Healthcare providers, medical device manufacturers, and health IT vendors serving the U.S. Department of Defense are facing a new cybersecurity mandate: CMMC Level 2 compliance.
Hospitals and research institutions often rely on outdated systems—some running unsupported operating systems or proprietary software—that are difficult to secure or monitor. Many also struggle with sprawling networks that blend clinical and administrative systems, making boundary definition and CUI scoping particularly challenging.
HIPAA focuses on protected health information (PHI), which may also be classified as CUI in federal contracts. Organizations may assume that existing policies are sufficient, only to find that CMMC requires more granular access control, auditing, encryption, and incident response planning—all specifically mapped to NIST 800-171.
From cloud EHR platforms to telehealth services, healthcare is a deeply outsourced ecosystem. Under CMMC, organizations are responsible for how their vendors handle CUI. If subcontractors aren’t compliant—or if contracts don’t include the right flow-down clauses—your entire compliance posture could be at risk.
Many healthcare organizations are already stretched thin meeting HIPAA, PCI, and other regulatory demands. Adding another compliance layer presents new challenges to already taxed IT and security resources that will require additional planning, cross-functional coordination, and executive sponsorship.
A CMMC gap analysis provides a structured review of your current cybersecurity posture against all requirements, including compliance with NIST 800-171. It will help you identify technical, policy, and documentation gaps that will require additional investments beyond those made to ensure HIPAA compliance. For healthcare, this step is critical in understanding how CUI flows through clinical, research, and administrative environments.
Identify where CUI is stored, processed, or transmitted, and define your CMMC assessment boundary accordingly. In complex healthcare settings, it may be necessary to segment research systems from clinical systems or isolate vendor-managed platforms to reduce scope.
CMMC requires formal, repeatable, and enforced security policies—and assessors will expect to see evidence that these are being followed. Many healthcare orgs find they need to write entirely new procedures for access control, logging, system monitoring, and risk assessment that are distinct from HIPAA or Joint Commission requirements.
CMMC isn’t a checkbox. It reflects operational maturity. That means establishing governance, assigning roles, and running internal audits to validate implementation. Mock assessments can provide a valuable test run for organizations that believe they’re ready for the real thing.
“Working with Coalfire Federal for our CMMC Level 2 assessment was a thorough and professional experience from start to finish. Their assessment team demonstrated deep expertise in both the technical requirements and the practical implementation of CMMC controls."
Please note that this FAQ is a summary and should be used in conjunction with the official CMMC documentation for precise guidance and compliance instructions.
CMMC 2.0 is the Department of Defense’s cybersecurity certification. Healthcare providers, device makers, and IT vendors handling Controlled Unclassified Information (CUI) must meet all 110 practices in NIST SP 800-171 to stay eligible for contracts.
CMMC Level 2 is required for any contractor or subcontractor that handles CUI in support of the DoD. That includes:
Many of these organizations already operate under HIPAA. But HIPAA compliance is not enough. CMMC introduces additional requirements around technical controls, documentation, and maturity that go well beyond privacy rules and breach notification.
Healthcare is one of the most targeted sectors for cyberattacks—and one of the most heavily regulated. DoD healthcare contractors face pressure not only from CMMC requirements, but also from heightened expectations around patient privacy, data integrity, and national security.
Organizations that delay CMMC preparation risk losing federal contracts or facing remediation timelines that disrupt operations. Those who move now can build trust with contracting officers, improve their overall cyber posture, and maintain their eligibility as the DoD tightens enforcement.
Any organization handling CUI for DoD contracts—such as healthcare providers, medical device manufacturers, and health IT vendors—must achieve CMMC Level 2 to remain eligible for defense work.
HIPAA addresses patient privacy and health data protection, but CMMC focuses on broader cybersecurity practices across IT systems, access controls, and vendor management required for defense contracts.
Start with a gap analysis to identify what’s in scope and where remediation is needed. Organizations ready for assessment can benefit from a mock assessment to test readiness and reduce risk.
CMMC Level 2 is now essential for healthcare organizations working with the DoD. HIPAA isn’t enough—compliance requires a focused plan to reduce risk and stay competitive.
