The 60-second answer. HIPAA applies if you handle protected health information — medical practices, dental offices, behavioral health, billing companies, and anyone who is a business associate to those. CMMC 2.0 applies if you bid on or subcontract to Department of Defense contracts involving Federal Contract Information or Controlled Unclassified Information. SOC 2 is voluntary — pursue it when B2B customers start demanding evidence of your security controls. Most Hawaii SMBs need one of these, not all three.

Published · HI Tech Hui · ~8 min read

Why this question gets answered wrong

Two patterns keep showing up in our compliance conversations with Hawaii businesses. The first is “we should probably do CMMC just to be safe” from a company that has never bid on a DoD contract and never will. The second is “our IT vendor said we need SOC 2” from a 12-person services firm whose customers have not asked for it once. Both end with money spent on the wrong framework. The fix is to start from the data, not the framework.

The decision tree, in order

Walk through these questions in sequence. The first “yes” tells you what you must do. Subsequent questions tell you what is optional but valuable.

  1. Are you a HIPAA covered entity (a healthcare provider, health plan, or clearinghouse), or do you create, receive, maintain, or transmit protected health information (PHI) on behalf of one?  →  HIPAA Security Rule applies. Not optional. This is federal law and applies today, regardless of what happens with the 2026 update.
  2. Do you hold or pursue DoD contracts that touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?  →  CMMC applies. Level 1 self-assessment for FCI-only work; Level 2 for CUI, which for most CUI contracts means a C3PAO certification assessment (a Level 2 self-assessment only where the solicitation allows it). A small set of high-priority programs require Level 3, assessed by DoD’s DIBCAC.
  3. Do enterprise B2B customers require evidence of your security controls before signing?  →  SOC 2 is the report they want. ISO 27001 is the international analogue (a certification against a management-system standard rather than an attestation report); HITRUST CSF is the healthcare-focused alternative.
  4. Do you accept card payments?  →  PCI DSS applies, scoped to your card-handling footprint. Most Hawaii SMBs shrink that footprint by routing payments through a hosted processor so card data never touches their own systems, which typically qualifies them for a short self-assessment questionnaire rather than a full assessment.

That is it. If you answered “no” to all four, you do not have a regulatory or contractual compliance obligation today — but you still have a security obligation. That is what the NIST Cybersecurity Framework is for, and it is the foundation every other framework builds on.

HIPAA: what is changing in 2026

HHS published a Notice of Proposed Rulemaking in January 2025 proposing the most significant HIPAA Security Rule overhaul in over two decades. The agency’s regulatory agenda targeted May 2026 for finalization, though current industry reporting indicates that date is likely to slip as HHS works through more than 4,700 public comments (Priverion, May 2026). The agency has not confirmed when — or whether — the rule will be finalized in its proposed form.

What changes if it is finalized as proposed:

  • End of the “addressable” vs “required” distinction. All implementation specifications become required, with narrow exceptions, eliminating the flexibility covered entities and business associates have leaned on for two decades.
  • Mandated technical controls. Multi-factor authentication, encryption of ePHI at rest and in transit, vulnerability scanning at least every six months, annual penetration testing, a technology asset inventory and network map, and a plan to restore critical systems and data within 72 hours become explicit requirements.
  • 240-day total compliance window. 60 days from Federal Register publication to effective date, then 180 days for substantive provisions. Business-associate agreement updates get an extra 60 days.
  • Estimated industry cost: $9 billion in year one. HHS’s own analysis; small practices will see thousands to low-tens-of-thousands in first-year compliance work.

For Hawaii medical practices, dental offices, and behavioral-health providers: do not wait for the final rule to start. The proposed controls are the security controls a reasonable HIPAA-covered entity should already have. Start the gap analysis now; the 240-day clock will be short if you wait for the rule to publish.

CMMC 2.0: where the rollout sits in 2026

CMMC’s DFARS implementation rule, which adds clause DFARS 252.204-7021 to covered solicitations, took effect November 10, 2025. We are currently in Phase 1, which runs through November 9, 2026. In Phase 1, applicable solicitations require a Level 1 or Level 2 self-assessment as a condition of award, and DoD has discretion to require a Level 2 C3PAO certification in specific solicitations ahead of schedule (Defense Compliance Report, May 2026).

The transition that matters: Phase 2 begins November 10, 2026. From that date, a Level 2 C3PAO certification assessment becomes the default for DoD contracts involving CUI. A Level 2 self-assessment alone will no longer be sufficient for most CUI contracts (CMMC Gap, May 2026).

The bottleneck nobody warns small contractors about: C3PAOs are currently booking assessments 6 to 9 months out, and industry analysis projects wait times will exceed 18 months by Q3 2026 as the contractor rush hits. If you are a Hawaii business with a DoD contract that will touch CUI in 2027 or 2028, the time to schedule a C3PAO is now — not after Phase 2 starts.

Realistic cost and timeline for a small Hawaii defense contractor pursuing Level 2:

  • Level 1 self-assessment. $15,000 to $40,000 in first-year internal labor to implement and document the 15 basic safeguarding requirements of FAR 52.204-21, enter the result in SPRS, and remediate gaps. POA&Ms are not permitted at Level 1, so every requirement must be fully met before your senior official affirms.
  • Level 2 C3PAO certification. $75,000 to $250,000 in year one for a small contractor, covering CUI enclave design, Microsoft 365 GCC High or AWS GovCloud licensing, assessment against all 110 NIST SP 800-171 requirements, C3PAO assessment fees, and remediation. A conditional certification with a limited POA&M is possible, but the open items must be closed within 180 days. Typical engagement: 6 to 18 months from kickoff to a defensible posture.
  • Ongoing. Annual affirmation by a senior official in SPRS; a Level 2 certification is valid for three years, after which a reassessment is required.

SOC 2: when it is the right answer

SOC 2 is the framework people most often pursue when they do not need to. It is voluntary, market-driven, and only meaningful in contexts where a customer is going to read the report. The honest tests:

  • Sales-cycle signal. Have at least two prospective customers asked for a SOC 2 report in the last 12 months? If yes, the framework is paying its own way.
  • Business model. Do you sell B2B software, managed services, or data processing where you hold customer data? If yes, SOC 2 is becoming table stakes.
  • Specific contract. Is a named contract over a meaningful dollar value contingent on a SOC 2 report? If yes, sequence the audit timeline to the contract close date.

If you cannot answer yes to one of those, SOC 2 is probably premature. Build the underlying security program first — the same controls a SOC 2 audit eventually tests — and pursue the audit when there is a customer-driven reason.

2026 cost ranges from industry surveys, scaled for a Hawaii SMB:

  • Readiness assessment (1 to 3 months). $5,000 to $15,000.
  • Type 1 audit (point-in-time). $10,000 to $30,000 in auditor fees.
  • Type 2 audit (3 to 12 month observation period). $15,000 to $45,000 in auditor fees for a small business with a narrow scope.
  • Compliance platform (Drata, Vanta, Secureframe, similar). $7,500 to $25,000 per year.
  • Full first-year program (small Hawaii SMB). $30,000 to $80,000 once you add penetration testing and internal time.

The total cost surprises most owners; the audit invoice is typically only 40 to 60 percent of the spend. Source: SOC 2 Auditors 2026 cost survey.

What overlaps — and what does not

The three frameworks share more underlying controls than the marketing suggests. Multi-factor authentication, access reviews, logging, encryption, incident response, vendor management, and risk assessments appear in all three. The work is mapping your control set once and then producing the framework-specific artifacts for each audit.

Where they diverge:

  • Scope of data covered. HIPAA = PHI; CMMC = FCI/CUI; SOC 2 = the system and services you put in scope, evaluated against the Trust Services Criteria you select (Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional).
  • Who decides you have passed. HIPAA = nobody certifies you; HHS Office for Civil Rights enforces after a complaint, breach report, or audit; CMMC = your own senior official for self-assessments (Level 1, and Level 2 where permitted), a C3PAO for Level 2 certification; SOC 2 = a licensed CPA firm issues the opinion, and each customer decides whether the report satisfies them.
  • What “done” looks like. HIPAA has no certificate: you maintain your risk analysis and documentation and respond to enforcement; CMMC produces a certification status recorded in SPRS for a defined validity period; SOC 2 produces a report you give to customers, typically refreshed every year.

This is the framework underlying the same point we made in our CISA KEV SMB patching SLA post — one good control set, multiple uses. The leverage is in not building the program three times.

The pragmatic Hawaii SMB sequence

For a Hawaii business with no current compliance obligation but recognition that good security is a market requirement, the right order is:

  1. NIST CSF baseline first. Six months, modest budget, gets you to a defensible written security program. Same baseline that supports our managed IT provider scope recommendations.
  2. Cyber insurance posture next. The controls insurers now require for renewal — MFA, EDR, immutable backups, tested IR plan — map directly to all three frameworks. We wrote about this in cyber insurance and the one missing thing.
  3. Targeted compliance only when triggered. When a customer asks, a contract requires it, or you take on regulated data, pursue the specific framework that matches.
  4. Layer, do not stack. The next framework should reuse 70 to 80 percent of the prior framework’s controls. If your second audit feels like a fresh start, scope and tooling were probably wrong.

FAQ for owners

We’re a Hawaii law firm. Do we need any of these?

Not by federal law, unless you handle PHI on behalf of a healthcare client (HIPAA business associate) or a DoD client (CMMC subcontractor). What you do have: state bar ethics rules on client confidentiality, plus practical exposure to ransomware and data theft. NIST CSF and cyber-insurance posture are the right targets. The same baseline controls a SOC 2 audit eventually tests are what an insurer’s renewal questionnaire is going to ask about, which is why we framed it as a single security program in our three critical cybersecurity protections every business must have piece.

What if we’re a Hawaii business associate to a mainland covered entity?

You are subject to the HIPAA Security Rule the same way as the covered entity. Your business-associate agreement (BAA) likely flows down the same controls. The 2026 update, if finalized, will require BAA renegotiation within an additional 60 days beyond the main compliance window. Have the BAA template ready; do not wait for the rule to publish.

Need help figuring out which compliance framework actually applies to your Hawaii business — or want a single control program that satisfies more than one? HI Tech Hui provides managed IT, cybersecurity, and compliance program support for Hawaii businesses. Contact us for a framework-fit assessment.

Ready when you are

Let’s scope your IT & security plan.

Talk with a Honolulu-based engineer about managed IT, cybersecurity, or a 24/7 SOC handoff. We’ll review your current environment, identify the highest-impact gaps, and outline a clear next step — with no obligation.

HI Tech Hui team