top of page

Compliance with frameworks and industry regulations doesn't have to be a difficult or confusing process. Our experienced and results-driven team of compliance experts will help you easily navigate the requirements and seamlessly integrate cybersecurity, regulatory compliance, and best practices into your organization.  RedPenSec, powered by Crafted Compliance, Inc. will be your trusted partner in supporting your mission to harden organizational assets and governance, providing peace of mind for you, your employees, vendors, partners, and clients.  We work with your existing IT/IS management teams and provide you with expert, unbiased, risk-based audits and assessments to give you the knowledge and tools needed as you journey to Cybersecurity Maturity. 

An effectively organized, adaptable, scalable, repeatable approach to enterprise risk management is essential to protect your organizations’ interests and demonstrates to your partners that it acts with due care and due diligence, both hallmarks of a mature cybersecurity program.  By implementing a well-established framework you have an instrument by which to measure your environment and identify any gaps in your present processes, procedures, and controls.  Whether you're adopting a framework for the first time or looking for a specialized certification, our cybersecurity specialists will perform a comprehensive assessment against the framework and design a customized roadmap which will serve as an invaluable tool in helping your enterprise achieve measurable progress, and compliance, across your organizational functions.


Through our expert assessment and advisory services, including Gap Assessments, Readiness Assessments, and Risk Assessments, as well as ongoing support and monitoring of your programs, we can help you to ensure continuous regulatory compliance in an ever-evolving and changing landscape of frameworks and standards.  Proactive cybersecurity assessments are a good way to measure your performance and show your partners, customers, vendors, and employees that you have security and privacy at the heart of all you do as an organization. 

Our auditing and assessment expertise covers the most prevalent and prominent industry frameworks and our solutions will arm you with the knowledge, skills, and information you need to achieve and maintain your compliance goals.

If you have a question for our team or would like more information on our services and solutions, we are available for a free, confidential, no-obligation consultation to discuss your cybersecurity concerns, answer your questions, and have a conversation about how we can help your organization meet its' compliance goals. 


A complimentary conversation with an expert from our team will

provide valuable insight into the options that may best fit your needs.

833-4CRAFTED / 833.427.2383

CMMC Department of Defense Cybersecurity Maturity Model Certification The United States Department of Defense (DoD) recently released its' Cybersecurity Maturity Model Certification (CMMC) Version 2.0, the next stage in its efforts to enhance the cybersecurity posture of the Defense Industrial Base (DIB) and its suppliers. The new CMMC Regulations are an evolution of DFARS 252.204-7012 (NIST SP 800-171), and now require third-party attestation in many cases.  All organizations that provide services to the DoD will need to be CMMC certified to bid on Solicitations.  Our information security experts are experts in NIST 800-171 (the backbone for the CMMC) and stay at the forefront of the developing standard to help you understand - and implement these new and ever-changing security requirements to keep you competitive and compliant.  

Our Experts Will Help You Understand - And Implement These New Security Requirements To Keep You Competitive And Compliant.

Keeping our nations’ confidential data secure from cybercriminals is critical to our sovereignty, independence, and economy and up until now, companies that process sensitive government data have only been required to “self-attest” to their conformance with relevant regulations and guidance. Beginning as early as late 2022, the DoD will require many organizations to be audited and certified to CMMC standards by a Certified Third-Party Assessor Organization (C3PAO).

You Can Position Your Organization For Future CMMC Certification By Partnering With Us

To Perform A NIST Readiness, Compliance, Or Cybersecurity Assessment.

Our experienced assessors can help you navigate the complex landscape of the NIST 800-171 and evolving CMMC requirements, making sense of the numerous capabilities, security practices, certification levels, and Domains.  And, our skilled technical experts will help you to segment your environment to limit the scope of the audit to only those areas that transmit, process or store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), maximizing your ROI and minimizing your risk.


NIST 800-171: Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations  The National Institute of Standards and Technology (NIST) is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics – including cybersecurity.  NIST Special Publication 800-171, defines the Standards for the way contractors and sub-contractors of Federal agencies shall manage and secure Controlled Unclassified Information (CUI).  Compliance with the standard serves to strengthen the entire federal supply chain and protect data such as patents, diagrams/blueprints and other technical data.  We can conduct a security assessment of your systems and processes to identify any potential non-compliance risk and help you implement the required security controls, as well as train your employees and actively monitor your systems to ensure continuous protection of CUI.  

Organizations that do business with the Federal Government or the Department of Defense are required to meet the upcoming CMMC mandates, and as the deadline approaches, entities that fail to reach the required cybersecurity maturity will be left out of profitable government contracts. Both the CUI designation and the NIST SP 800-171 framework will be wholly replaced by the Cybersecurity Maturity Model Certification (CMMC). For companies doing business with the Federal Government, adherence to this standard is mandatory if any data will be transmitted to, stored on, or processed by your information systems. Organizations that fail to gain the required CMMC Certification can expect to be left out of profitable government contracts.

You can position your organization for CMMC Certification by partnering with us to achieve a high

SPRS score by establishing your SSP and POAM now and working towards updated cyber-maturity.

NIST 800-171 consists of 14 control families and a total of 110 requirements, addressing different areas of information security, such as Access Control, Configuration Management, Risk Assessment, and Incident Response and sets out straightforward requirements for cybersecurity policy.  This can be a seemingly overwhelming task, and RedPenSec’s expert assessors will join in your effort to evaluate and your environment and ensure that your systems are sufficiently designed and effectively operating to protect the confidentiality of CUI data.  


If Your Firm Is Ready To Update To NIST, CMMC or DFARS, our Consulting Services Can Get You There Faster.

We can conduct a compliance and cybersecurity assessment of your systems and processes to identify any potential risks of non-compliance and help you implement the required security controls, as well as offer security training to your employees and actively monitor your systems to ensure continuous protection of CUI. You will receive the highest level of trusted advisory support throughout the process, as well as expert guidance on how to address any weaknesses in your processes and systems.

NIST 800-171

A complimentary conversation with an expert from our Compliance team 

will provide valuable insight into the options that may best fit your needs.



Created through a collaboration between private industry and the government, the NIST CSF is a voluntary framework consisting of guidelines and security best practices to promote the protection of critical infrastructure.  The NIST Cybersecurity Framework (CSF) is one of the most widely adopted standards.  Its prioritized, flexible, repeatable, and cost-effective approach supports non-federal business owners and operators in managing their cybersecurity-related risk.  NIST compliance helps to ensure an organization’s infrastructure is secure and lays the groundwork when achieving compliance with other specific regulations such as HIPAA or FISMA.


RedPenSec’s auditors are experts in Risk Management and understand the NIST CSF’s Framework Core,

Sub-Categories and Implementation Tiers.  We will partner with your organization and be your

trusted advisors, sharing our knowledge and expertise as you journey to Compliance.


The NIST CSF is a roadmap for organizations to build, assess, and develop an information security program.  When used properly, the NIST CSF can transform an organization’s security posture and risk management program from reactive to proactive.  It is not a formal certification or accreditation program; however, third-party validation of an organization’s controls is a best practice and provides an additional level of assurance that security is at the heart of all you do.


RedPenSec’s NIST CSF Gap Assessment has been devised as a method to measure the current state of your organization’s security program against the framework’s 5 Core Functions, 23 Categories and 98 Sub-Categories.  The results will provide you with an extremely useful project management tool with which to measure your security maturity over time, with an effective Action Plan for remediation towards a more risk/security-aware culture.  Our comprehensive reports will arm your firm with the tools needed to fully understand your current state, gain control of it, and improve it immediately.

The Federal Information Security Management Act (FISMA) is U.S. legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats and applies to all agencies within the U.S. federal government, including state agencies that administer federal programs such as student loans, unemployment insurance, Medicare, and Medicaid. However, even if you don't sell to government agencies, it is important to understand the regulations, as they often impact the private commercial sector; Our team can assist you with FISMA compliance and ensure your abidance with its' security requirements to give your enterprise a competitive advantage.  

ISO 27001

ISO/IEC 27001:2013 & ISO 27002:2022 is the global benchmark for demonstrating an organization's commitment to an effective Information Security Management System (ISMS). If you have international customers or are pursuing customers and business outside of the USA, it is likely that you will be asked to present your ISO 27001 Certification.  While many organizations have a number of information security controls in place, they can be disconnected or even conflicting, having been implemented at different points in time to address different security technologies or situations. Many organizations protect limited aspects of their information technology (IT) or information security (IS), leaving paperwork and proprietary knowledge unprotected.

If your organization is ISO/IEC 27001:2013 certified, then you should be aware that the International Organization for Standardization has made significant changes to Annex A and companies will have to audit to these new standards beginning in 2024/2025. 

The biggest differences are within the Code of Practice of ISO 27002; its’ current 114 controls over 14 domains have been consolidated into 93 controls over 4 domains (Organizational, People, Physical and Technical Controls) and addresses such issues as information security for the use of cloud-based services, privacy and protection of PII, Digital Rights Management (DRM), Threat Intelligence, Data Leakage Protection (DLP), Identity and Access Management, enhanced monitoring activities, physical security monitoring, and configuration management, to name a few.  ISO also deleted 16 controls, and modified several others, contributing to a more streamlined alignment with its’ other standards.

Our ISO Lead Auditors understand these updates and will collaborate with your organization to

implement an effective ISMS to protect the confidentiality, integrity & availability of its assets.

ISO 27001 is the only auditable standard and one of the most popular information security standards in existence. Its’ flexible best-practice approach helps organizations manage their information security by addressing its people, processes, and technology from a holistic perspective. Adherence to the standard demonstrates a company’s commitment to securing the confidentiality, integrity, and availability (CIA) of its’ assets and can improve your reputation globally by showing that security is at the heart of everything you do.

Our ISO 27001 Lead Auditors will expertly & efficiently perform a formal audit

of the Standard against your ISMS, ultimately leading to Certification.

If you’re just building your ISMS program or preparing for a full Audit, we can help you get ready. RedPenSec’s ISO 27001 Gap Assessment will serve to determine your current information security posture and organizational effectiveness/maturity as measured against the ISO Standards, and the requirements of your own mission and objectives.  The results will provide you with an extremely useful project management tool with which to measure your security maturity over time, with an effective Action Plan full of practical advice for remediation towards a more risk/security-aware culture.

Our Certified ISO Lead Auditors understand the nuances & complexities of the Clauses & Security Controls.

We are poised to partner with your organization to incorporate an effective ISMS easily & seamlessly. 

You will receive the highest level of trusted advisory support throughout the process, as well as expert guidance and support on how to address any weaknesses in your processes and systems. Our ISO Lead Auditors will help your firm adopt an effective process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS, topped off with an ISO 27001 Certification upon successful completion of the Audit.


A complimentary conversation with an expert from our Compliance team 

will provide valuable insight into the options that may best fit your needs.

SOC 2 Type 1 and SOC 2 Type 2

The System and Organization Controls is a component of the American Institute of CPA's auditing procedure that verifies whether an organization follows the requirements relevant to Security, Processing Integrity, Availability, Confidentiality, and Privacy, and it is meant for organizations that process, store or hold the private data of their clients. SOC 2 defines the criteria for managing customer data based on the five Trust Services Criteria and a SOC 2 assessment/audit can empower your organization by providing a level of assurance that your customers' personal assets are properly protected. SOC 2 Compliance is mandatory for all technology-based service organizations that process, use or store client information in the cloud.

Our Experienced Assessors Can Perform A SOC 2 Readiness Assessment

To Find The Areas Of Opportunity For Your Organization On Its’ Journey To Full Compliance.

Our Readiness Assessment will help you prepare for your Audit by defining the scope of your environment and your objectives, identifying key controls, evaluating the clarity and content of your policies and procedures, and detecting underperforming or missing controls in the operation. We’ll partner with your teams to walk through the processes and help you prepare for compliance by crafting a detailed plan of action full of expert advice and recommendations for the remediation of any gaps and help you to gain efficiency in your processes.

There are two types of SOC Reports:

A SOC 2 Type 1 Report is a snapshot of a service organization’s systems and the suitability of its design of controls at a point in time. The report describes the current systems and controls in place and reviews the Policies and Procedures that govern and support those controls. Our SOC 2 Readiness Assessment will find the weaknesses that could cause your organization to have negative results and an unqualified opinion during a full Audit. It is an integral first step to achieving SOC 2 Type 2 compliance and is a good way to show your customers that you have security, privacy, and compliance at the heart of all you do as an organization.

Our Highly Skilled Assessors Will Be Your Trusted Partners And Provide You

With The Knowledge & Tools You Need On Your Journey To SOC 2 Compliance.

A SOC 2 Type 2 Audit Report captures how a company safeguards its customer data and how well those controls operate over time. A SOC 2 Type 2 Report is very similar to the Type 1 report, except that the evidence of control effectiveness is described in greater detail and evaluated for a minimum of six (6) months to validate that the systems and controls in place are functioning effectively as intended. The SOC 2 Type 2 Certification is conducted by an independent accounting firm.

In short, A SOC 2 Type 1 evaluates the suitability of the controls at a point in time; a SOC 2 Type 2 tests and validates those controls over time.

A SOC2 Readiness Assessment Is An Integral First Step To Achieving Full Compliance And Is A Good Way To Show That You Have Security And Privacy At The Heart Of All You Do As An Organization.

The SOC 2 service controls often intersect with other industry-specific requirements, such as HIPAA, HITRUST and PCI DSS compliance. We can maximize your return on investment and operational efficiency by mapping your SOC 2 readiness assessment with another relevant standard.

HIPAA Health Insurance Portability and Accountability Act The Health Insurance Portability & Accountability Act (HIPAA) is a national standard of privacy regulations that requires health care providers, physicians, dentists and hospitals, insurers and their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.  The security rules are scalable based on your organization's size and we have the expertise to help you navigate the requirements and implement a security policy appropriate for your specific environment.

We Have The Expertise To Help You Navigate The Requirements &

Implement A Security Policy Appropriate For Your Specific Environment.

Cybercriminals are targeting the healthcare industry. With ransomware attacks and phishing campaigns on the rise, hackers are deliberately affecting patient safety and their personal health information. Securing this sensitive information is critical and by doing so you reduce the possibility of your patients’ health records being compromised. Should you suffer a breach, you'll have more than just a regulatory headache and hefty fines to pay, you’ll have to prove that your systems were compliant and that security controls were in place to prevent such an attack.


Our Comprehensive HIPAA Risk Assessment Is Designed To Bring Your Healthcare

Organization’s Security Program To Full Compliance With HIPAA’s Requirements.

We can aid you in understanding the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and help you to implement best practices for each area that will protect the confidentiality and security of PHI and avoid the high cost of HIPAA violations.

The Certified HIPAA Privacy Security Expert (CHPSE) is the gold standard for HIPAA credentials. It is the highest-level certification for core HIPAA compliance and includes extensive and in-depth HIPAA training on the privacy and security laws, rules, and regulations. Our team of CHPSE’s have the education and experience to help your organization develop, manage, and implement processes to ensure compliance with applicable federal and state HIPAA regulations and guidelines.

CHPSE hipaa-privacy-security.png

GDPR General Data Protection Regulation The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation regarding data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR is central to data privacy laws and aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.  We have worked both internationally and with US-based global companies and that has afforded us a deep and keen understanding of the GDPR requirements to best enable your firm to become, and stay, compliant.  


California Consumer Privacy Act The California Consumer Privacy Act (CCPA) is a robust data protection and privacy regulation designed to protect the personal information of all California residents and regulates how certain businesses all over the world are allowed to handle that personal information; drafted as a compliment to CalOPPA, it is the first law of its' kind of United States, and surely won't be the last.  If your business meets any of the three CCPA thresholds and has an online domain, you are required to implement the CCPA.  Our experts in California, and across the country have the knowledge and expertise to help you understand and implement compliance with these obligations.  

The New York SHIELD Act The New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amends NY's data breach notification law and adds to the growing list of states enacting data security laws to protect the privacy of their residents. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training, incident response planning, and testing on any employer, individual, or organization, regardless of size or location, which collect private information on NY residents.  Our experts have a strong understanding of the GDPR & CCPA and are positioned to help you understand and achieve compliance with the newest laws and regulations.  


PCI-DSS / SAQ Payment Card Industry - Data Security Standard and Self Assessment Questionnaire If you are a merchant of any size, in any industry, and you accept credit cards, you must be in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). We've helped merchants of all shapes and sizes across a myriad of industries from retail to hospitality and financial services to hospitals understand and implement the PCI-DSS requirements to secure their payment systems from breaches and protect their reputation. If you are seeking guidance on compliance with these standards for your Self-Assessment Questionnaire (SAQ), our experienced team stands ready to craft a solution for your business. 

A complimentary conversation with an expert from our Compliance team 

will provide valuable insight into the options that may best fit your needs.

bottom of page