Compliance

Businesses are required to comply with many kinds of government regulations and other rules. In many cases, it is not enough simply to follow the requirements. If your business is ever audited for compliance, the auditors will expect policies, procedures and other documentation that demonstrate you are following the requirements. Not being prepared for an audit can have significant consequences for your business.

I have significant experience in compliance with many different types of regulations including the following:

  • NIST SP 800-171: Cybersecurity requirements for protecting Controlled Unclassified Information (CUI) on nonfederal systems. They apply to any business that handles unclassified but sensitive information for the US Department of Defense.
  • CMMC (Cybersecurity Maturity Model Certification): An evolving DoD program that will require contractors across the Department of Defense supply chain to have their cybersecurity practices assessed and certified.
  • NISPOM (National Industrial Security Program Operating Manual): Security regulation that applies to cleared contractors who have access to classified information.
  • FAR (Federal Acquisition Regulation): Acquisition regulation that applies to any business that performs contracts for the Federal Government.
  • HIPAA (Health Insurance Portability and Accountability Act): Federal law governing the protection of health information. The bulk of my experience was with the information technology requirements related to HIPAA.

Compliance projects typically start with a gap analysis: a detailed review of each requirement against the business's current practices to determine where it is and is not in compliance. Next, a remediation plan is developed to bring the business into compliance in any area that is not fully compliant. Lastly, policies and procedures are written or updated as required, so that the business can show auditors documentation that each requirement is being met.

See below for some relevant examples of my work:

CMMC Compliance Strategy
Acceptable Use Policy Template