US Cybersecurity Regulations: FISMA, HIPAA, CMMC, and More

Federal agencies, healthcare providers, defense contractors, and financial institutions each operate under distinct cybersecurity compliance obligations that carry civil penalties, contract terminations, or debarment consequences for non-compliance. This page maps the major US cybersecurity regulatory frameworks — FISMA, HIPAA, CMMC, PCI DSS, GLBA, and their associated enforcement structures — describing their scope, mechanics, classification boundaries, and operational tensions. The Information Security Providers network provides organized access to practitioners and service providers operating within these regulatory environments.


Definition and scope

US cybersecurity regulations are legally enforceable instruments — statutes, administrative rules, and contractual flow-down requirements — that mandate specific security controls, incident reporting timelines, audit obligations, and data handling practices for organizations within defined sectors or holding defined data types. Unlike voluntary frameworks such as the NIST Cybersecurity Framework, regulatory mandates carry external enforcement authority vested in named agencies: the Department of Health and Human Services (HHS) Office for Civil Rights enforces HIPAA, the Office of Management and Budget (OMB) and Cybersecurity and Infrastructure Security Agency (CISA) share oversight of FISMA, the Department of Defense (DoD) enforces CMMC through its acquisition chain, and the Federal Trade Commission (FTC) enforces the Safeguards Rule under GLBA for non-bank financial institutions.

The scope of any single framework is defined by three variables: organizational type (federal agency, defense contractor, covered entity), data category (federal information systems, protected health information, controlled unclassified information), and transaction type (payment card processing, financial account administration). An organization may fall under 2 or more concurrent regulatory regimes — a hospital processing payment cards, for instance, faces both HIPAA and PCI DSS obligations simultaneously, each with independent audit and enforcement mechanisms.

As a network-level reference, this page does not interpret regulatory requirements for specific fact patterns; it maps the structural landscape of the compliance sector.


Core mechanics or structure

Each major framework operates through a layered enforcement architecture consisting of a governing statute, implementing regulations, technical standards, and audit or assessment procedures.

FISMA (Federal Information Security Modernization Act, 44 U.S.C. § 3551 et seq.) requires federal agencies and their contractors to implement security programs based on NIST SP 800-53, which catalogs 20 control families. Agencies must authorize information systems through a formal Risk Management Framework (RMF) process documented in NIST SP 800-37, including categorization (FIPS 199), control selection, implementation, assessment, authorization, and continuous monitoring phases.

HIPAA (Health Insurance Portability and Accountability Act, Pub. L. 104-191) divides its security obligations between the Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E) and the Security Rule (45 C.F.R. Part 164, Subparts A and C). The Security Rule applies exclusively to electronic protected health information (ePHI) and structures controls as either "required" or "addressable" — a distinction that creates implementation flexibility but not optionality. HHS OCR enforces civil monetary penalties on a four-tier structure, with penalties reaching up to $1.9 million per violation category per calendar year (HHS CMP Wall).

CMMC (Cybersecurity Maturity Model Certification) applies to DoD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The CMMC 2.0 model, formalized in the DoD's interim rule at 32 C.F.R. Part 170 (published November 2024), establishes three maturity levels: Level 1 (17 basic safeguarding practices from FAR 52.204-21), Level 2 (110 practices aligned with NIST SP 800-171), and Level 3 (additional practices drawn from NIST SP 800-172). Level 2 and Level 3 contracts require assessment by a Certified Third-Party Assessment Organization (C3PAO) accredited through the Cyber AB.

PCI DSS (Payment Card Industry Data Security Standard), maintained by the PCI Security Standards Council, is a contractual framework rather than a statute — compliance is mandated through merchant agreements with card brands. Version 4.0, released in March 2022, contains 12 requirements organized across 6 goals and introduced customized implementation paths alongside the traditional defined approach.

GLBA Safeguards Rule (16 C.F.R. Part 314), as amended by the FTC in 2021, requires financial institutions to implement a written information security program with 9 enumerated elements, including encryption of customer information in transit and at rest, and multi-factor authentication for any individual accessing customer information (FTC Safeguards Rule).


Causal relationships or drivers

The proliferation of sector-specific regulations reflects a legislative pattern in which high-profile data breaches or systemic failures in specific industries triggered targeted statutory responses rather than a single omnibus law. The absence of a federal general-purpose privacy statute — analogous to the EU's GDPR — has produced the current fragmented structure. Congress enacted HIPAA in 1996 following concerns about medical records confidentiality in electronic billing transitions. FISMA was enacted in 2002 after audits revealed widespread inadequacy in federal agency security programs. CMMC emerged from documented theft of export-controlled technical data from defense contractors, with RAND Corporation and DoD Inspector General reports identifying supply chain exposure as the primary threat vector.

State breach notification laws — enacted in all 50 states as of 2018, per the National Conference of State Legislatures — further layer obligations onto the federal baseline, each with distinct trigger thresholds, notification timelines, and covered data categories.


Classification boundaries

Regulatory applicability is determined by four boundary conditions that practitioners and compliance officers must evaluate before selecting a control baseline:

  1. Federal nexus — Organizations processing, storing, or transmitting information on behalf of a federal agency fall under FISMA regardless of organizational type. This includes cloud service providers hosting federal workloads, who must achieve FedRAMP authorization (managed by GSA's FedRAMP Program Management Office) as a prerequisite condition.

  2. Covered entity or business associate status — HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Business associate agreements (BAAs) extend HIPAA obligations contractually to downstream vendors.

  3. CUI or FCI designation — CMMC scope is triggered by the presence of CUI or FCI in a contractor's environment. CUI categories and handling requirements are defined by the National Archives CUI Registry, administered under Executive Order 13556. A contractor with no CUI and only commercial-off-the-shelf items may fall outside CMMC scope entirely.

  4. Cardholder data environment (CDE) — PCI DSS scope is defined by the presence of primary account numbers (PANs), cardholder names, service codes, or expiration dates. Network segmentation that isolates the CDE from other systems is the primary scope-reduction mechanism recognized by the PCI SSC.


Tradeoffs and tensions

The most persistent tension in US cybersecurity regulation is the specificity-flexibility tradeoff. Prescriptive frameworks such as CMMC Level 2 mandate 110 specific practices from NIST SP 800-171 with no "addressable" equivalent — this provides clear audit criteria but creates compliance burden for small defense contractors with limited security staffing. HIPAA's addressable implementation model offers flexibility but generates interpretive disputes during OCR investigations about whether alternative measures were genuinely equivalent.

A second tension exists between audit frequency and operational continuity. FISMA's continuous monitoring mandate (codified in OMB Memorandum M-14-03) requires agencies to monitor security controls on an ongoing basis rather than triennial point-in-time assessments, but implementation fidelity varies. PCI DSS requires annual on-site assessments only for large merchants (Level 1, defined as processing over 6 million transactions annually per card brand rules) — smaller merchants self-attest, introducing verification gaps.

The multi-framework overlap problem creates direct cost and operational tension for organizations in sectors such as healthcare IT, financial services, and federal contracting. A company serving DoD healthcare contracts may simultaneously manage FISMA/RMF authorization, HIPAA Security Rule compliance, CMMC Level 2 certification, and state breach notification obligations — with no formal harmonization mechanism between them, though NIST SP 800-66 (HIPAA-NIST mapping) and CMMC-to-NIST SP 800-171 alignment provide partial cross-walks.


Common misconceptions

Misconception: FISMA applies only to federal agencies.
FISMA's scope extends to contractors and third-party service providers operating on behalf of federal agencies. Under 44 U.S.C. § 3554, agency heads are responsible for information security across their entire information supply chain, which includes contractor-operated systems. FedRAMP authorization is the operationalized mechanism for cloud service providers in this category.

Misconception: HIPAA compliance requires encryption.
The HIPAA Security Rule classifies encryption as an "addressable" implementation specification under 45 C.F.R. § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii). This means covered entities must implement encryption or document an equivalent alternative measure. HHS guidance clarifies that encrypted data that is breached may qualify for the breach notification safe harbor — but encryption is not mandated as a categorical requirement for all ePHI.

Misconception: Passing a CMMC assessment means full NIST SP 800-171 compliance.
CMMC Level 2 assessments evaluate whether an organization meets the 110 practices in NIST SP 800-171 at the time of assessment. A Plan of Action and Milestones (POA&M) may exist for a limited number of open findings without disqualifying a contractor from contract award in some circumstances, per DoD CMMC 2.0 implementation guidance. Assessment results reflect a point-in-time snapshot, not perpetual compliance status.

Misconception: PCI DSS is a law.
PCI DSS is a contractual standard enforced through card brand merchant agreements and acquiring bank relationships, not a federal or state statute. Non-compliance consequences — fines, increased transaction fees, loss of card processing privileges — flow from contract terms, not regulatory enforcement actions.


Compliance reference checklist

The following sequence reflects the standard operational phases organizations move through when establishing or auditing compliance posture across major US frameworks. These are structural process steps, not advisory guidance.

Phase 1 — Scope definition
- [ ] Identify applicable regulatory frameworks based on organizational type, data categories handled, and transaction or contract types
- [ ] Determine federal nexus: agency contractor status, CUI/FCI presence, healthcare covered entity or business associate classification
- [ ] Map cardholder data environments and apply network segmentation analysis for PCI DSS scope reduction
- [ ] Identify state breach notification obligations based on operational states and resident data subject locations

Phase 2 — Baseline gap assessment
- [ ] Select the applicable control baseline: NIST SP 800-53 (FISMA/FedRAMP), NIST SP 800-171 (CMMC Level 2), HIPAA Security Rule control categories, PCI DSS Requirements 1–12, or GLBA Safeguards Rule 9 program elements
- [ ] Document current control implementation status against each baseline requirement
- [ ] Identify open findings and classify by risk impact level (high/moderate/low per FIPS 199 for federal systems)

Phase 3 — Remediation planning
- [ ] Develop a System Security Plan (SSP) for FISMA/CMMC-scoped systems per NIST SP 800-18 format
- [ ] Develop or update a Plan of Action and Milestones (POA&M) for unresolved findings
- [ ] Execute Business Associate Agreement inventory for HIPAA-covered organizations

Phase 4 — Assessment and authorization
- [ ] Engage an accredited assessor: C3PAO for CMMC Level 2/3, Qualified Security Assessor (QSA) for PCI DSS Level 1, or independent auditor for GLBA program review
- [ ] Complete formal authorization decision for FISMA systems (Authority to Operate, or ATO, issued by the Authorizing Official)
- [ ] Establish continuous monitoring program cadence per OMB M-14-03 for FISMA-covered systems

Phase 5 — Incident response integration
- [ ] Establish breach notification trigger thresholds and reporting timelines for each applicable framework (72-hour CISA reporting per CIRCIA for critical infrastructure, 60-day HHS notification for HIPAA breaches affecting 500+ individuals)
- [ ] Maintain evidence of control effectiveness for audit readiness on a rolling basis


Reference table: major US cybersecurity frameworks

| Framework | Governing Instrument | Enforcing Authority | Primary Scope | Control Baseline | Assessment Type |
|---|---|---|---|---|---|
| FISMA | 44 U.S.C. § 3551 et seq. | OMB / CISA / Inspectors General | Federal agencies and contractors | NIST SP 800-53 Rev 5 | Independent (IGs, third-party) |
| HIPAA Security Rule | 45 C.F.R. Part 164 | HHS Office for Civil Rights | Covered entities and business associates | HIPAA-specific (required/addressable) | OCR investigation / voluntary audit |
| CMMC 2.0 | 32 C.F.R. Part 170 | DoD (OUSD A&S) | DoD contractors with FCI/CUI | NIST SP 800-171 (L2), NIST SP 800-172 (L3) | C3PAO (L2/L3), self-attestation (L1) |
| PCI DSS v4.0 | Contractual (card brands) | Card brands / acquiring banks | Entities handling cardholder data | PCI SSC 12 Requirements | QSA (Level 1 merchants), SAQ (others) |
| GLBA Safeguards Rule | 16 C.F.R. Part 314 | FTC | Non-bank financial institutions | 9-element written security program | FTC enforcement action |
| FedRAMP | OMB Memo M-11-11 / FedRAMP Authorization Act | GSA FedRAMP PMO | Cloud service providers serving federal agencies | NIST SP 800-53 (tailored baselines) | 3PAO (third-party assessment org) |
| NERC CIP | 18 C.F.R. Part 40 | FERC / NERC | Bulk electric system owners/operators | NERC CIP-002 through CIP-014 | NERC Regional Entity audits |

The "how to use this information security resource" page provides additional context on navigating compliance-related content within this reference network.

