Frequently Asked Questions

Can't find what you're looking for? Contact us directly.

Who are your services designed for?

We work with organizations that need to mature their cybersecurity posture but may not have the internal resources to do it alone. This includes mid-sized businesses, regulated industries, and leadership teams looking to demonstrate security accountability to boards, auditors, or customers.

What services does Nearest Solutions provide?

We offer a focused set of cybersecurity services: policy and procedure development and auditing, incident response tabletop exercises, vendor cybersecurity reviews, operational risk assessments, cyber liability insurance policy review, technical onboarding and offboarding efficiency, SOC 2 readiness and audit support (Type I, Type II 12-month, Type II 3-month accelerated, and Rescue), PCI DSS compliance readiness, HIPAA security audit, NCUA cybersecurity compliance, email security audit, and SEC 10-K cyber risk disclosure (Item 106 Regulation S-K). Each service is designed to align your IT operations with executive-level accountability.

What is a tabletop exercise and why does my organization need one?

A tabletop exercise is a facilitated, discussion-based session where your leadership and IT teams walk through a simulated cybersecurity incident. It identifies gaps in your response plan before a real incident occurs (without the pressure of an actual crisis). We conduct these annually to keep your team sharp and your plan current.

What does an operational risk assessment cover?

Our yearly operational risk assessments evaluate the people, processes, and technologies across your organization to identify vulnerabilities and prioritize remediation. You receive a clear, executive-ready report with actionable recommendations.

Why should we conduct quarterly vendor cybersecurity reviews?

Your vendors can be a significant source of risk. A breach in their environment can quickly become your problem. Quarterly reviews ensure your third-party relationships meet your security standards on an ongoing basis (not just at contract signing).

Technical Onboarding & Offboarding
What does the onboarding and offboarding service cover?

This service focuses on the two most critical employee transition points in your organization. For onboarding, we review how security policies are introduced and formally adopted by new employees. For offboarding, we assess whether your process fully revokes access, recovers devices, and closes every door when someone leaves. You receive updated procedures and checklists your team can follow consistently for every transition.

How does this service relate to policy and procedure development?

Think of it as a focused add-on. While the broader policy and procedure service establishes your organization's overall security governance framework, this service zooms in specifically on onboarding and offboarding (making sure those policies are actually lived at the moments when your organization is most vulnerable). It works best when your foundational policies are already in place.

Cyber Liability Insurance
What is a cyber liability insurance policy review?

A policy review is a structured analysis of your existing cyber liability insurance before your renewal date. We read your policy carefully (something most organizations don't have time to do) and identify coverage gaps, exclusions that could void a claim, and requirements your organization may not be meeting. You leave with a plain-language summary and a list of questions to bring to your broker.

Why should I review my policy before renewal?

Cyber liability policies have become significantly more complex in recent years. Insurers are adding exclusions, tightening control requirements, and changing coverage terms at renewal (often without clear explanation). Many organizations discover their coverage doesn't apply to a specific incident only after a claim is denied. A pre-renewal review costs far less than that outcome.

SOC 2 Compliance
What is a SOC 2 report and why does my organization need one?

A SOC 2 report is an independent audit that validates how your organization manages security, availability, and data confidentiality. It has become the de facto credential for doing business with enterprise customers, SaaS buyers, and regulated industries. Without one, you may find deals stalling, security questionnaires multiplying, or prospects walking away. With one, you have a third-party-verified answer to "how do we know you're secure?"

What is the difference between SOC 2 Type I and Type II?

A Type I report is a "point-in-time" assessment that validates your controls are designed correctly. It answers the question: "Are the right policies and processes in place?" A Type II report goes further (it validates that those controls operated effectively over a defined period, typically three months to one year). Enterprise buyers almost always require Type II because it proves your controls aren't just documented but are actually followed every day. Type I is often the right starting point if you have no SOC 2 history, while Type II is what you'll need to sustain ongoing trust.

What is a SOC 2 bridge letter?

A bridge letter is a professional document that covers the gap between when your last SOC 2 Type II audit period ended and today. If a prospective customer needs assurance but your report is six months old, a bridge letter (backed by a short-period Type II engagement) can close that gap and keep a deal moving. Our SOC 2 Type II (3-Month) Accelerated Coverage engagement is specifically designed for this scenario.

What is SOC 2 Rescue?

SOC 2 Rescue is a focused engagement for organizations whose audit has gone off the rails. If your audit is stalled, you have received unexpected findings, your auditor relationship has broken down, or you are facing a deadline you can no longer meet, Rescue is a structured intervention to diagnose what went wrong, stabilize your control environment, and get the audit back on track.

Regulatory Compliance
What does the NIST CSF 2.0 Alignment engagement deliver?

Our NIST CSF 2.0 Alignment engagement assesses your current security posture across all six CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, and Recover) and delivers findings scaled to your organization. Small businesses receive a gap report with prioritized findings suitable for sharing with cyber liability insurers and enterprise customers. Mid-market organizations receive a full strategy and roadmap with sequenced initiatives, resource estimates, and ownership assignments. Enterprise organizations receive GRC platform integration and board deck preparation. Monthly vCISO maintenance is available following the initial engagement to keep your program current.

What is CMMC Level 1 and what does the annual self-assessment require?

CMMC Level 1 applies to defense contractors handling Federal Contract Information (FCI) that is not CUI. It requires annual self-assessment against 17 basic safeguarding practices from FAR 52.204-21, covering access control, authentication, media protection, physical protection, network boundary controls, and malicious code protection. After the assessment, a senior company official must submit an affirmation to the Supplier Performance Risk System (SPRS). That affirmation carries False Claims Act exposure. Our CMMC Level 1 Readiness engagement audits all 17 practices against your actual implementation, collects supporting evidence, closes any gaps, and prepares your senior official for the affirmation.

What is CMMC and do I need to comply?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD requirement for defense contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC Level 2 requires assessment against all 110 security practices in NIST SP 800-171. Our CMMC Readiness engagement audits your controls against every NIST 800-171 requirement, collects and organizes the evidence a C3PAO assessor expects, and builds your System Security Plan (SSP) and Plan of Action and Milestones (POA&M). If your organization is party to a DoD contract involving CUI, CMMC requirements will apply to you as they phase into new contracts starting in 2025.

What does a NIST SP 800-53 assessment cover?

NIST SP 800-53 is the federal government's comprehensive security and privacy control catalog, mandatory for agencies under FISMA and required for FedRAMP cloud service authorization. Our NIST SP 800-53 Control Assessment covers control baseline selection based on your system's impact level (Low, Moderate, or High), full control assessment using the examination, interview, and testing methods in NIST SP 800-53A, evidence collection and organization, and production of the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M) required for an Authority to Operate (ATO) package.

What is NIST SP 800-161 and why does supply chain risk matter?

NIST SP 800-161 is the federal framework for cybersecurity supply chain risk management (C-SCRM). It applies to any organization that acquires technology from third-party suppliers and is required for FISMA compliance and Executive Order 14028. Supply chain compromises, including tampered hardware, backdoored software updates, and vulnerable components, have been behind some of the most consequential security incidents in recent years. Our NIST SP 800-161 Supply Chain Risk Assessment inventories your technology suppliers, risk-tiers them, assesses your practices against the 800-53 SR control family, and builds the policy, program documentation, and vendor controls that make supply chain risk management operational rather than theoretical.

What is PCI DSS and who needs to comply?

PCI DSS (Payment Card Industry Data Security Standard) applies to any organization that stores, processes, or transmits cardholder data. This includes merchants, payment processors, and service providers at every level. Our PCI DSS Compliance Readiness engagement helps you understand your merchant level, identify your applicable SAQ type, map your cardholder data environment, and close the gaps before your assessment.

What does your HIPAA Security Audit cover?

Our HIPAA Security Audit reviews your organization's compliance with the HIPAA Security Rule (administrative, physical, and technical safeguards), produces a documented security risk analysis, and identifies gaps with remediation priorities. The engagement also assesses readiness for the 2026 proposed Security Rule changes, which would eliminate the "addressable" vs. "required" distinction and make MFA, encryption, vulnerability scanning, network segmentation, and patch management timelines mandatory for all covered entities and business associates.

What is NCUA cybersecurity compliance and who does it apply to?

NCUA cybersecurity requirements apply to federally insured credit unions. The National Credit Union Administration uses its ACET (Automated Cybersecurity Evaluation Toolbox) framework to assess cybersecurity maturity during examinations. Our NCUA Cybersecurity Compliance engagement prepares your credit union for the examination by reviewing your controls against ACET domains and helping you document your maturity level before the examiner arrives.

What is the SEC 10-K Cyber Risk Disclosure service?

The SEC's Item 106 of Regulation S-K requires public companies to disclose their cybersecurity risk management processes, governance structure, and material incidents in their annual 10-K filings. Our SEC 10-K Cyber Risk Disclosure engagement helps you develop the risk treatment narrative, document board oversight, and describe management roles in a way that satisfies the requirement and holds up to scrutiny.

What does an email security audit cover?

Our Email Security Audit reviews your SPF, DKIM, and DMARC configurations along with email gateway controls and user awareness posture. Email remains the most common initial attack vector. A misconfigured DMARC policy or absent SPF record can allow attackers to spoof your domain and impersonate your organization to your own customers and partners.
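To make concrete what the SPF and DMARC part of such a review checks, here is an added example (not part of the original page and not Nearest Solutions' own tooling) that parses TXT records offline and flags the settings that leave a domain spoofable: a missing record, a permissive or softfail `all` mechanism, more than ten DNS-lookup mechanisms (which makes receivers discard the SPF record), a `p=none` DMARC policy, a partial `pct`, and no `rua` reporting address. The domain names and records are constructed samples, and `audit_domain` is a hypothetical helper; in practice it would be fed the TXT records returned by DNS lookups of the domain and of `_dmarc.<domain>`.

```python
"""Audit SPF and DMARC TXT records for the weak settings that let a domain
be spoofed. Records are parsed from strings so the example runs offline on
constructed samples; real use would feed it the TXT records from DNS."""
from typing import Dict, List

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS: Dict[str, str] = {
    "weak.example": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    "absent.example": "",  # neither SPF nor DMARC published
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> List[str]:
    """Return human-readable findings for one SPF TXT record."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell authorised senders from forgers"]

    # Count lookup-costing mechanisms (qualifier, argument and CIDR stripped).
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10: "
                        "receivers return permerror and ignore the record")

    # The 'all' mechanism decides what happens to every sender not listed.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
        elif qualifier == "~":
            findings.append("'~all' softfail: spoofed mail is flagged but usually still delivered")
        # '-all' (hard fail) is the intended setting and raises no finding
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value (RFC 7489 section 6.3)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Return human-readable findings for one DMARC TXT record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy to apply to SPF/DKIM failures"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none is monitoring only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


def audit_domain(domain: str, records: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit one domain from its SPF record and its _dmarc.<domain> record."""
    return {
        "spf": audit_spf(records.get(domain, "")),
        "dmarc": audit_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "absent.example"):
        print(name)
        for kind, items in audit_domain(name, SAMPLE_RECORDS).items():
            for finding in items or [f"{kind.upper()} OK"]:
                print(f"  [{kind}] {finding}")
```

The strong sample produces no findings; the weak one shows the two settings most often seen together in practice, a softfail SPF and a `p=none` DMARC, which together let forged mail through with at most a spam-score penalty. DKIM selectors are not covered here because verifying them requires the signing domain's published keys.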

How is pricing structured?

Pricing depends on the size of your organization and the scope of services. We offer both project-based and annual retainer arrangements. All engagements require a deposit before work begins: 50% for projects up to $20,000, 25% for projects above $20,000, and 75% for emergency engagements. All invoices are due within 15 days (Net 15) with a 1.5% monthly late fee on any past-due balance. If cancelled before kickoff, the deposit is refundable less a 10% administrative fee. Once work has commenced, all fees are generally non-refundable. Contact us for a proposal tailored to your needs.

How do I get started?

You have two options. You can send us a message through our Contact page, or skip straight to scheduling by using the Book a Discovery Call button found on any page. Either way, we'll have a brief conversation to understand your current posture and identify which services will deliver the most value for your organization.