CMMC Maintenance Requirements: 2025 Updates for Healthcare
Post Summary
The 2025 updates to the Cybersecurity Maturity Model Certification (CMMC) bring mandatory compliance for healthcare organizations working with the Department of Defense (DoD).
Here’s what you need to know:
- CMMC Levels:
- Level 1: Basic cybersecurity for Federal Contract Information (FCI).
- Level 2: Advanced controls for Controlled Unclassified Information (CUI) with 110 NIST SP 800-171 requirements.
- Level 3: Government-led assessments for highly sensitive data, adding 24 controls from NIST SP 800-172.
- Key Changes:
- Most Level 2 certifications now require an assessment by a Certified Third-Party Assessor Organization (C3PAO); Level 3 is assessed by the DoD's own DIBCAC.
- The required CMMC status must be recorded in SPRS before contract award. A conditional Level 2 status with an approved POA&M counts, but only while the POA&M is closed out within 180 days.
- Non-compliance risks include disqualification and legal penalties under the False Claims Act.
- Timeline:
- The CMMC Program rule (32 CFR Part 170) took effect on Dec 16, 2024.
- The DFARS acquisition rule (48 CFR) took effect on Nov 10, 2025; from that date (Phase 1) CMMC requirements began appearing in contracts.
- Full implementation (Phase 4) is set for Nov 10, 2028.
Action Steps for Healthcare Providers:
- Conduct a gap analysis against NIST SP 800-171 immediately.
- Begin preparations for third-party assessments (readiness work typically takes 12–18 months).
- Use automation tools for risk management and compliance monitoring.
- Ensure subcontractors handling CUI also meet CMMC standards.
Delays in certification can lead to missed contracts and financial penalties. Start early to stay compliant and secure your place in the DoD supply chain.
CMMC Certification Levels for Healthcare Organizations
The CMMC (Cybersecurity Maturity Model Certification) levels are tailored to the type of DoD-related data a healthcare organization handles. Understanding your organization's contracts and the sensitivity of the data involved is key to determining the appropriate level. Here's a breakdown of the controls, assessments, and costs tied to each level.
Level 1: Basic Cybersecurity Controls
Level 1 applies to organizations managing only Federal Contract Information (FCI). This includes basic contractual details that don’t involve sensitive patient or research data. It requires implementing 15 cybersecurity practices outlined in FAR 52.204-21 [4][5]. Think of services like custodial or maintenance work for DoD facilities.
The assessment process involves an annual self-assessment, with results submitted to the Supplier Performance Risk System (SPRS). At this level, organizations must meet all controls upfront - Plans of Action and Milestones (POA&Ms) are not permitted. Compliance costs are typically a few thousand dollars, and about 63% of the Defense Industrial Base is expected to fall under this category [8].
For organizations handling Controlled Unclassified Information (CUI), Level 2 requirements come into play.
Level 2: Advanced Controls for CUI Protection
Level 2 is aimed at organizations dealing with CUI, such as health IT providers, medical device manufacturers, clinical research institutions, and managed service providers supporting electronic health record systems. Compliance requires implementing 110 controls from NIST SP 800-171 Rev. 2 [3][4][5].
Most organizations (98%) handling CUI must undergo triennial third-party assessments by a Certified Third-Party Assessor Organization (C3PAO), with costs ranging between $50,000 and $80,000. Only 2% of organizations qualify for self-assessment [8]. Unlike Level 1, a conditional certification with a POA&M is allowed, but only if the SPRS score is at least 88 out of 110 (80%) and no open requirement carries more than one point under the DoD Assessment Methodology (the rule lists a few specific exceptions). Organizations then have 180 days to close every POA&M item and pass a closeout assessment, or the conditional status lapses [1].
Travis Goldbach, Global Head of CMMC at AWS, shared his experience:
"Working with Coalfire Federal for our CMMC Level 2 assessment was a thorough and professional experience from start to finish. Their assessment team demonstrated deep expertise in both the technical requirements and the practical implementation of CMMC controls." [3]
Preparation for Level 2 can take 12–18 months. Healthcare organizations should start early, as about 35% of contractors are expected to complete their C3PAO certification by November 2026 [8].
Level 3: Government-Led Assessments for Sensitive Data
Level 3 is reserved for organizations managing highly sensitive CUI tied to mission-critical programs, specialized technologies, or advanced research that could attract sophisticated cyber threats. This level builds on the 110 Level 2 controls and adds 24 more from NIST SP 800-172 [4][5][6][8].
Assessments for Level 3 are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, and a Final Level 2 certification from a C3PAO is a prerequisite. These evaluations often require substantial security investments, with costs exceeding six figures annually [7].
| CMMC Level | Controls Required | Assessment Type | Healthcare Application | Estimated Cost |
|---|---|---|---|---|
| Level 1 | 15 practices (FAR 52.204-21) | Annual Self-Assessment | Basic providers handling only FCI | A few thousand dollars |
| Level 2 | 110 controls (NIST SP 800-171) | Triennial C3PAO or Self | Health IT, device makers, research labs | $50,000–$80,000 |
| Level 3 | 110 + 24 controls (NIST SP 800-172) | Triennial Government (DIBCAC) | High-sensitivity or advanced research | Six figures+ annually |
It’s important to note that CMMC requirements extend to subcontractors. For example, if you’re a Level 2 prime contractor, any subcontractors handling CUI - such as telehealth vendors or cloud-based EHR providers - must also meet Level 2 standards. Additionally, all documentation related to CMMC compliance must be retained for six years after certification [1].
How to Maintain CMMC Certification and Stay Compliant
Staying compliant with CMMC certification requires more than just passing an initial assessment - it’s about maintaining vigilance through ongoing monitoring, detailed documentation, and efficient processes. The 2025 updates emphasize a shift from one-time certifications to continuous compliance, making automation and structured workflows key to long-term cybersecurity success.
Using Automation for Configuration Management
Automation can take a lot of the manual labor out of maintaining compliance. Tools designed for tasks like patch management and system audits help ensure your infrastructure remains secure without constant human oversight. For example, automated patch management ensures that security updates are consistently applied across all software and operating systems, reducing the risk of unpatched vulnerabilities lingering in your systems [2]. This frees up your team to tackle more strategic priorities.
In addition, scheduling regular audits and implementing change management protocols can help you quickly identify and document system modifications [2]. Keeping thorough records of these changes not only supports compliance but also demonstrates your commitment to maintaining robust security controls.
By integrating automation into your processes, you can also improve how you manage risks across vendor relationships, creating a more resilient and efficient approach to cybersecurity.
Managing Cybersecurity Risks with Censinet RiskOps™

For healthcare organizations, managing vendor assessments at scale is a major challenge. Emory Healthcare faced this issue when manual processes caused vendor assessments to take over 60 days. Under the leadership of Jigar Kadakia, VP & CISO at Emory Healthcare, the organization adopted Censinet RiskOps™ and transitioned to a streamlined network model with 1-Click Assessments™ [9].
Kadakia shared:
"We have done more assessments in a shorter amount of time with existing staff, and have much more time to do the actual analysis, identify risk, and really work with the vendor on remediation." [9]
The platform simplifies risk management by using standardized questionnaires and automated corrective action plans to evaluate and score risks across third-party products. Its dashboard provides insights into portfolio risks and benchmarks performance against the NIST CSF framework [9]. This efficient approach not only supports CMMC maintenance but also strengthens risk workflows, making external evaluations smoother [9].
Automating risk management processes doesn’t just save time - it also reinforces your compliance efforts during assessments.
Getting Ready for Third-Party Assessments
Scheduling a C3PAO and assembling evidence should begin at least six months before the target assessment date (the underlying remediation work typically takes 12–18 months, as noted above). Centralizing all vendor documentation and maintenance logs in one place can make audits faster and more efficient [9]. Access to maintenance capabilities should be limited to authorized personnel, such as IT administrators, to minimize the risk of unauthorized changes [2].
Clear communication with vendors is also essential. Share guidelines outlining your CMMC maintenance requirements and compliance expectations [2]. Additionally, create incident response plans to address potential security issues that could arise during maintenance activities [2].
Benchmarking your cybersecurity maturity against similar organizations using frameworks like NIST CSF can help you identify areas to prioritize for improvement [9]. Engaging with C3PAOs early in the process can provide valuable feedback on your practices, helping you address any gaps before the formal assessment [2].
CMMC Implementation Timeline Starting in 2025
CMMC Implementation Timeline for Healthcare Organizations 2024-2028
On November 10, 2025, the DFARS acquisition rule took effect, turning the CMMC program rule (32 CFR Part 170, in force since December 16, 2024) into a mandatory contractual obligation for healthcare organizations working with the Department of Defense (DoD) [10]. The rollout runs in phases: three annual phases from November 2025 that progressively add assessment requirements, then full implementation (Phase 4) on November 10, 2028 [10]. This phased implementation impacts roughly 338,000 contractors and subcontractors, including healthcare providers and vendors managing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) [10]. Successfully navigating these phases is crucial for maintaining contract eligibility.
Phase 1: Self-Assessments Begin in Late 2025
Starting November 10, 2025, healthcare organizations must complete self-assessments for CMMC Level 1 or Level 2 to qualify for relevant contracts [12]. Approximately 210,000 contractors will fall under Level 1 requirements, while 118,000 will need Level 2 certification [10]. Organizations must upload their assessment scores to the Supplier Performance Risk System (SPRS) prior to contract awards, with a senior official affirming continued compliance annually. Failing to maintain accurate SPRS profiles results in immediate disqualification [14].
Chad Koslow, CEO of Ridge IT Cyber, highlighted the urgency of preparation:
"We're witnessing a compliance crisis in real-time. Only 200 defense contractors have completed C3PAO assessments while 80,000 need CMMC Level 2 certification... contractors who aren't actively pursuing certification today are effectively choosing to exit the defense industrial base by 2026." [14]
For contractors seeking a conditional Level 2 certification with a Plan of Action and Milestones (POA&M), the SPRS score must be at least 88 out of 110 (80%), and the POA&M may not hold any requirement weighted above one point (a few named exceptions aside) [11].
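The scoring rule behind that threshold, and the POA&M eligibility test described in the Level 2 section above, worked through as an added example (this is not code from the original page or from DoD): under the DoD Assessment Methodology each of the 110 NIST SP 800-171 requirements is worth 5, 3 or 1 points, the score starts at 110, and every requirement that is not fully implemented subtracts its weight. A POA&M is permitted only when the score is at least 88 and nothing heavier than a 1-point requirement is left open; the rule's small set of carve-outs is deliberately not modelled. The requirement identifiers and weights in the sample scenarios are constructed for illustration and should be checked against Annex A of the Assessment Methodology before being relied on.

```python
"""CMMC Level 2 SPRS scoring and POA&M eligibility, as a worked example.

Scoring starts at 110 and every requirement that is not fully implemented
subtracts its point value (5, 3 or 1). A conditional Level 2 status with a
POA&M is allowed only when the score is at least 88 (80% of 110) and no
open requirement is weighted above 1 point. The rule's few named
exceptions are not modelled here.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110        # NIST SP 800-171 Rev. 2 security requirements
MIN_SCORE_FOR_POAM = 88         # 80% of 110; below this no conditional status
ALLOWED_WEIGHTS = {1, 3, 5}     # point values used by the Assessment Methodology
MAX_OPEN_WEIGHT_ON_POAM = 1     # heavier open requirements block a POA&M


@dataclass(frozen=True)
class Level2Result:
    score: int
    status: str           # "final", "conditional" or "not eligible"
    reason: str
    blocking: tuple       # open requirements too heavy to sit on a POA&M


def sprs_score(open_requirements):
    """Return the SPRS score for a dict {requirement id: weight} listing every
    requirement that is NOT fully implemented; ids not listed count as met."""
    if len(open_requirements) > TOTAL_REQUIREMENTS:
        raise ValueError("more open requirements than exist in NIST SP 800-171")
    for ident, weight in open_requirements.items():
        if weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{ident}: weight {weight} is not 1, 3 or 5")
    return TOTAL_REQUIREMENTS - sum(open_requirements.values())


def assess_level2(open_requirements):
    """Apply the conditional-certification rule to a set of open requirements."""
    score = sprs_score(open_requirements)
    if not open_requirements:
        return Level2Result(score, "final", "all 110 requirements implemented", ())
    blocking = tuple(sorted(
        ident for ident, weight in open_requirements.items()
        if weight > MAX_OPEN_WEIGHT_ON_POAM))
    if score < MIN_SCORE_FOR_POAM:
        return Level2Result(score, "not eligible",
                            f"score {score} is below the {MIN_SCORE_FOR_POAM} minimum",
                            blocking)
    if blocking:
        return Level2Result(score, "not eligible",
                            "open requirements weighted above 1 point cannot go on a POA&M",
                            blocking)
    return Level2Result(score, "conditional",
                        "POA&M permitted; every item must be closed within 180 days", ())


if __name__ == "__main__":
    # Constructed scenarios: identifiers follow NIST SP 800-171 Rev. 2 numbering,
    # and the weights are illustrative, not a substitute for Annex A.
    scenarios = {
        "clean":          {},
        "minor gaps":     {"3.3.3": 1, "3.1.22": 1},        # audit review, public info
        "heavy gaps":     {"3.5.3": 5, "3.13.11": 5},       # MFA, FIPS-validated crypto
        "23 small gaps":  {f"x.{i}": 1 for i in range(23)},  # one point short of 88
    }
    for name, open_reqs in scenarios.items():
        r = assess_level2(open_reqs)
        tail = f" (blocking: {', '.join(r.blocking)})" if r.blocking else ""
        print(f"{name:14s} score={r.score:4d} {r.status:13s} {r.reason}{tail}")
```

The third scenario is the one that surprises people: a score of 100 looks comfortable, but two open 5-point requirements still rule out a conditional certification, while 22 open 1-point items at a score of exactly 88 do not.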
Full Enforcement Expected by 2028
After the initial self-assessment phase, the requirements intensify. From November 10, 2026 (Phase 2), a C3PAO assessment becomes mandatory wherever a Level 2 certification is specified in the contract [12][14]. Phase 3 (from November 10, 2027) adds Level 3 DIBCAC assessment requirements for the most sensitive contracts, impacting approximately 3,400 organizations [10]. Phase 4 begins November 10, 2028, when CMMC requirements apply to all applicable DoD solicitations and contracts [12].
Achieving Level 2 certification typically takes 12 to 18 months, starting with a gap assessment and culminating in a successful evaluation. Current wait times for C3PAO assessments range from 3 to 6 months due to limited assessor availability. Additionally, compliance records must be maintained for six years post-certification [11][13][14]. Immediate gap assessments against NIST SP 800-171 are strongly recommended to allow time for remediation before third-party assessments become mandatory. This timeline underscores the need for proactive cybersecurity measures in the healthcare sector.
Conclusion: Preparing for 2025 CMMC Changes in Healthcare
The CMMC Program rule took effect on December 16, 2024, and its companion DFARS rule began placing CMMC requirements in Department of Defense (DoD) contracts in November 2025. With roughly 80,000 companies needing Level 2 certification and assessment wait times ranging from 3 to 6 months, acting early isn't just smart - it's necessary for staying competitive [15].
Healthcare organizations, in particular, must prioritize completing gap assessments and addressing POA&M (Plan of Action and Milestones) items without delay. The risks of non-compliance are steep. For example, in 2024, a DoD contractor faced a $4.6 million False Claims Act settlement and a 12-month federal work ban for falsely claiming compliance with NIST SP 800-171 [16].
Maintaining compliance is not a one-and-done effort. It requires ongoing monitoring, regular assessments, and reassessments every three years to ensure organizations stay on track.
To streamline this process, automated platforms are becoming essential tools. Solutions like Censinet RiskOps™ simplify the complexity of compliance by automating risk assessments for third-party vendors, enterprise systems, patient data, PHI, clinical applications, and medical devices. These platforms align closely with CMMC requirements for configuration management and continuous monitoring, allowing healthcare teams to focus on regulatory obligations and patient care without disrupting daily operations.
Looking ahead, proactive preparation is the best strategy for ensuring long-term compliance. With the rollout extending through 2028, healthcare organizations should immediately conduct a gap analysis, establish a clear compliance roadmap, and prepare with mock audits. These steps will safeguard sensitive data and keep patient care running smoothly.
FAQs
How do I know if my organization needs CMMC Level 1, 2, or 3?
To figure out which CMMC level you need, start by assessing your cybersecurity measures and the kind of data your organization deals with. If your work involves Federal Contract Information (FCI), you'll likely fall under Level 1. However, if you handle Controlled Unclassified Information (CUI) or are involved in defense-related contracts, you may need to meet the requirements for Level 2 or even Level 3. The level you aim for depends on your contractual responsibilities and how sensitive the data is.
What qualifies as CUI in healthcare DoD work?
In healthcare-related Department of Defense (DoD) work, Controlled Unclassified Information (CUI) includes sensitive but unclassified data that must be protected under the CMMC framework. Examples of such data include military research, TRICARE claims, and VA contracts. Protecting this information requires implementing specific cybersecurity measures to ensure compliance and to secure critical healthcare and defense-related data.
How can we maintain CMMC compliance year-round?
To ensure compliance with CMMC standards throughout the year, it's crucial to adopt a proactive approach that includes continuous monitoring, regular assessments, and detailed documentation. Here's how you can stay on track:
- System Audits: Regularly audit your systems to identify and address potential issues.
- Vulnerability Scans: Perform these scans every six months to uncover and fix weaknesses before they become problems.
- Annual Penetration Testing: Test your defenses annually to simulate real-world attacks and identify gaps in your security.
Automating tasks like patch management can save time and reduce errors, while maintaining thorough maintenance records ensures you're always prepared for reviews. Tools like Censinet RiskOps™ can simplify vendor risk assessments and streamline evidence collection, helping you stay ahead of evolving cybersecurity requirements.
