CMMC 2.0 and the HIPAA Security Rule: Two Key Regulatory Updates for Healthcare and Defense Clients 

By Sumera Riaz, VP of Cybersecurity 

A look at two must-know regulatory developments impacting healthcare and defense organizations—what’s changing, what’s at stake, and how to prepare.

At a Glance

  • Healthcare and defense organizations have been facing new compliance requirements under the HIPAA Security Rule and CMMC 2.0.  HIPAA impacts healthcare, and CMMC 2.0 is for defense contractors. 
  • The HIPAA Security Rule is currently pending final approval. The CMMC framework is final and in a phased rollout.  
  • These regulatory deadlines provide a timely opportunity to start cybersecurity and compliance conversations.  
  • Advisors can use governance, risk, and compliance (GRC) principles to connect security investments to business outcomes and drive action.  
  • Organizations that wait too long may face penalties, lost contracts, and costly remediation efforts.  
  • Advisors do not need to be compliance experts to start regulatory conversations around HIPAA and CMMC 2.0. Telarus can help fill gaps and move deals forward. 
  • If you work with healthcare or defense clients, your role is to: flag upcoming HIPAA Security Rule and CMMC 2.0 deadlines, use targeted discovery questions to qualify risk and urgency, and bring in Telarus and our suppliers to run structured HIPAA/CMMC assessments and remediation projects. 

We get it: Selling cybersecurity and data protection can feel like pulling teeth sometimes. Business leaders will often delay investments until issues become painful, expensive, and difficult to fix.  

But there’s one thing that decision makers rarely ignore: regulatory deadlines.  

Right now, two regulatory shifts—the HIPAA Security Rule update and CMMC 2.0—are directly impacting customers in the healthcare and defense sectors. Proposed changes to the HIPAA Security Rule and the Cybersecurity Maturity Model Certification (CMMC) framework are forcing healthcare organizations and defense contractors to reassess their security and compliance posture—creating a significant revenue opportunity for technology advisors. 

Here’s what advisors need to know about upcoming changes to HIPAA and CMMC, why they matter, and how to help clients ensure compliance before deadlines hit. 

GRC: Your North Star for Navigating Cybersecurity Sales 

Before we dive into HIPAA and CMMC updates, let’s take a step back and look at the bigger picture: the role that governance, risk, and compliance (GRC) plays in cybersecurity decisions. 

There are countless ways to approach cybersecurity conversations. New technologies emerge almost daily. The threat landscape constantly evolves, and security headlines never stop.  

To most business leaders, it’s all noise.  

It’s not that executives don’t care about security or data protection—far from it. Rather, they often fail to connect security initiatives with business outcomes. Security investments don’t produce direct growth, so they often take a back seat to competing priorities. 

In the AI era, organizations can no longer separate innovation from security and compliance. The two go hand in hand. As AI usage ramps up, organizations are collecting, processing, and sharing larger volumes of data, increasing both risk and regulatory scrutiny. 

According to Eliciting Insights, 75% of U.S. health systems are now using at least one AI application, up from 59% in 2025. At the same time, federal agencies and military branches are being directed to accelerate AI development for national security applications. Aerospace and defense companies are on pace to spend $44 billion on AI by 2030. 

The key is to approach cybersecurity through a framework executives will understand, which is where GRC comes into play. Simply put, GRC is a model that organizations use to align business objectives, manage risk, and demonstrate compliance through specific policies and controls.  

Three boxes labeled Governance, Risk, and Compliance, each providing a brief definition: Governance covers rules and ownership, Risk covers threats to business, and Compliance covers proof of meeting regulatory updates like the HIPAA Security Rule or CMMC 2.0 requirements.

As I explained in a recent HITT session, GRC is the backbone of every security sale. That’s because clients typically invest in security when faced with deadlines, compliance requirements, or other pressure—not because they want to. 

Think of it this way: Regulatory changes are like an incoming storm at sea. You can’t change the weather, but you can prepare for it. Having a GRC plan in place means battening down the hatches, navigating turbulence, and changing your course to reach your destination safely.  

For advisors, GRC will elevate technical conversations into critical business discussions, and earn a seat at the table with organizational leaders. 

Upcoming Changes to HIPAA and CMMC  

Through a GRC lens, HIPAA and CMMC are two compliance frameworks that demand immediate attention from healthcare and defense organizations. Read on for the key details, deadlines and opportunities surrounding each. 

HIPAA’s Security Makeover 

Target customers: Healthcare providers, physician groups, specialty practices, clinics, healthcare technology companies, and related business associates 

Overview:  

  • Originally finalized in 2003, the HIPAA Security Rule establishes the administrative, physical, and technical safeguards healthcare organizations must implement to protect electronic protected health information (ePHI).  
  • In January 2025, HHS proposed the most significant updates to the HIPAA Security Rule in more than a decade.  
  • If finalized, the changes will introduce tighter security requirements for covered entities and business associates. Organizations will also need to demonstrate that security controls are actively implemented and maintained. 

Status:  

  • As of June, the HIPAA Security Rule update has not been finalized. While HHS originally targeted May 2026, that deadline has passed. The rule is currently under administrative review.  
  • Once the final rule passes, healthcare organizations will have 240 days from the date of publication to achieve full compliance.  

A graphic showing the costs of ignoring HIPAA and the HIPAA Security Rule: 57 million individuals affected by data breaches in 2025, $7.42 million average breach cost, and $2.19 million in penalties per violation; source: TELARUS.

Proposed requirements: 

  • Mandatory multi-factor authentication for all systems that access ePHI. 
  • Network segmentation to isolate critical systems and limit lateral movement during cyberattacks.   
  • 72-hour recovery objective requiring organizations to demonstrate their ability to quickly restore critical systems and data following a security incident. 
  • Comprehensive asset inventories and network maps that accurately reflect systems, devices, and data flows.   
  • Evidence of operational enforcement demonstrating that security controls are actively implemented and maintained. 

For advisors, this is the moment to help healthcare clients inventory where ePHI lives, validate MFA and backup coverage, review network segmentation and monitoring, and position a HIPAA security assessment to document their current posture before the 240-day clock starts. 

HIPAA discovery questions for healthcare clients   

Impacted organizations will need help evaluating their HIPAA readiness and implementing new technologies. The proposed changes to HIPAA introduce new opportunities around MFA, backup and recovery, vulnerability management, network segmentation, incident response, and security monitoring. By taking early action, companies can reduce audit risk, downtime, and patient impact. 

Use the following questions to engage customers about HIPAA readiness: 

  • Do you create, store, or transmit health data? 
  • Have you fully deployed encryption and MFA?  
  • Do you know where ePHI resides across your environment? 
  • If asked, could you prove your safeguards in writing tomorrow? 
  • Have you completed a formal HIPAA risk assessment in the last 12 months?  

When these answers are unclear or concerning, your next step is to bring in Telarus and our HIPAA-focused suppliers to scope a formal HIPAA readiness or gap assessment and build a remediation roadmap. 

CMMC 2.0: The Next Phase of Defense Compliance  

Target customers: Defense contractors, subcontractors, manufacturers, engineering firms and technology providers supporting Department of Defense contracts 

Overview:  

  • CMMC 2.0 is a cybersecurity compliance framework developed by the U.S. Department of Defense (DoD) to protect sensitive government information throughout the Defense Industrial Base (DIB)—the vast network of contractors, subcontractors, suppliers, and service providers that support U.S. military operations.  
  • Organizations that handle Controlled Unclassified Information (CUI) may be required to demonstrate CMMC compliance. For many contractors, certification is becoming a prerequisite for bidding on and maintaining DoD contracts.  
  • The DoD released the original CMMC framework in 2019, introducing five maturity levels and requiring mandatory third-party assessments for contractors.  
  • CMMC 2.0 was introduced in 2021 and simplified the model to three levels while aligning each requirement with the latest NIST cybersecurity standards. 
  • As of today, more than 76,000 defense contractors still need Level 2 certification. Only about 1,100 contractors have completed it.  

Timeline:   

CMMC is being implemented through a phased rollout extending through 2028. As of June, organizations are approximately five months away from the Phase 2 deadline, when third-party assessments will be required for many Level 2 contractors.  

  • Phase 1 – November 10, 2025: Initial self-assessment requirements began for Level 1 and Level 2 contractors 
  • Phase 2 – November 10, 2026: Mandatory third-party assessments begin for Level 2 contractors 
  • Phase 3 – November 10, 2027: Level 3 government assessments will be introduced for high-priority programs 
  • Phase 4 – November 10, 2028: Full implementation across all applicable contracts 

Advisors can help defense contractors map which contracts and revenue streams depend on CMMC, confirm their current level, and schedule a gap assessment well before Phase 2 third-party audits begin. 

A graphic outlines the three levels of CMMC 2.0: Level 1 (Foundational) with self-assessment, Level 2 (Advanced) with third-party assessment, and Level 3 (Expert) with government-led assessment, reflecting recent regulatory updates.

CMMC discovery questions to ask defense clients  

Organizations that fail to meet CMMC requirements risk losing eligibility for certain DoD contracts. They also face reputational harm and increased liability under the False Claims Act as the Department of Justice continues to scrutinize cybersecurity compliance.  

The following discovery questions can help start impactful conversations around CMMC readiness: 

  • How much of your revenue is tied to the federal government or DoD contracts?
  • Do you handle CUI, or other sensitive government data? 
  • Is your business ready for the November Phase 2 deadline? 
  • Do you know which CMMC level applies to your organization? 
  • Have you completed a CMMC gap assessment?
  • Are you still relying on self-assessment, or have you engaged a third-party assessor?  

How to Approach Customers About HIPAA and CMMC Compliance 

You don’t need to be a policy expert to lead effective compliance conversations. Your role is to help clients understand what’s changing, why it matters, and what steps they need to take.  

Sometimes the most valuable thing an advisor can do is be the voice reminding busy clients that regulatory deadlines are approaching—and helping them prepare before deadlines become emergencies.  

Keep these tips in mind when approaching customers about HIPAA and CMMC compliance: 

  • Frame cost and risk, not features: Ground your conversations in reality and remind customers what non-compliance can cost. For example, HIPAA violations can exceed $2 million and carry potential criminal penalties.   
  • Lead with deadlines: Deadlines drive action, and both HIPAA and CMMC introduce important milestones. Organizations that wait too long may face penalties, lost business opportunities, or costly remediation efforts.   
  • Connect compliance to business outcomes: HIPAA and CMMC compliance aren’t IT projects. They help organizations reduce risk, maintain customer trust, and protect revenue.   

Keep in mind that compliance is already a priority in the boardroom. In fact, 77% of global C-level leaders say compliance contributes significantly or moderately to company objectives. And in a PwC benchmark study, 51% of respondents identified technology compliance risks, including cybersecurity, data privacy and data protection as a top priority.  

The Bottom Line: Start the Compliance Conversation Today

A comparison chart of HIPAA Security Rule and CMMC 2.0 shows differences in status, applicable parties, deadlines, and messaging, with HIPAA rules targeted for 2026 and CMMC 2.0 finalized with a deadline of November 10, 2026.

Like many opportunities in the channel—such as POTS or VMware migration—HIPAA Security and CMMC 2.0 won’t last forever. There is a limited time to capitalize on this round of healthcare and defense updates. Advisors who act now can use these regulatory shifts to drive the next 18 months of compliance revenue. 

Keep in mind that HIPAA and CMMC ultimately follow the same playbook. Regulatory changes are creating urgency, organizations face hard deadlines and compliance requirements, and clients need to act quickly to close security gaps and prepare for what’s ahead. 

The stakes are real. The opportunity is real. Now it’s time to leverage your network—and Telarus—to turn urgency into action.  

Next step for advisors: If you have healthcare or defense clients who may be impacted by the HIPAA Security Rule update or CMMC 2.0, connect with your Telarus cybersecurity team. We can help you qualify opportunities, align the right suppliers, and structure HIPAA or CMMC readiness assessments that move deals forward before deadlines hit. 

FAQ: HIPAA Security Rule Changes and CMMC 2.0 Requirements

As of June 2026, the proposed rule remains under administrative review. Advisors should continue monitoring guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). 

The biggest proposed change is to eliminate the “addressable” flexibility of the past. It forces a shift toward strict, measurable technical controls, and from documented policies to demonstrated operational enforcement. If finalized, organizations will need to prove that safeguards are implemented and maintained.  

CMMC 2.0 is a cybersecurity compliance framework developed by the Department of Defense to protect sensitive government information throughout the Defense Industrial Base.  

Organizations handling Controlled Unclassified Information (CUI) or supporting applicable DoD contracts may be required to meet CMMC requirements.  

• Phase 1: November 10, 2025 – Self-assessments began for Level 1 & 2 
• Phase 2: November 10, 2026 – Third-party assessments begin for Level 2 
• Phase 3: November 10, 2027 – Level 3 government assessments introduced 
• Phase 4: November 10, 2028 – Full implementation across applicable contracts

Advisors can help healthcare clients prepare by: 
• Identifying where ePHI is stored and accessed 
• Assessing gaps in MFA, backup and recovery, and segmentation 
• Validating incident response and 72-hour recovery capabilities 
• Mapping existing controls to HIPAA Security Rule requirements 
• Coordinating third-party HIPAA risk assessments and remediation plans  

Advisors can support CMMC 2.0 readiness by: 
• Confirming whether the client handles CUI and which contracts are in scope 
• Identifying which CMMC level applies to the organization 
• Scoping a formal CMMC gap assessment with a certified partner 
• Prioritizing remediation for high-risk gaps before the Phase 2 deadline 
• Introducing third-party assessors and managed security providers to maintain compliance 

ABOUT THE AUTHOR


Sumera Riaz

Sumera Riaz is Vice President of Cybersecurity at Telarus—a CISSP-certified former Chief Information Security Officer turned industry advocate on a mission to change how cybersecurity is sold. Based in the Dallas–Fort Worth area, she empowers technology advisors to confidently guide their clients through AI risk, enterprise security, and what’s coming next—including the quantum computing shift organizations can’t afford to ignore. A Forbes Council member and sought-after speaker, Sumera translates technical complexity into human clarity, making the scary feel manageable and the stakes impossible to ignore. Her mission is simple: to leave every company better protected than she found it.