Skip to main content
Back to ResourcesCompliance

HIPAA, CMMC, PCI-DSS: A Plain-English Guide to IT Compliance

Spencer Heath
February 18, 20262 min read
Share

Compliance frameworks can feel like alphabet soup, but underneath the acronyms, most of them are asking for the same basic things: know what data you have, control who can access it, and be able to prove it. Here's a plain-English breakdown of three of the most common frameworks SMBs run into.

HIPAA — healthcare data

If you handle protected health information (PHI) — even indirectly, as a business associate — HIPAA applies to you. At the IT level, this means access controls, encryption of PHI at rest and in transit, audit logging, and a documented risk assessment.

  • Access controls tied to individual users, not shared logins
  • Encryption for PHI in storage and in transit
  • Regular, documented risk assessments
  • Breach notification procedures

CMMC — defense contractors

The Cybersecurity Maturity Model Certification applies to businesses in the Department of Defense supply chain. It's built on NIST 800-171 and requires documented security controls across a wide range of domains, from access control to incident response.

  • Formal system security plan (SSP)
  • Multi-factor authentication on all access
  • Incident response plan and testing
  • Controlled unclassified information (CUI) handling procedures

PCI-DSS — payment card data

If you store, process, or transmit credit card data, PCI-DSS applies. The core idea is to minimize where card data lives and lock down everything around it — network segmentation, vulnerability scanning, and strict access control.

  • Network segmentation around cardholder data
  • Regular vulnerability scanning
  • Strong access control and unique credentials
  • Logging and monitoring of access to cardholder data

The common thread

Every framework above comes back to the same fundamentals: know your data, control access, monitor activity, and document everything. Build IT operations around those fundamentals and most compliance work becomes a documentation exercise, not a scramble.

Where Crossguard fits in

Our Command tier builds compliance alignment directly into how we manage your environment — gap assessments, policy development, and audit-ready documentation, without hiring a separate compliance consultant.

Ready to put this into practice?

Get a free IT risk assessment and see exactly where your business stands today.