Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Every audit turns up a few surprises. A missing patch here. A policy that was missing a few key processes. An employee training record that slipped through the cracks. Together all of these gaps tell a story: somewhere, a control isn’t doing what you expect. ‍ In GRC, we give those events names, issues, risks, and exceptions, and the way they connect is what separates a reactive program from a resilient one. ‍

As AI and automation increasingly become embedded into healthcare operations, securing these technologies becomes critical, especially for organizations managing protected health information (PHI), which are frequent targets for cybersecurity threats such as data breaches and unauthorized access. ‍ To safeguard this sensitive data, regulatory agencies like the U.S. Department of Health and Human Services (HHS) enforces strict cybersecurity and privacy regulations under HIPAA.

In today’s fast-moving digital economy, growth depends on strong, trusted relationships with vendors, suppliers, and partners. These third parties are often essential to modern business operations; however, they also open the door to a range of risks, from regulatory fines to operational slowdowns. Many organizations have already felt the impact of these risks becoming reality firsthand.

This past month, the Vanta team launched new features to help you: ‍

After years of drafts, revisions, and shifting timelines, the Cybersecurity Maturity Model Certification (CMMC) program is no longer just a concept. It's a contractual requirement, and enforcement begins soon. ‍ On September 9, 2025, the U.S. Department of Defense (DoD) released the final CMMC rule (48 CFR) for public inspection, with official publication in the Federal Register on September 10. From this point forward, all DoD contracts require some level of CMMC certification. ‍

As a startup, your early success and growth depend on earning buyer trust. But when you have limited levers to pull, like brand recognition, customer logos, and investor backing, proving trust often comes down to demonstrating a strong security posture. ‍ However, the bar for trust is rising—especially if you’re building with AI. Today’s discerning buyers expect more than a SOC 2 report.

In late March 2025, the General Services Administration (GSA) announced the first major overhaul to FedRAMP in over a decade, soft-launching a new, fast-track authorization path called FedRAMP 20x. ‍ In May 2025, we submitted our initial package for the pilot, quickly followed by a resubmission of our final package. We’re now excited to share that Vanta has officially achieved FedRAMP 20x Low Authorization and a listing on the FedRAMP Marketplace.

Healthcare organizations operate under an extension of regulations, HIPAA being amongst the top, leaving little room to prioritize voluntary frameworks like SOC 2. ‍ However, overlooking SOC 2 is a missed strategic opportunity as it offers structured, actionable security guidance that not only strengthens security and privacy posture but also facilitates HIPAA compliance. ‍ In this guide, you’ll learn why that’s the case and discover: ‍

Staying compliant has never been more complex or more critical. With evolving regulations, expanding tech stacks, and increasing third-party exposure, today’s security and compliance teams are under constant pressure to reduce risk while upholding trust. Understanding the latest trends is key to staying ahead. ‍ This roundup of security and compliance statistics brings together the most up-to-date data on regulatory readiness, breach impact, automation, vendor risk, and more.