Compliance Services

Compliance used to be a side-of-the-desk concern at most Wichita-area manufacturers, contractors, healthcare practices, and accounting firms. That's no longer the case. Federal contractors are moving into a phased CMMC requirement that runs through 2028. Healthcare providers and their business associates face the proposed HIPAA Security Rule update. CPAs and tax preparers are now fully in scope of the FTC Safeguards Rule, which now carries enforcement teeth.

CybertronIT does the compliance readiness work across the frameworks our Wichita and Southcentral Kansas clients are actually subject to. The work is bundled with Managed IT Services on the same engagement, because the documentation and the live systems have to be owned by the same team. Otherwise the two drift, and the next audit, assessment, insurance renewal, or breach is where the gap shows up.

The frameworks we work with

CMMC (Cybersecurity Maturity Model Certification). The DoD framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense industrial base. Three levels: Level 1 (FCI only, self-assessment), Level 2 (CUI, either self-assessment or C3PAO certification depending on contract, built on the 110 controls of NIST SP 800-171), and Level 3 (highest-sensitivity programs, DIBCAC assessment, NIST SP 800-172 controls layered on Level 2). The phased rollout under the DFARS final rule started November 10, 2025, with Level 2 C3PAO assessments becoming a standard condition of award beginning November 10, 2026. Most of the Wichita-area Tier 2 and Tier 3 aerospace and defense suppliers we work with are heading for Level 2. CybertronIT is a CyberAB-authorized Registered Practitioner Organization (RPO). We do the readiness work. We are not a C3PAO and do not perform the certification assessment itself. See our deep CMMC Readiness Services page.

NIST SP 800-171. The 110-control security requirement set that underlies CMMC Level 2. Every contractor with a DFARS 252.204-7012 clause has had a self-attestation obligation under NIST 800-171 since 2017. You'd be surprised how often a Wichita aerospace supplier discovers they've been handling CUI for years without realizing the DFARS obligation existed or that their self-attestation was inaccurate. The work to get a contractor compliant is the same whether the destination is CMMC Level 2 certification or just an accurate DFARS self-attestation. The controls span access management, audit logging, configuration management, incident response, media protection, personnel security, physical protection, risk assessment, communications protection, and system integrity. See our NIST 800-171 page for the deep view.

HIPAA (Health Insurance Portability and Accountability Act). The federal framework for protecting Protected Health Information. Three rules: the Privacy Rule (who can access PHI), the Security Rule (administrative, physical, and technical safeguards for ePHI), and the Breach Notification Rule (what happens when PHI is exposed). Most Wichita-area medical and dental practices we onboard have HIPAA risk assessments older than three years, or none on file at all, which is the single most-cited finding when OCR settles with a practice. The proposed 2025 Security Rule update will explicitly require annual risk assessments, mandatory MFA, mandatory encryption, biannual vulnerability scans, and annual penetration testing. The trajectory is clear regardless of finalization timing. See our deep HIPAA IT page for the full picture.

FTC Safeguards Rule (16 CFR Part 314). The Gramm-Leach-Bliley Act security regulation administered by the FTC. The 2021 update became effective in December 2022, with the more stringent provisions enforceable from June 2023. Applies to financial institutions as the FTC defines them, which is broad enough to cover tax preparers, CPAs, bookkeepers, mortgage brokers, and other businesses significantly engaged in financial activities. Requires a written Information Security Program maintained by a designated Qualified Individual, a written risk assessment, MFA, encryption at rest and in transit, oversight of service providers, an incident response plan, and an annual written report. Penalties under the FTC's CPI-adjusted authority can reach $46,517 per violation per day. IRS Publication 4557 covers parallel requirements for paid tax return preparers, including the Security Six controls and a written data security plan. Compliance with the Safeguards Rule generally also satisfies Pub 4557. Most Kansas CPA firms we review already have pieces of Safeguards compliance in place but lack the documentation an FTC examiner would want to see. See our deep FTC Safeguards Rule page and the IT for CPAs vertical.

GLBA (Gramm-Leach-Bliley Act). The broader statute underlying the FTC Safeguards Rule. We work GLBA primarily through the Safeguards Rule lens for tax preparers, CPAs, and financial advisors in our market.

PCI DSS (Payment Card Industry Data Security Standard). Card brand requirements for any business processing payment cards. The right move for most small retailers is reducing PCI scope by routing card data through validated processors so the merchant environment never stores raw card data. We work the technology side of this rather than acting as a Qualified Security Assessor.

State-level frameworks (Kansas breach notification, sector-specific state rules) layer on top of the federal frameworks. We work through those case by case.

Flowdown reaches deeper than most manufacturers expect

Many Wichita manufacturers assume compliance only applies to prime contractors. In practice, flowdown requirements often reach Tier 2 and Tier 3 suppliers long before management expects them. A Wichita-area supplier selling parts to a prime that holds a DFARS-covered contract is bound by the same flowdown obligations the prime is signing for. The pattern shows up in other frameworks too. HIPAA business associate agreements obligate downstream subcontractors who touch PHI. The FTC Safeguards Rule requires covered entities to oversee their service providers contractually. The compliance conversation often arrives in your inbox as a supplier questionnaire from a customer's procurement team, not as a direct regulatory notice.

Why compliance belongs with Managed IT

We don't take compliance work as a standalone consulting product. The readiness work is bundled with Managed IT Services on the same engagement, for the reason the CMMC Readiness Services page lays out in full: the documentation describes a security posture that's supposed to be live on real systems, and when one firm writes the documents while another runs the systems, the two drift apart within a quarter. We see it in onboardings here more than we'd like: a serious-looking SSP that doesn't match the live network, or a Safeguards risk assessment that still lists assets the firm sold off years ago.

When the same team owns the systems and the documents, every change shows up in the documentation as a matter of routine and the artifacts stay current. If you already have a Managed IT provider you're committed to, the conversation is about whether the timing is right to switch, not about adding us as a compliance-only layer.

The pretest principle

Before any external review (an OCR HIPAA audit, an FTC examination, a CMMC C3PAO assessment, an insurance underwriter's verification, a customer supplier qualification), we walk the documentation against the actual systems control by control. If the document claims something the system doesn't do, we find that before the auditor does. The cost of finding a gap three weeks before an audit is a project. The cost of letting the auditor find it is a finding, a penalty, or a denied claim.

Compliance work and cyber insurance overlap

The compliance frameworks above and the cyber insurance underwriting questionnaire converge on most of the same controls (MFA, immutable backups, EDR, incident response plan, written security program, training records, vendor oversight). A renewal questionnaire and a compliance assessment ask many of the same questions from different directions. Doing the compliance work properly tends to improve your insurance posture and keeps your application attestations honest, which matters because attestation mismatches can be grounds for claim denial. The deeper view is on our Cybersecurity Services page.

Where to start

A short call is the right way to figure out which frameworks you're actually subject to (often more than the business realizes), what your current posture looks like, and what a realistic readiness timeline is.

Book an exploratory call. Thirty minutes, no commitment. Bring any contract clauses, customer questionnaires, or audit letters you have in hand, along with anything else you think is relevant or have questions about.

Frequently asked questions

1. Which compliance frameworks do you actually work with day to day?

The frameworks named on this page (CMMC, NIST 800-171, HIPAA, FTC Safeguards Rule, IRS Publication 4557, GLBA, PCI DSS) are the ones we work with regularly across our Wichita-area and Kansas client base. State-level requirements (Kansas breach notification, sector-specific state laws) we handle case by case. If your business is subject to a framework not on the list (SOX, HITRUST, ISO 27001, ITAR, EAR, a specialty industry framework), we'll tell you in the first call whether it's adjacent to what we already know or whether you'd be better served by a specialist.

2. Are you a CMMC certification body?

No. CybertronIT is a CyberAB-authorized Registered Practitioner Organization (RPO). We do the readiness work that prepares contractors for CMMC assessments. The certification itself is conducted by a separate accredited Third Party Assessor Organization (C3PAO). An RPO and a C3PAO cannot be the same firm on the same engagement, by design. We can point you to the official accredited C3PAO list at the CyberAB.

3. How do you handle multiple frameworks for the same business?

Most of our compliance-active clients are subject to more than one framework. A Wichita defense contractor might be subject to CMMC and DFARS plus GLBA exposure if they handle financial information. A Kansas medical practice is subject to HIPAA and may also have PCI DSS exposure if they take card payments. A CPA firm with a federal contract may be subject to both the FTC Safeguards Rule and CMMC. The discipline is to find the framework with the highest bar in any given control area and build to that, rather than running parallel programs that duplicate effort. One Information Security Program, one risk assessment, one set of policies, mapped to whatever frameworks apply.

4. What does compliance readiness cost?

It depends on the frameworks involved, the starting posture of the business, the size of the environment, and how much of the work is documentation versus technical control implementation. The work is bundled with Managed IT Services in a per-user model. The exploratory call is the right place to talk through what the numbers look like for your situation.

5. Can we do compliance readiness without Managed IT?

No. The documentation and the live systems have to be owned by the same team or the documentation drifts and the next audit, assessment, or breach finds the gap. If you already have an MSP, the right conversation is about whether the timing is right to switch, not about adding compliance readiness as a separate workstream from your day-to-day IT.


CybertronIT strives to provide the best comprehensive IT, Computer, and Networking services to small businesses. We can handle all of your organization's technology challenges.

Contact Us

Learn more about what CybertronIT can do for your business.

4727 S Emporia St,
Wichita, Kansas 67216

Call us: (316) 440-8282
