Compliance-Driven Cybersecurity: HIPAA, PCI-DSS, CMMC, and SOC 2
Four regulatory and attestation frameworks — HIPAA, PCI-DSS, CMMC, and SOC 2 — define the compliance-driven cybersecurity landscape for the majority of US organizations handling sensitive data or operating in regulated industries. Each framework carries distinct legal authority, technical requirements, and enforcement mechanisms that shape how security programs are structured, staffed, and audited. Understanding the boundaries, mechanics, and tensions among these frameworks is essential for security professionals, procurement teams, and researchers navigating the sector. This page maps the structure of each framework and their relationships to one another.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Compliance-driven cybersecurity refers to security programs whose architecture, controls, and audit cycles are organized around the requirements of one or more external regulatory or attestation standards. Rather than being purely risk-appetite-driven, these programs must satisfy mandatory control baselines, documentation requirements, and third-party verification processes defined by statute, rule, or industry standard.
HIPAA — the Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 and 164) — applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. The Security Rule within HIPAA establishes administrative, physical, and technical safeguards for electronic protected health information (ePHI). Enforcement authority rests with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR).
PCI-DSS — the Payment Card Industry Data Security Standard — is a contractual framework governed by the PCI Security Standards Council (PCI SSC), a body founded by American Express, Discover, JCB, Mastercard, and Visa. PCI-DSS applies to any entity that stores, processes, or transmits cardholder data. Version 4.0, released in March 2022, replaced version 3.2.1 as the active standard (PCI SSC, PCI DSS v4.0).
CMMC — the Cybersecurity Maturity Model Certification — is a Department of Defense requirement governing contractors in the Defense Industrial Base (DIB). Administered through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), CMMC 2.0 consolidates requirements into 3 levels aligned to NIST SP 800-171 and NIST SP 800-172 (NIST SP 800-171 Rev 2).
SOC 2 — Service Organization Control 2 — is an attestation framework developed by the American Institute of CPAs (AICPA). It evaluates service organizations against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type I reports on design at a point in time; Type II reports on operational effectiveness over a defined period, typically 6 to 12 months.
Core mechanics or structure
Each framework operates through a distinct combination of control requirements, assessment methodology, and enforcement or validation mechanism.
The HIPAA Security Rule specifies 18 administrative safeguard standards, 4 physical safeguard standards, and 5 technical safeguard standards under 45 CFR §164.308–164.312. Controls are classified as either "required" or "addressable" — an addressable control must either be implemented or be accompanied by a documented rationale for the alternative measures adopted in its place. HHS OCR enforces through complaint investigation and compliance reviews; civil penalties scale from $100 to $50,000 per violation, up to an annual cap of $1.9 million per violation category (HHS OCR Civil Money Penalties).
PCI-DSS v4.0 is organized into 12 requirements covering network security, cardholder data protection, vulnerability management, access control, monitoring, and information security policy. Compliance is validated through Qualified Security Assessors (QSAs) for large merchants or through Self-Assessment Questionnaires (SAQs) for smaller entities. The standard introduces a "customized approach" option in v4.0 that allows organizations to demonstrate equivalent security through alternative controls, replacing the prior prescriptive-only model.
CMMC 2.0 operates at 3 levels. Level 1 (Foundational) covers 17 practices aligned to FAR 52.204-21 for Federal Contract Information (FCI). Level 2 (Advanced) requires 110 practices from NIST SP 800-171 for Controlled Unclassified Information (CUI), with third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) for most contracts. Level 3 (Expert) adds controls from NIST SP 800-172 and requires government-led assessments.
SOC 2 assessments are conducted by licensed CPA firms. The AICPA's Trust Services Criteria (TSC) provide the control framework. The Security criterion (CC series) is mandatory; the remaining four criteria are selected based on the organization's service commitments. Type II reports — covering operational effectiveness over time — carry substantially more weight in vendor risk management than Type I reports.
Causal relationships or drivers
The proliferation of compliance-driven cybersecurity frameworks responds to three structural forces: legislative mandates following high-profile breach events, contractual risk transfer by large commercial networks, and supply chain security concerns in government contracting.
HIPAA's Security Rule was strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which introduced breach notification requirements and increased penalty tiers after a period when OCR enforcement was limited. The 2021 HITECH Amendment (Pub. L. 116-321) directed HHS to consider recognized security practices when determining penalties, creating a compliance credit mechanism.
PCI-DSS emerged as a unified standard in 2004 after the five founding card brands operated separate, incompatible programs. The standard's authority derives from contractual obligation through merchant agreements and acquiring bank relationships — not from federal statute. Non-compliance exposes organizations to fines imposed by card brands through acquiring banks, not through government enforcement.
CMMC was initiated following a series of data breaches affecting DIB contractors and the documented exfiltration of CUI, including incidents involving F-35 technical data. The framework's legal footing is the Defense Federal Acquisition Regulation Supplement (DFARS), specifically DFARS 252.204-7021, which makes CMMC certification a contract performance requirement.
SOC 2 adoption accelerated as enterprise procurement teams integrated third-party risk management programs requiring attestation evidence. Unlike the other three frameworks, SOC 2 carries no direct legal mandate — demand is driven entirely by commercial counterparty requirements and cyber insurance underwriting.
Classification boundaries
The four frameworks occupy distinct but occasionally intersecting jurisdictional domains:
- Sector scope: HIPAA is sector-specific (healthcare); PCI-DSS is data-type-specific (payment card data); CMMC is counterparty-specific (DoD contractors); SOC 2 is organization-type-specific (service organizations storing or processing client data).
- Legal vs. contractual authority: HIPAA and CMMC carry federal legal authority with government enforcement. PCI-DSS and SOC 2 operate through contractual and market mechanisms.
- Certification vs. attestation vs. self-assessment: CMMC Level 2 requires C3PAO certification. SOC 2 requires CPA attestation. HIPAA permits internal risk analysis with no mandatory third-party certification. PCI-DSS allows self-assessment for qualifying merchants.
- Scope of data: HIPAA covers ePHI; PCI-DSS covers cardholder data (Primary Account Numbers and associated data); CMMC covers FCI and CUI as defined by 32 CFR Part 2002; SOC 2 scope is defined by the service organization's system boundary and trust service criteria selection.
Organizations handling healthcare payments, for example, may simultaneously face HIPAA and PCI-DSS obligations for overlapping data sets, requiring control mapping to avoid duplicative audit burden.
Tradeoffs and tensions
Prescriptive versus risk-based controls: HIPAA's addressable control model and PCI-DSS v4.0's customized approach introduce risk-based flexibility that reduces prescriptive certainty. Organizations benefit from adaptability but face greater documentation burden to justify deviations. Auditors and assessors apply inconsistent interpretations of equivalency.
Point-in-time versus continuous compliance: SOC 2 Type II and CMMC assessments cover defined periods, not real-time security posture. Organizations may pass assessments while operating in degraded security states between evaluation windows. Continuous monitoring programs under NIST SP 800-137 address this gap but are not universally mandated across all four frameworks.
Compliance treated as a ceiling rather than a floor: Each framework establishes a minimum baseline, not a target. A PCI-DSS-compliant organization can still experience a breach — Target's 2013 breach affecting 40 million payment card records occurred while the company held PCI-DSS compliance status, a point examined extensively by the Senate Commerce Committee's 2014 investigation. Compliance satisfies regulatory obligation; it does not guarantee adequate security for all threat models.
Overlapping control requirements: Organizations subject to HIPAA and SOC 2 simultaneously manage partially overlapping control sets. HIPAA's technical safeguards align partially with SOC 2's Security criterion (CC6 series), but terminology, documentation formats, and assessment procedures differ, creating audit redundancy.
Assessment cost and DIB burden: CMMC Level 2 C3PAO assessments impose significant financial and operational costs on small and mid-sized defense contractors. The DoD's CMMC rulemaking process (32 CFR Part 170) acknowledged this burden and introduced phased implementation to reduce immediate impact on the supplier base.
Common misconceptions
"HIPAA certification exists": No federal program certifies HIPAA compliance. HHS OCR does not issue compliance certificates. Organizations may engage third-party auditors for gap assessments, but no HIPAA certification carries official regulatory standing. Claims of "HIPAA certification" reflect internal or commercial attestations only.
"PCI-DSS compliance is a legal requirement": PCI-DSS is not a federal or state statute. It is a contractual standard enforced by payment card networks through merchant agreements. Penalties for non-compliance are assessed by acquiring banks under card brand rules, not by government agencies. Twenty-eight US states have referenced PCI-DSS in breach notification or data security statutes, but the standard itself remains industry-controlled.
"SOC 2 Type I is equivalent to Type II": Type I reports assess whether controls are suitably designed at a single point in time. Type II reports assess whether controls operated effectively over an observation period of 6 to 12 months. Enterprise procurement and cyber insurance underwriting treat these reports as non-equivalent, with Type II carrying substantially greater evidentiary weight.
"CMMC Level 1 self-attestation applies to all DoD contracts": Level 1 self-attestation applies only to contracts involving FCI but not CUI. Contracts involving CUI require Level 2 compliance; the majority of significant DIB contracts involve CUI, meaning the population eligible for Level 1 self-attestation is narrower than commonly assumed.
"Passing one framework satisfies requirements for another": While control overlap exists, no framework accepts another as a substitute. HIPAA compliance does not satisfy PCI-DSS. SOC 2 Type II does not satisfy CMMC. Each framework requires independent assessment against its own requirements.
Checklist or steps (non-advisory)
The following represents the standard phases organizations move through when establishing or renewing compliance under these frameworks. This is a structural description of the process, not prescriptive guidance.
Phase 1 — Scope definition
- Identify applicable framework(s) based on data types processed, sectors served, and counterparty contractual requirements
- Delineate the system boundary: which systems, networks, and personnel are in scope
- Identify data flows for ePHI (HIPAA), cardholder data (PCI-DSS), CUI/FCI (CMMC), or client data (SOC 2)
Phase 2 — Gap analysis
- Map existing controls against the applicable framework's control requirements
- Document required versus addressable distinctions (HIPAA) or mandatory versus customized approach distinctions (PCI-DSS v4.0)
- Identify control gaps, missing policies, and documentation deficiencies
Phase 3 — Remediation
- Implement missing technical controls (encryption, access management, logging, patch management)
- Develop or revise security policies, incident response plans, and risk assessment documentation
- Train relevant personnel on framework-specific requirements
Phase 4 — Pre-assessment preparation
- For CMMC: engage a C3PAO for Level 2 contracts; complete a System Security Plan (SSP) per NIST SP 800-171A (NIST SP 800-171A)
- For PCI-DSS: select appropriate SAQ or engage a QSA; confirm scope with acquiring bank
- For SOC 2: select trust service criteria and define observation period with CPA firm
- For HIPAA: complete or update risk analysis per 45 CFR §164.308(a)(1)
Phase 5 — Formal assessment or audit
- CMMC Level 2: C3PAO conducts assessment; results submitted to the CMMC Accreditation Body (Cyber-AB)
- PCI-DSS: QSA produces Report on Compliance (ROC); or SAQ submitted to acquirer
- SOC 2: CPA firm produces Type I or Type II attestation report
- HIPAA: Internal risk analysis completed and documented; OCR review triggered only by complaint or audit selection
Phase 6 — Continuous monitoring and renewal
- Maintain audit logs, patch cadence, and access review cycles per framework requirements
- Track validity windows: PCI-DSS annual reassessment; SOC 2 observation period renewal; CMMC triennial assessment cycle; HIPAA ongoing risk management obligation
Reference table or matrix
| Framework | Governing Body | Legal Authority | Applies To | Assessment Method | Penalty / Consequence |
|---|---|---|---|---|---|
| HIPAA Security Rule | HHS OCR | 45 CFR Parts 160 & 164 | Covered entities, business associates | Internal risk analysis; OCR audits | Civil penalties $100–$50,000/violation; criminal referral possible |
| PCI-DSS v4.0 | PCI SSC | Contractual (card brand rules) | Any entity storing/processing cardholder data | QSA ROC or SAQ | Card brand fines via acquiring banks; termination of card |