Cybersecurity Compliance Services PCI ISO NIST HIPAA SOC2/Type2 GDPR CMMC FISMA


Compliance with frameworks and industry regulations doesn't have to be a difficult or confusing process. Our experienced and results-driven team of compliance experts will help you easily navigate the requirements and seamlessly integrate cybersecurity, regulatory compliance and best practices into your organization.  RedPenSec, powered by Crafted Compliance, Inc. will be your trusted partner in supporting your mission to harden organizational assets and governance, providing peace of mind for you, your employees, vendors, partners and clients.  We work with your existing IT/IS management teams and provide you with expert, unbiased, risk-based audits and assessments to give you the knowledge and tools needed as you journey to Cybersecurity Maturity. 

An effectively organized, adaptable, scalable, repeatable approach to enterprise risk management is essential to protect your organization's interests and demonstrates to your partners that it acts with due care and due diligence, both hallmarks of a mature cybersecurity program. By implementing a well-established framework you have an instrument by which to measure your environment and identify any gaps in your present processes, procedures, and controls. Whether you're adopting a framework for the first time or looking for a specialized certification, our cybersecurity specialists will perform a comprehensive assessment against the framework and design a customized roadmap which will serve as an invaluable tool in helping your enterprise achieve measurable progress, and compliance, across your organizational functions.


Through our expert assessment and advisory services, including Gap Assessments, Readiness Assessments and Risk Assessments, as well as ongoing support and monitoring of your programs, we can help you to ensure continuous regulatory compliance in an ever-evolving and changing landscape of frameworks and standards.  Proactive cybersecurity assessments are a good way to measure your performance and show your partners, customers, vendors, and employees that you have security and privacy at the heart of all you do as an organization. 

Our auditing and assessment expertise covers the most prevalent and prominent industry frameworks and our solutions will arm you with the knowledge, skills, and information you need to achieve and maintain your compliance goals.


If you have a question for our team or would like more information on our services and solutions, we are available for a free, confidential, no-obligation consultation to discuss your cybersecurity concerns, answer your questions, and have a conversation about how we can help your organization meet its compliance goals.


CONTACT US for a complimentary one-hour consultation.

NIST SP 800-171

Protecting Controlled Unclassified Information in Non-Federal Systems & Organizations

The National Institute of Standards and Technology (NIST) is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal and non-federal agencies on many topics, including cybersecurity. NIST Special Publication 800-171 defines the standards for the way contractors and sub-contractors of Federal agencies should manage and secure Controlled Unclassified Information (CUI). We can conduct a security assessment of your systems and processes to identify any potential non-compliance risk and help you implement the required security controls, as well as training your employees and actively monitoring your systems to ensure continuous protection of CUI.

NIST SP 800-53 rev 4

Security and Privacy Controls for Federal Information Systems and Organizations

The National Institute of Standards and Technology (NIST) is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics, including cybersecurity. NIST Special Publication 800-53 rev 4 is a set of standards and guidelines for the way Federal agencies should manage and secure Controlled Unclassified Information (CUI) and helps Federal contractors meet the requirements set by the Federal Information Security Management Act (FISMA). We can conduct a security assessment of your systems and processes to identify any potential non-compliance risk and help you with remediation and implementation of the required security controls, as well as training your employees and actively monitoring your systems to ensure continuous protection of CUI.

FISMA - Federal Information Security Management Act 

The Federal Information Security Management Act (FISMA) is U.S. legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats and applies to all agencies within the U.S. federal government, including state agencies that administer federal programs such as student loans, unemployment insurance, Medicare, and Medicaid. However, even if you don't sell to government agencies, it is important to understand the regulations, as they often impact the private commercial sector. Our experienced and knowledgeable team can assist you with FISMA compliance and ensure your abidance with its security requirements to give your enterprise a competitive advantage.

ISO/IEC 27001

Information Technology, Security techniques - Information Security Management Systems 

The ISO/IEC 27000 family of standards is a widely known set of requirements suitable for any size or type of organization's information security management system (ISMS). Risk management is a key ingredient of the ISO 27001 standard as it demonstrates that a company or non-profit understands what strengths and weaknesses exist; therefore, ISO certification is a sign of a secure, mature organization that can be trusted with sensitive data. Our ISO/IEC 27001 ISMS Certified Lead Auditors will help your firm seamlessly navigate the complex and significant requirements of the framework, and design a physical, logical and technical cybersecurity program to help you achieve your objective of effectively managing the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

Payment Card Industry - Data Security Standard / Self Assessment Questionnaire

If you are a merchant of any size, in any industry, and you accept credit cards, you must be in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). We've helped merchants of all shapes and sizes across a myriad of industries from retail to hospitality and financial services to hospitals understand and implement the PCI-DSS requirements to secure their payment systems from breaches and protect their reputation.  If you are seeking guidance on compliance with these standards for your Self-Assessment Questionnaire (SAQ), our experienced team stands ready to assist and craft a solution for your business. 

The Health Insurance Portability & Accountability Act (HIPAA) is a national standard of privacy regulations designed to protect individuals' medical records and other personal health information. It requires health care providers, physicians, dentists and hospitals, insurers, health care clearinghouses and their business associates to develop and follow procedures and best practices that ensure the confidentiality and security of protected health information (PHI) and electronic protected health information (ePHI) when it is transferred, received, handled, or shared. The security rules are scalable based on your organization's size, and RedPenSec, powered by Crafted Compliance, Inc., has the knowledge, experience and certifications to help you navigate HIPAA's intricate requirements and implement a security policy appropriate for your specific environment.

The General Data Protection Regulation (EU) 2016/679 (GDPR) regulates data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside of the EU and EEA areas. The GDPR is central to data privacy laws and aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. We have worked both internationally and with US-based global companies, and that has afforded us a deep and keen understanding of the GDPR requirements to best enable your firm to become, and stay, compliant when handling your customers' and clients' personal data across international lines, and avoid the hefty fines and penalties.

SOC 2 Type 1 and Type 2 - System and Organization Controls

The American Institute of Certified Public Accountants (AICPA) System and Organization Controls is an auditing procedure that ensures that your organization, or your clients, third-party vendors and service providers securely manage data to protect the privacy and security of their clients. SOC1 and SOC2 define the standards for managing customer data based on the five trust service criteria. A SOC2 Type I or Type II Gap Assessment or Readiness Assessment will play an important role in defining your firm's current corporate governance and oversight, policies, procedures, and risk management processes; it will detail the system controls in place and identify any gaps or weak points in those controls as measured against the SOC requirements for compliance. A SOC2 Gap Assessment or Readiness Assessment will empower your organization to take the next steps to passing a full SOC2 Type II Audit by ensuring the security, integrity, confidentiality and privacy of your customers' personal data assets. Our expert assessors will work with you to craft controls sensitive to your specific business practices which comply with one or more of the five trust service criteria.

CMMC - Department of Defense Cybersecurity Maturity Model Certification 

The United States Department of Defense (DoD) recently released its Cybersecurity Maturity Model Certification (CMMC) Version 1.0, the next stage in their efforts to enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. The new CMMC Regulations are an evolution of DFARS 252.204-7012 (CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171) and now require third-party attestation. The CMMC includes a comprehensive, scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level, and all organizations that provide services to the DoD will be required to hold a CMMC to bid on Solicitations. It is designed to provide an increased level of assurance that a DIB company can adequately protect sensitive unclassified information, and account for the secure flow of information to its subcontractors in a multi-tier supply chain. RedPenSec, powered by Crafted Compliance, will provide you with consulting advice to help you understand the evolution of these ever-changing regulations and help ensure that you're ready to implement the new security requirements to keep you competitive, compliant and in business.
