
Frequently Asked Questions


We offer CMMC, HIPAA HITECH, NIST 171 assistance and other cybersecurity compliance services. 

In addition to CMMC, HIPAA HITECH, and NIST 171 assistance, we also offer PCI, FINRA, FISMA, DFARS, NYDFS, ISO 27001, 22301, 27032, SOC 2, NERC and more.
Each assessment and each client is unique. A security assessment typically takes 30 minutes to four hours for a small business with low-complexity compliance requirements.
CMMC stands for Cybersecurity Maturity Model Certification. All Department of Defense (DOD) contractors and subcontractors working with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must complete a CMMC assessment from an approved entity to continue to compete for DOD contracts.
CMMC verification is based on 5 levels. Level 1 represents basic cyber hygiene while Level 5 represents advanced cyber hygiene. The contract you will be bidding for will determine the minimum security level you must meet. Your CMMC level is determined by an independent, third-party audit of your IT security controls and your vendors' and partners' controls. If you fail an audit, however, you may have to wait weeks to months before reapplying for certification. Unfortunately, this cannot be expedited and would delay your opportunity to obtain the DOD contracts your business desires.

SOC 2 is an auditing process that ensures your service providers are securely managing your data and protecting the privacy and security of your clients. SOC 2 compliance is considered the minimum of security maturity when evaluating a SaaS provider. SOC 2 defines the criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. We can help your business with SOC 2 compliance.

SOC 2 compliance is not a State or Federal requirement, but it is considered an industry standard for SaaS companies or cloud computing businesses. If your SaaS business is not SOC 2 compliant, you risk exposing your customers' data and exposing your business information.

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of cybersecurity regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.

All entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. This means if you are a state-chartered bank, licensed lender, private banker, foreign bank licensed to operate in New York, mortgage company, insurance company, or service provider, you may be required to comply with NYDFS Cybersecurity regulations.

HITRUST stands for the Health Information Trust Alliance. HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements. HITRUST is administered by an independent testing organization that issues the Certified Security Framework (CSF) certification to vendors who successfully pass their rigorous HIPAA security evaluation.

The HITRUST CSF provides a set of controls that meet the requirements of HIPAA and other cybersecurity compliance requirements including PCI and NIST. The HITRUST CSF is the most widely adopted security framework in the healthcare industry, with 81 percent of hospitals and 80 percent of health plans having adopted the HITRUST certification. If your organization must comply with HIPAA, you may want to consider a HITRUST certification.

ISO 27001 is the international standard that describes the requirements for an ISMS (information security management system).

The standard’s framework is designed to help organizations manage their security practices in one place, consistently and cost-effectively.

The international standard ISO 22301:2012 provides a best-practice framework for implementing an optimized BCMS (business continuity management system).

This enables organizations to minimize business disruption and continue operating in the event of an incident.

ISO 27032 is the international standard offering guidance on cybersecurity management. It provides guidance on addressing a wide range of cybersecurity risks, including user endpoint security, network security, and critical infrastructure protection.

ISO certification provides independent validation of a company’s conformity to a set of cybersecurity standards created by the International Organization for Standardization (ISO). The certification process can be long. Many organizations prefer to focus on being ISO compliant rather than ISO certified.

Making sure your organization is fully compliant with NERC standards is critical for your business success in state election contracts. NERC, or the North American Electric Reliability Corporation, is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.

All bulk power system owners, operators, and users must comply with NERC-approved Reliability Standards. These organizations are required to register with NERC through their appropriate Regional Entity.

PCI Compliance, managed by the Payment Card Industry Data Security Standard, is an information security standard for all organizations that process major credit card brands. PCI Standards are mandated by the major credit card companies but are administered by the Payment Card Industry Security Standards Council. PCI requirements ensure that all companies that process, store, or transmit credit card information maintain a secure environment to protect customer information.

PCI compliance applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. Any business that accepts or processes payment cards must comply with PCI. Online retailers and brick-and-mortar stores must all comply with PCI.

NIST stands for the National Institute of Standards and Technology, a non-regulatory government agency that develops technology, metrics, and standards. NIST produces cybersecurity standards and guidelines to help federal agencies meet federal information security requirements. The NIST Cybersecurity Framework is considered an industry standard for organizations implementing cybersecurity controls. NIST standards are based on a series of security documents, organizations, and publications. The NIST Cybersecurity Framework is an asset for federal agencies and for cybersecurity programs requiring stringent security measures.

The NIST Cybersecurity Framework exists to aid organizations in developing cybersecurity policies and standards. NIST is not a federal requirement, but simply a set of cybersecurity recommendations. In many cases, complying with NIST guidelines helps federal agencies and organizations ensure compliance with other regulations, such as HIPAA and FISMA. NIST guidelines are often deployed to help organizations meet specific regulatory and compliance requirements. 

Making sure your organization is fully compliant with DFARS is critical for your business success in federal contracts. DFARS stands for Defense Federal Acquisition Regulation Supplement. DFARS is a DoD (Department of Defense) specific supplement to the FAR (Federal Acquisition Regulation). It provides acquisition regulations that are specific to the DoD.

DoD government acquisition officials, contractors and subcontractors doing business with the DoD must comply with DFARS.

The Financial Industry Regulatory Authority (FINRA) is a government-authorized not-for-profit organization that oversees U.S. broker-dealers. FINRA writes and enforces the rules governing registered brokers and broker-dealer firms in the United States. FINRA also administers the qualifying exams that securities professionals must pass to sell securities or supervise others who do.

FINRA is responsible for securities industry and stock market oversight and monitors the activities of more than 4,200 brokerage firms and their brokers. All registered brokers and brokerage firms must comply with FINRA or face serious fines.


Penetration testing involves senior security engineers attacking your network to find weak points and vulnerabilities that an attacker may exploit. By conducting an annual pen test, you can both meet compliance requirements and identify weak points in your security program.


We try to ensure that our pricing allows businesses of all sizes to get the security they need. We provide custom quotes based on business size, number of computers, and the overall complexity of the environment. We guarantee that we have one of the most accessible pricing structures on the market.


We take great pains to ensure that your organization will suffer minimal disruption during the test. We are business owners too and understand the importance of maintaining regular business operations.


Many people see Governance, Risk and Compliance work as needless paperwork. That couldn’t be further from the truth. When done properly, GRC will enable your organization to meet compliance requirements and focus on risk reduction in a clear and coherent way that provides meaningful protection from a range of threats.


Our GRC work is performed by senior-level CISOs with extensive security credentials. We have experience helping small businesses, mid-sized businesses, and large enterprises design coherent and effective GRC programs. Contact us for a free assessment.



Solutionz Security provides an assessment and strategy for improving chosen critical security programs. We offer flexible cybersecurity protection, tailored to your needs.
