation that customers can cite to reduce their own evidence burden for shared controls.
+
+### What is "control inheritance" in HITRUST?
+
+A way to reuse controls operated by another party (a cloud provider, a SaaS vendor, or a shared internal service) instead of testing them yourself. If AWS has a current HITRUST report, you can inherit its physical security and platform-level controls and only test the controls you operate on top. Inheritance significantly reduces the size of a customer's assessment.
+
+## Learn more
+
+Pulumi gives engineering teams the tooling to make HITRUST CSF controls live in code: encrypted resources by default, least-privilege IAM, [Pulumi policies](/docs/insights/policy/) that block non-compliant infrastructure in CI, and a pre-built [AWS HITRUST policy pack](https://github.com/pulumi/templates-policy/tree/master/aws-hitrust-compliance-policies-typescript) to accelerate the technical work. [Get started today](/docs/get-started/).
 
-For more information about compliance-related topics:
+Related reading:
 
-* [What is Configuration Management?](/what-is/what-is-configuration-management)
-* [What is Secrets Management?](/what-is/what-is-secrets-management)
-* [What is Cloud Infrastructure Autoscaling?](/what-is/what-is-cloud-infrastructure-autoscaling)
+* [What is HIPAA?](/what-is/what-is-hipaa/)
+* [What is SOC 2?](/what-is/what-is-soc-2/)
+* [What is Cloud Security?](/what-is/what-is-cloud-security/)
+* [What is Secrets Management?](/what-is/what-is-secrets-management/)
+* [What is Configuration Management?](/what-is/what-is-configuration-management/)