May 29, 2026
Accounting firm cybersecurity, IRS Pub 4557 and the FTC Safeguards Rule
What the IRS expects in a Written Information Security Plan, the nine elements the revised FTC Safeguards Rule actually requires and how the new 30-day breach notification rule changed the operational picture for tax preparers and accounting firms.
May 28, 2026
HIPAA breach notification, the 60-day clock and what trips it
When the 60-day breach notification clock actually starts under the HIPAA Breach Notification Rule, the four-factor Risk of Compromise analysis and the timing failures that turn an incident into an OCR enforcement action.
May 27, 2026
HIPAA risk analysis vs risk assessment, what OCR actually scores
Why HHS Office for Civil Rights settlements keep citing the same Security Rule risk analysis failure, and how the formal risk analysis differs from the general risk assessments most practices think satisfy it.
May 26, 2026
POA&M for NIST 800-171, anatomy of a defensible plan of action
What a Plan of Action and Milestones actually contains, why assessors read it before the System Security Plan and how to build one that holds up under prime contractor and DoD review.
May 25, 2026
SPRS score, what the number means and how to move it
How the DoD Supplier Performance Risk System scores NIST 800-171 compliance, why most sub-contractors come in negative the first time and how to sequence the work to climb.
May 23, 2026
FCI vs CUI: the inventory question every sub-contractor avoids
What the distinction between Federal Contract Information and Controlled Unclassified Information means in practice, and why getting the inventory right determines whether you owe 15 controls or 110.
May 21, 2026
Bakery customer audit deep dive: when the branded customer sends a 60-question security review
How small and mid-market bakeries answer a 60-question supplier security audit from a branded national customer without missing the renewal window.
May 19, 2026
Peanut and nut processing cybersecurity: FSMA, food defense and allergen segregation
Cybersecurity for peanut, tree nut and seed processors operating under FDA FSMA: allergen segregation system integrity, food defense plan IT alignment and customer-audit readiness.
May 16, 2026
Meat and poultry processing cybersecurity under USDA FSIS
Cybersecurity for meat and poultry processors operating under USDA FSIS continuous inspection: OT segmentation, FSIS reporting, recall posture and customer-audit readiness.
May 14, 2026
Dairy processing cybersecurity: OT, cold chain and USDA reporting
What dairy processors should expect from a cybersecurity program: OT segmentation, cold-chain monitoring resilience, USDA FSIS reporting and customer-audit readiness.
May 5, 2026
When the customer security audit visit lands, a manufacturer's prep playbook
What changes when an enterprise customer's security team books an on-site or remote audit visit at a mid-market manufacturer, and how to be ready before the calendar invite arrives.
May 5, 2026
Walking through a customer security questionnaire, section by section
What enterprise customers are actually measuring when they send a vendor security questionnaire, and how to answer each section without overpromising or underselling.
April 20, 2026
Medical practice IT, HIPAA safeguards in 60 to 90 days
A practical 60 to 90 day plan for medical practices to bring HIPAA Security Rule safeguards to a defensible baseline, from risk analysis to access controls to incident response.
April 20, 2026
Security marketing vs. security evidence
Why enterprise buyers, auditors and cyber insurance underwriters discount marketing language in security questionnaires, and what audit-grade evidence actually looks like.
April 20, 2026
How to build a cybersecurity program document your customers accept
The contents, structure and maintenance cadence for a cybersecurity program document that holds up to customer audits, cyber insurance renewals and SOC 2 readiness assessments.
April 20, 2026
Cybersecurity for community banks and credit unions, the examiner's list
What FDIC, OCC, NCUA and state examiners actually look at when they review a community bank or credit union's cybersecurity posture, and what a credible program looks like at the mid-market asset level.
April 20, 2026
CIS Controls v8, the practical prioritization most MSPs skip
A working guide to the CIS Controls v8 Implementation Groups, why most MSPs ignore the prioritization and how a mid-market firm should actually sequence the 153 safeguards.
April 20, 2026
Law firm data protection, matter segregation and encryption practices
The practical data protection obligations a modern law firm carries, from client confidentiality and matter segregation to encryption, access controls and the new wave of enterprise-client security requirements.
April 20, 2026
Insurance agency IT, what your carrier expects from YOU
The cybersecurity and IT expectations insurance carriers, E&O underwriters and state regulators increasingly place on independent insurance agencies, and how an agency should actually comply.
April 20, 2026
IT for senior-care operators, HIPAA, multi-site and the state inspection
The practical IT and cybersecurity workload a multi-site senior-care operator carries, from HIPAA safeguards to the state inspection readiness the corporate office rarely thinks about.
April 19, 2026
HIPAA for business associates, what's in a BAA and what's not
What a Business Associate Agreement actually commits a vendor to, where the common misreadings surface and how a BA should build the program the BAA promises.
April 19, 2026
SOC 2 readiness vs. audit and why your MSP doesn't do audits
Why SOC 2 readiness and the SOC 2 audit are distinct engagements, why one firm cannot do both and how to sequence the two without burning budget or credibility.
April 19, 2026
Your first enterprise customer security questionnaire, what to expect
A practical walkthrough of the enterprise customer security questionnaire, what the buyer is actually measuring and how to respond without burning the deal.
April 19, 2026
SOC 2 Type I vs Type II: what your enterprise customer actually wants
A practical breakdown of SOC 2 Type I and Type II reports, what each one proves, and how to decide which to pursue for your first enterprise customer review.
April 19, 2026
NIST 800-171: the 110 controls and which ones eat the budget
A practical breakdown of the NIST 800-171 control families, which controls take the most effort for small and mid-market organizations and how to sequence the 90-120 day compliance arc.
April 19, 2026
NIST CSF 2.0 in plain English: what changed and why it matters
NIST CSF 2.0 added Govern as a sixth function and reorganized how small and mid-market organizations should think about cybersecurity. A practitioner's translation.