CMMC vs HIPAA

Side-by-side comparison of CMMC Level 2 and HIPAA Security Rule across 49 cybersecurity controls.

Shared: 43 | CMMC Only: 3 | HIPAA Only: 3 | Neither: 0

Covered by Both (43 controls)

Controls recognized by both CMMC and HIPAA.

Control | CMMC Level 2 | HIPAA Security Rule
Governance Policy | CA.L2-3.12.1, CA.L2-3.12.4 | §164.308(a)(1)(i), §164.316(a)
Awareness & Training | AT.L2-3.2.1, AT.L2-3.2.2 | §164.308(a)(5)(i), §164.308(a)(5)(ii)(A)
Risk Management | RM.L2-3.11.1, RM.L2-3.11.2 | §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B)
Roles & Responsibilities | PS.L2-3.9.2 | §164.308(a)(2), §164.308(a)(3)(i)
Compliance | CA.L2-3.12.1 | §164.308(a)(8), §164.316(b)(1)
Asset Management | CM.L2-3.4.1, CM.L2-3.4.2 | §164.310(d)(1), §164.310(d)(2)(iii)
Risk Assessment | RM.L2-3.11.1, RA.L2-3.11.2 | §164.308(a)(1)(ii)(A)
Data Classification | MP.L2-3.8.1, MP.L2-3.8.2 | §164.312(a)(1)
Vulnerability Mgmt | RA.L2-3.11.2, SI.L2-3.14.1 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
Access Control | AC.L2-3.1.1, AC.L2-3.1.2 | §164.312(a)(1), §164.312(a)(2)(i)
Multi-Factor Auth | IA.L2-3.5.3 | §164.312(d)
Encryption | SC.L2-3.13.8, SC.L2-3.13.11 | §164.312(a)(2)(iv), §164.312(e)(2)(ii)
Data Protection | MP.L2-3.8.1, SC.L2-3.13.16 | §164.312(a)(2)(iv), §164.312(c)(1), §164.312(e)(1)
Backup & Recovery | RE.L2-3.8.9 | §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)
Privileged Access | AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.7 | §164.312(a)(1), §164.308(a)(3)(ii)(B)
Firewall / Net Seg | SC.L2-3.13.1, SC.L2-3.13.5, SC.L2-3.13.6 | §164.312(e)(1)
Endpoint Protection | SI.L2-3.14.2, SI.L2-3.14.4 | §164.308(a)(5)(ii)(B), §164.310(d)(1)
Patch Management | SI.L2-3.14.1 | §164.308(a)(1)(ii)(A), §164.308(a)(8)
Secure Config | CM.L2-3.4.1, CM.L2-3.4.2, CM.L2-3.4.6 | §164.310(d)(1), §164.312(a)(1)
Email Security | SI.L2-3.14.5 | §164.308(a)(5)(ii)(A), §164.312(e)(1)
Web Security | SC.L2-3.13.1 | §164.312(e)(1)
Zero Trust | AC.L2-3.1.1, SC.L2-3.13.1 | §164.312(a)(1)
Mobile Security | AC.L2-3.1.18, AC.L2-3.1.19 | §164.310(d)(1), §164.312(a)(1)
Cloud Security | SC.L2-3.13.1, AC.L2-3.1.1 | §164.308(b)(1), §164.314(a)(1)
WAF | SC.L2-3.13.1 | §164.312(e)(1)
DLP | MP.L2-3.8.3, SC.L2-3.13.16 | §164.312(a)(1), §164.312(e)(1)
Cont. Monitoring | SI.L2-3.14.6, SI.L2-3.14.7 | §164.312(b)
Logging & Audit | AU.L2-3.3.1, AU.L2-3.3.2 | §164.312(b), §164.308(a)(1)(ii)(D)
Intrusion Detection | SI.L2-3.14.6 | §164.308(a)(1)(ii)(D), §164.312(b)
Anomaly Detection | SI.L2-3.14.6, SI.L2-3.14.7 | §164.308(a)(1)(ii)(D)
SIEM / SOC | AU.L2-3.3.1, SI.L2-3.14.6 | §164.308(a)(1)(ii)(D), §164.312(b)
Incident Response | IR.L2-3.6.1, IR.L2-3.6.2 | §164.308(a)(6)(i), §164.308(a)(6)(ii)
Forensics | IR.L2-3.6.1 | §164.308(a)(6)(ii)
Communication | IR.L2-3.6.2 | §164.308(a)(6)(ii), §164.404(a)(1)
Mitigation | IR.L2-3.6.1 | §164.308(a)(6)(ii)
Reporting | IR.L2-3.6.2, IR.L2-3.6.3 | §164.308(a)(6)(ii), §164.404(a)(1), §164.408(a)
Recovery Planning | RE.L2-3.8.9 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(B)
Business Continuity | RE.L2-3.8.9 | §164.308(a)(7)(i), §164.308(a)(7)(ii)(C)
Lessons Learned | IR.L2-3.6.3 | §164.308(a)(8)
Comms & Restore | IR.L2-3.6.2 | §164.308(a)(7)(ii)(C)
Disaster Recovery | RE.L2-3.8.9 | §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B)
API Security | SC.L2-3.13.1, SA.L2-3.16.1 | §164.312(a)(1), §164.312(e)(1)
Insider Threat | AC.L2-3.1.1, AU.L2-3.3.1, PS.L2-3.9.2 | §164.308(a)(3)(ii)(A), §164.308(a)(4)

Only in CMMC (3 controls)

Controls covered by CMMC but not HIPAA: Threat Intelligence, Secure Development, DNS Security. Organizations using HIPAA should consider supplementing with these.

Only in HIPAA (3 controls)

Controls covered by HIPAA but not CMMC: Supply Chain Risk, Business Environment, Vendor Risk Mgmt. Organizations using CMMC should consider supplementing with these.

Summary: CMMC vs HIPAA

CMMC Level 2 and the HIPAA Security Rule share 43 of the 49 tracked controls. CMMC uniquely covers 3 controls that HIPAA does not: Threat Intelligence, Secure Development, and DNS Security. HIPAA uniquely covers 3 controls that CMMC does not: Supply Chain Risk, Business Environment, and Vendor Risk Mgmt. Together, the two frameworks cover all tracked controls. For comprehensive cybersecurity coverage, organizations often adopt both frameworks or supplement with other frameworks.
