Cybersecurity Maturity Model Certification
Healthcare and Life Sciences organizations holding Department of Defense contracts are now operating under direct pressure from the U.S. Department of Defense's Cybersecurity Maturity Model Certification 2.0 framework, which moved from proposed rule to final rulemaking in late 2024 and will require third-party assessment for most Level 2 and all Level 3 contractors. The U.S. Department of Health and Human Services Office for Civil Rights adds a compounding layer: its proposed updates to the HIPAA Security Rule, published in January 2025, borrow heavily from CMMC-adjacent controls, meaning compliance teams cannot treat these as separate workstreams.
Watch
- CMMC 2.0 final rule: third-party assessment timelines for Level 2 DoD contractors
- HHS Office for Civil Rights proposed HIPAA Security Rule amendments, January 2025
- C3PAO accreditation bottleneck slowing assessment scheduling for mid-size health firms
- Defense Contract Management Agency audit posture toward healthcare subcontractors in 2025
- State attorneys general using federal CMMC gaps as a hook for independent enforcement actions
Recent material activity in Healthcare & Life Sciences
- FDA issues Complete Response Letter for novel GLP-1 receptor agonist oral formulation
The FDA issued a CRL for a once-daily oral GLP-1 receptor agonist citing manufacturing consistency concerns at the primary production facility. The agency requested additional CMC data and a pre-approval inspection befor…